[Infowarrior] - Apple sits on critical Mac bug for 7 months (and counting)
Richard Forno
rforno at infowarrior.org
Tue Jan 12 03:40:19 UTC 2010
Apple sits on critical Mac bug for 7 months (and counting)
Unix flaw fixed in OpenBSD, not OS X
By Dan Goodin in San Francisco
Posted in Security, 12th January 2010 00:14 GMT
http://www.theregister.co.uk/2010/01/12/critical_osx_security_bug/
Researchers have disclosed a critical vulnerability in the latest
version of Mac OS X that they say Apple has sat on for almost seven
months without fixing.
The buffer overflow flaw could be exploited by attackers to remotely
execute malicious code, and virtually all Apple devices - including
Mac computers and servers, iPhones, and even Apple TV - are
susceptible, one of the researchers, Maksymilian Arciemowicz, told The
Register. SecurityReason.com, the Poland-based security firm he works
for, alerted Apple to the vulnerability in the middle of June and
again last month, but the computer maker has yet to patch the bug.
By contrast, developers for OpenBSD, NetBSD, FreeBSD, and a variety of
Mozilla applications have fixed identical vulnerabilities, in some
cases within hours of notification. The bug affects all applications
and operating systems that use the gdtoa floating-point conversion code.
"It was not that difficult to patch it," Arciemowicz wrote in an
email. "It seems to us that Apple comes from the assumption that when
there is no PoC or exploit given that the problem doesn't exist."
The OS X bug resides in the libc/strtod(3) and libc/gdtoa functions.
Arciemowicz said the vulnerability could be remotely exploited using
booby-trapped PHP code on a website, among other methods.
SecurityReason has posted proof-of-concept code here that shows how
the flaw can be exploited to make a machine crash. With additional
work - specifically, by manipulating esi and edi registers - it is
possible to remotely execute code, Arciemowicz said.
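As an added example, not code from the article or from SecurityReason's advisory: one way a program that must hand untrusted numeric strings to strtod(3) on a not-yet-patched system can narrow its exposure is to bound the length and grammar of the input before the library parser ever sees it. The 64-character cap and the restricted syntax are assumptions of this example, not details reported on the page.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Longest decimal literal we are willing to hand to strtod(3).
 * The value is a policy choice for this example, not a figure from
 * the advisory or the article. */
#define MAX_NUM_LEN 64

/* Outcome of the guarded conversion. */
enum num_status { NUM_OK = 0, NUM_TOO_LONG, NUM_BAD_SYNTAX, NUM_RANGE };

/* Convert an untrusted decimal string to double, but only after checking
 * that it is short and syntactically plain.  Hex floats, INF/NAN and other
 * strtod extensions are rejected so the library parser only ever sees
 * the simplest grammar.  On success *out holds the value. */
enum num_status safe_strtod(const char *s, double *out)
{
    size_t n = strnlen(s, MAX_NUM_LEN + 1);
    if (n > MAX_NUM_LEN)
        return NUM_TOO_LONG;

    /* Accept only: [+-]digits[.digits][e[+-]digits] */
    const char *p = s;
    if (*p == '+' || *p == '-') p++;
    size_t mant = 0;
    while (isdigit((unsigned char)*p)) { p++; mant++; }
    if (*p == '.') {
        p++;
        while (isdigit((unsigned char)*p)) { p++; mant++; }
    }
    if (mant == 0)
        return NUM_BAD_SYNTAX;
    if (*p == 'e' || *p == 'E') {
        p++;
        if (*p == '+' || *p == '-') p++;
        if (!isdigit((unsigned char)*p))
            return NUM_BAD_SYNTAX;
        while (isdigit((unsigned char)*p)) p++;
    }
    if (*p != '\0')
        return NUM_BAD_SYNTAX;

    errno = 0;
    char *end = NULL;
    double v = strtod(s, &end);
    if (end != s + n)
        return NUM_BAD_SYNTAX;   /* cannot happen after the checks above */
    if (errno == ERANGE)
        return NUM_RANGE;       /* overflow or underflow, caller decides */
    *out = v;
    return NUM_OK;
}
```

The grammar check runs before strtod is called, so an input that exceeds the cap or uses an unexpected form never reaches the gdtoa code path at all.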
Of the 16 applications or systems known to be affected by the bug,
only four remain vulnerable. In addition to OS X, they include Mozilla
Sunbird, K-Meleon, and the J programming language.