Apple fixes iChat, Finder (MoAB) flaws

Summary: Apple has started fixing security holes exposed during January's MoAB (Month of Apple Bugs) project.

A software update from Cupertino today provides cover for a pair of flaws in iChat and a code execution vulnerability in Finder. All three vulnerabilities were publicly disclosed by L.M.H. and Kevin Finisterre, the two hackers behind MoAB.

According to Apple's Security Update 2007-002 alert, a maliciously crafted disk image may lead to an application crash or arbitrary code execution in Mac OS X v10.4.8 and Mac OS X Server v10.4.8.

Apple described the issue as a buffer overflow in Finder's handling of volume names and warned that a proof-of-concept for this issue is already available on the MoAB site. Finisterre is prominently credited in Apple's advisory.

Two bugs in iChat are also fixed. The first could allow attackers on a local network to cause the program to crash because of a null pointer dereference in iChat's Bonjour message handling. The second iChat fix is even more serious because it puts Mac OS X users at risk of code execution attacks with limited user action.

"By enticing a user to access a maliciously-crafted AIM URL, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution," Apple said, noting again that demo code for exploiting this issue is available at the MoAB project page.

The update also fixes a bug in UserNotification that could allow malicious local users to obtain system privileges.

Apple also released two software updates to add support for the latest Daylight Saving Time (DST) and time zone information. (The DST updates address an issue where, for the first time in more than 20 years, clocks will move forward an hour on the second Sunday in March, instead of the first Sunday in April).
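The DST problem the article refers to is a rule change, so it can be computed: the old US rule started DST on the first Sunday in April, the 2007 rule on the second Sunday in March (the autumn end also moved, from the last Sunday in October to the first Sunday in November, which this example covers as well). The code below is an added illustration, not part of the article or of Apple's or Microsoft's updates; it shows the dates in 2007 on which a device still carrying the old tables is an hour off.

```python
from datetime import date, timedelta

def nth_sunday(year: int, month: int, n: int) -> date:
    """Date of the n-th Sunday of a month (n=1 first, n=2 second, ...)."""
    first = date(year, month, 1)
    days_to_sunday = (6 - first.weekday()) % 7   # weekday(): Mon=0 .. Sun=6
    return first + timedelta(days=days_to_sunday + 7 * (n - 1))

def last_sunday(year: int, month: int) -> date:
    """Date of the last Sunday of a month."""
    nxt = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    last = nxt - timedelta(days=1)
    return last - timedelta(days=(last.weekday() + 1) % 7)

def old_us_dst(year: int):
    """Pre-2007 US rule: first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), last_sunday(year, 10)

def new_us_dst(year: int):
    """Rule in force from 2007: second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)

def in_dst(day: date, rule) -> bool:
    start, end = rule(day.year)
    return start <= day < end

def stale_clock_error_hours(day: date) -> int:
    """Hours an unpatched device (old tables) is off from true local time on `day`.
    -1 means it shows an hour too early, +1 an hour too late, 0 no error."""
    return int(in_dst(day, old_us_dst)) - int(in_dst(day, new_us_dst))

def mismatch_windows(year: int):
    """Inclusive (first_day, last_day) ranges where the two rules disagree."""
    windows, start = [], None
    day = date(year, 1, 1)
    while day.year == year:
        if stale_clock_error_hours(day) != 0:
            start = start or day
        elif start:
            windows.append((start, day - timedelta(days=1)))
            start = None
        day += timedelta(days=1)
    return windows

if __name__ == "__main__":
    for first, last in mismatch_windows(2007):
        print(f"unpatched clocks wrong from {first} to {last}")
```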

[NOTE: Also see Mary Jo Foley's DST change tips for Microsoft users.]

  • Get a Mac - It just works

    after you patch and patch and patch and patch...
    • Get a NonZealot - It just doesn't work

      Are you related to Loverock Davidson cos u 2 sure sound alike.. hahahahaha

      Actually your nick is hypocritical. It should be 'AntiAppleZealot' cos NonZealot you are not!

      That said, no system is 100% perfect, be it Linux, Windows or Apple. It boils down to how critical the flaw is, how easy it is to exploit, how fast the company reacts to it (Patch Tuesday anyone?) and how easy it is to patch.
    • First to post again eh?

      You must hover over ZDnet, constantly hitting the refresh button, just praying for a Mac related story.
    • Do you feel better now?

      I guess you think you made some sort of profound point.
    • Get a Mac

      Yeah, a patch here and a patch there. Whatever. However, I don't remember seeing
      series after series of articles on ZDNet or anywhere else about upgrading OS X,
      unlike Vista. Seems like you MS Vista disciples have your hands full. You'll have to
      patch and patch too once you can figure out how to get Vista onto your XP FAT32
      disk -- oh wait, you can't! You have to erase all your data and settings when you
      reformat your hard drive. What a shame! And if you're upgrading, well, there are
      lots of technical articles that tell you how to do just that, because IT AIN'T EASY

      Give me a patch or two any day.
    • patching is good!

      not patching is bad. Simple enough?
      • Then Windows is better than OSX

        [i]patching is good![/i]

        Wait, let me guess. The rule is actually more complicated:
        1. Take the number of patches that Apple has released.
        2. Take the number of patches that MS has released.

        The number from step #1 is the ideal amount of patching possible. The number from step #2 is the worst amount of patching possible.

        Repeat every month.
  • also mention,

    the daylight savings issue. It's not just a Mac issue. The text is pasted in below from the story on Yahoo. The link being: ;;_ylt=Aj_H7gAA1jEFpX2UmN.gM0whLpA5

    Here is the text

    Boy, am I ever about to give you a great excuse to miss a few appointments! This year Daylight Saving Time has been re-jiggered on the calendar in order to help save energy, but PC and consumer devices don't all know about the change.

    That means you could potentially be an hour off for every appointment you have scheduled from March 11 (the new Daylight Saving Time, 2007) through the first Sunday in April (the traditional, often programmed-into-software calendar date).

    While the experts are saying we're not gearing up for anything as major as the old Y2K scare, there are concerns. Microsoft is reminding users not to take calendar appointments as the gospel truth during this new/old daylight saving time period.

    Since blaming your PC for being late is going to get old real fast, you're probably going to want to get the jump on remedying the situation. Here are some pointers:

    Remember that it's not just your PC that can be affected. It could be your cell phone, PDA, DVD player, TiVO, digital camera... basically anything that has a date setting. See the manufacturer's web site for device-specific advice.
    It can also affect the businesses we use, so check and save your bank deposits and payments during this period, especially if there's a fee for missing a deadline.
    If you're a PC user, software patches (this will supersede the older DST information programmed into your existing operating system and MS applications) and information are available on Microsoft's Daylight Saving Time web site. Microsoft plans to make the patch available as part of its "automatic update" feature. To turn on Automatic Updates visit the PC's Control Panel. If you don't use the feature, you can download the patch manually from Microsoft. Vista users are spared the problem since Vista is so new that it already knows about the change this year.
    Here are some other common sense things you should do:

    Put the time and date of your meeting in the body or header of an email. That way you're not totally dependent on the system calendar or Outlook's automatic date notification. Even after DST issues are gone this is a great suggestion, especially for bicoastal meetings that are always a problem for Outlook.
    Send a verification of the meeting the day before... always a good idea, too.
    If you synchronize devices like your cell phone's calendar with your PC, check the devices before and after you synchronize them so you can see whether one device has overridden another and inadvertently messed things up.
    You might want to keep a printout of calendars during the weeks of this little interlude, especially if you do a lot of synchronizing where data may get overwritten.
    As for your other gadgets see the following sites:

    Apple (to upgrade the OS)

    You can help by getting on your cell phone carrier's case to get some software updates out. They seem to be the missing link.
  • Patching.....

    "after you patch and patch and patch and patch..." -Zealot.

    3 patches for Apple this month vs. 20 patches for Windows. Who's really patching?
    • Not a fair comparison

      Microsoft saves up its patches until the second Tuesday of every month, come hell or
      high water. Apple has this annoying habit of releasing patches as soon as they are
      ready and tested.

      No, wait. MS will break its patch cycle for one thing: Crack any of its DRM and they'll
      have a patch out faster than you can spit.
      • DRM huH?

        I laughed hard on that one. Probably Apple patches quickly for DRM, but from all I've
        read their DRM doesn't get cracked as often as Microsoft's DRM..... still laughing
  • Get A Real Computer

    Get a PC.
    • I do have a real computer.

      I have a couple of PCs and a couple of Macs. They're all real computers. Two of them
      are just a lot easier to use than the other two, and actually do more than the ones
      that, supposedly, have more software.
      • I have a REAL computer.

        It's a SPARCstation IPX. It's sitting in the garage, but I'm certain if I fed it some
        electrons it would boot NetBSD 1.3.3 and go right back to being a great little FTP
        server. I could even put the most up to date NetBSD on it, but never mind that.

        You idiot PC zealots and Mac haters really need to take a step back and stop
        slinging mud about patches at anyone else. Seriously. Recall that you are all
        living in a glass house with most of the panes broken. Try not to gloat when
        others leave their windows (haha!) open a crack. Gloating that they're fixing the
        flaws faster than Microsoft -- recall that "Patch Tuesday" is done because it
        benefits Microsoft, not you -- is especially strange.
      • Please define

        "do more". Name the things that a computer is designed to do, and point out where Apple does more. I'd like to know cause I just might buy a Mac if one can do more for me and my users than a PC.
    • Aw shucks, I thought my Commodore Vic 20 was a real computer

  • Re: Get a real Computer

    "Get A Real Computer Get a PC."

    My Wife has a PC she uses OpenBSD with KDE works great no issues I use a