
Apple fixes iChat, Finder (MoAB) flaws

Apple has started fixing security holes exposed during January's MoAB (Month of Apple Bugs) project.
Written by Ryan Naraine, Contributor on

A software update from Cupertino today provides cover for a pair of flaws in iChat and a code execution vulnerability in Finder. All three vulnerabilities were publicly disclosed by L.M.H. and Kevin Finisterre, the two hackers behind MoAB.

According to Apple's Security Update 2007-002 alert, a maliciously crafted disk image may lead to an application crash or arbitrary code execution in Mac OS X v10.4.8 and Mac OS X Server v10.4.8.

Apple described the issue as a buffer overflow in Finder's handling of volume names and warned that a proof-of-concept for this issue is already available on the MoAB site. Finisterre is prominently credited in Apple's advisory.

Two bugs in iChat are also fixed. The first could allow attackers on a local network to cause the program to crash because of a null pointer dereference in iChat's Bonjour message handling. The second iChat fix is even more serious because it puts Mac OS X users at risk of code execution attacks with limited user action.

"By enticing a user to access a maliciously-crafted AIM URL, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution," Apple said, noting again that demo code for exploiting this issue is available at the MoAB project page.

The update also fixes a bug in UserNotification that could allow malicious local users to obtain system privileges.

Apple also released two software updates to add support for the latest Daylight Saving Time (DST) and time zone information. (The DST updates address an issue where, for the first time in more than 20 years, clocks will move forward an hour on the second Sunday in March, instead of the first Sunday in April.)

[NOTE: Also see Mary Jo Foley's DST change tips for Microsoft users.]
