Proof-of-concept exploiting Mac OS X flaw released

Researchers have released proof-of-concept code exploiting an unpatched buffer overflow vulnerability in the Mac OS X.

The flaw could allow an attacker to execute arbitrary code or launch a denial-of-service (DoS) attack, according to researchers at the Poland-based security auditing firm SecurityReason.com, which first discovered the vulnerability last May. Proof-of-concept (PoC) code was released Friday, according to a company alert.

“We assume that the entire product line of Apple, including Macintosh computers and servers, iPhones, iPods and Apple TV, could be affected by this issue,” SecurityReason.com researcher Maksymilian Arciemowicz told SCMagazineUS.com on Tuesday in an email.

Apple was notified about the vulnerability in June, then again in December. The issue still has not been fixed, researchers said.

The bug affects 15 other applications and systems that use the vulnerable code – most of which have been fixed, Arciemowicz said. Besides Mac OS X, the vulnerability remains open in Mozilla Sunbird, K-Meleon and the J programming language. 

Meanwhile, developers for NetBSD fixed the issue back in May, the same day they were notified, Maksymilian said. It has also been corrected in several Mozilla applications, including Firefox, Opera, Google Chrome, OpenBSD, FreeBSD, KDE and F-Lock.

“It seems to us that Apple comes from the assumption that when there is no PoC or exploit given, that the problem doesn't exists,” Arciemowicz said.

An Apple spokesperson did not respond to a request for comment on Tuesday.