
Month of Apple Bugs project reveals highly critical Mac OS X flaw

A highly-critical vulnerability in Mac OS X that can be exploited to compromise users' systems was disclosed on Thursday.

The flaw is part of the Month of Apple Bugs (MoAB) project, the brainchild of Kevin Finisterre and a researcher with the handle of LMH.

LMH reported the vulnerability, which is caused by an integer overflow in a function that handles UFS filesystem disk images: the wrapped size leads to an undersized heap allocation that subsequent processing of the image then overruns.

"This can be exploited to cause a heap-based buffer overflow via a specially crafted UFS DMG image," according to the Secunia website. "Successful exploitation may allow the execution of arbitrary code."
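As an added illustration of the bug class the advisory describes (this is not the XNU or MoAB code, and the header layout, field names and sizes below are hypothetical), the vulnerable integer-overflow-to-heap-overflow pattern in C next to a hardened version. The overflow check assumes the GCC/Clang `__builtin_mul_overflow` builtin; the sample header values are constructed to show the wrap.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical image header (not the real UFS/DMG layout): an attacker who
 * crafts the image controls both fields. */
struct img_header {
    uint32_t nentries;    /* number of table entries claimed by the image */
    uint32_t entry_size;  /* size in bytes of each entry */
};

/* Vulnerable pattern: the 32-bit product silently wraps, so the code asks
 * for a small buffer while the copy that follows still trusts nentries.
 * Returns the allocation size the vulnerable code would request. */
uint32_t vuln_alloc_size(const struct img_header *h)
{
    return h->nentries * h->entry_size;          /* wraps modulo 2^32 */
}

/* How many bytes the vulnerable copy loop would actually write, computed
 * in 64 bits so the gap between "requested" and "written" is visible. */
uint64_t vuln_bytes_written(const struct img_header *h)
{
    return (uint64_t)h->nentries * (uint64_t)h->entry_size;
}

/* Hardened pattern: refuse the image unless the product fits and does not
 * exceed the data actually present after the header.
 * Returns 1 and stores the size in *out on success, 0 on any inconsistency. */
int safe_alloc_size(const struct img_header *h, size_t image_len, size_t *out)
{
    size_t total;
    if (image_len < sizeof(struct img_header))
        return 0;                                /* no room for the header itself */
    if (h->nentries == 0 || h->entry_size == 0)
        return 0;                                /* degenerate table */
    if (__builtin_mul_overflow((size_t)h->nentries, (size_t)h->entry_size, &total))
        return 0;                                /* product would wrap */
    if (total > image_len - sizeof(struct img_header))
        return 0;                                /* header claims more data than the file holds */
    *out = total;
    return 1;
}

/* Hardened parse: copy the entry table out of the image only after the
 * size has been validated. Returns the number of entries copied, 0 on
 * rejection. The caller owns *table on success. */
size_t parse_entries(const uint8_t *image, size_t image_len, uint8_t **table)
{
    struct img_header h;
    size_t total;
    *table = NULL;
    if (image_len < sizeof h)
        return 0;
    memcpy(&h, image, sizeof h);                 /* avoid unaligned access */
    if (!safe_alloc_size(&h, image_len, &total))
        return 0;
    *table = malloc(total);
    if (*table == NULL)
        return 0;
    memcpy(*table, image + sizeof h, total);     /* bounded by the check above */
    return h.nentries;
}

/* Constructed sample: a header that wraps. 0x01000001 * 0x100 = 0x100000100,
 * which truncates to 0x100 (256 bytes) in 32-bit arithmetic. */
static const struct img_header crafted = { 0x01000001u, 0x100u };

uint32_t demo_wrapped_size(void)        { return vuln_alloc_size(&crafted); }
uint64_t demo_real_write(void)          { return vuln_bytes_written(&crafted); }
int demo_safe_accepts_crafted(void)
{
    size_t n;
    return safe_alloc_size(&crafted, 4096, &n);  /* 0: the crafted header is rejected */
}

/* A benign constructed image: header plus 4 entries of 64 bytes each. */
size_t demo_benign_parse(void)
{
    uint8_t image[sizeof(struct img_header) + 4 * 64];
    struct img_header h = { 4u, 64u };
    uint8_t *table;
    size_t n;
    memset(image, 0xAB, sizeof image);
    memcpy(image, &h, sizeof h);
    n = parse_entries(image, sizeof image, &table);
    free(table);
    return n;
}

int main(void)
{
    printf("vulnerable code requests %u bytes, copy would write %llu bytes\n",
           demo_wrapped_size(), (unsigned long long)demo_real_write());
    printf("hardened check accepts crafted image: %d\n", demo_safe_accepts_crafted());
    printf("benign image parsed entries: %zu\n", demo_benign_parse());
    return 0;
}
```

The point of the hardened version is that the size check is made in the widest arithmetic available and is tied to the number of bytes really present in the image, so a header can neither wrap the allocation nor claim more data than the file carries; the vulnerable version trusts two attacker-controlled fields and multiplies them in the same width they were read in.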

Secunia ranked the vulnerability as "highly critical."

MoAB researchers said that the problem was initially found as part of the Month of Kernel Bugs (MoKB) project but was never released because of time constraints.

"This issue is related to those published in the UFS code as part of the Month of Kernel Bugs, and the set of DMG flaws that couldn't make it to the MoKB schedule," they wrote on their website. "As DMG encapsulates filesystem streams, most of the bugs existent in the FreeBSD kernel sources tree can be abused in Mac OS X's XNU via rogue DMG images."

The flaw is remotely exploitable only through the Safari web browser, and only when the "Open 'safe' files after downloading" option is enabled, because Safari then mounts a downloaded disk image automatically. Security experts strongly recommend disabling this option on all OS X systems (Safari's General preferences, backed by the AutoOpenSafeDownloads key in com.apple.Safari). Note that this removes only the drive-by vector: the underlying kernel bug remains, and a crafted image that a user mounts by hand will still trigger it.
