Technology news and Jobs 
Information Technology News Apple Mac security flaws detailed by researcher
Information Technology News Apple Mac security flaws detailed by researcher | Apple Mac security flaws detailed by researcher |
|
|
|
| Written by Stan Beer | |
| Saturday, 22 April 2006 | |
|
On April 7, Ferris wrote: "So I have been fuzzing a few Apple OS X applications and found some very interesting issues when fuzzing one Application, other Applications and Services also crash and burn. For example mdimportserver pops up a crash screen almost every few minutes. It really gets in the way, when your trying to break other Applications. Safari seems to be worst when it comes to parsing input correctly. So there seems to be some problems with the claimed solid as a rock UNIX OS. Getting Safari to crash in many different spots is trivial, as where Firefox is very tough. I have been researching the AFP (Apple Filing Protocol) and I wrote a very basic fuzzer and it has found some very neat bugs." In his latest entry on April 17, Ferris writes: "As I previously wrote, I have been fuzzing Mac OS X applications, and have found quite a few flaws. Below are links to some of the flaws which I have found. All of these were reported to This e-mail address is being protected from spam bots, you need JavaScript enabled to view it the beginning of the year. From what I have been told, they 'will be fixed in the next security release'." The flaws are as detailed: Apple OS X 10.4.5 .tiff "LZWDecodeVector ()" Heap Overflow Apple OS X BOM ArchiveHelper .zip Heap Overflow Apple OS X Safari 2.0.3 Multiple Vulnerabilities Apple OS X 10.4.6 "ReadBMP ()" .bmp Heap Overflow Apple OS X 10.4.6 "CFAllocatorAllocate ()" .gif Heap Overflow Apple OS X 10.4.6 .tiff "_cg_TIFFSetField ()" DoS Apple OS X 10.4.6 .tiff "PredictorVSetField ()" Heap Overflow As Ferris points out in his advisories, multiple vulnerabilities exist within the Safari 2.0.3 browser "and all prior versions which causes the application to crash, and or may allow for an attacker to execute arbitrary code." He also details other issues which make Preview, Finder, QuickTime, and Safari potential attack vectors. Apple is reportedly working to fix the security gaps.{moscomment}
Get stories like this delivered daily - FREE - subscribe now When you subscribe get a 12 months license for LiveProject Valued at $99 USD  Download the FREE iTWire desktop alert widget
  |
Tags
| < Prev | Next > |
|---|
Subscribe to iTWire's daily e-newsletter now and get a FREE 12 month license to project management software valued at $99 USD. 
