"Arbitrary code execution is possible, as we control the size parameter used for buffer allocation and data is being copied directly from the stream in the DMG image," writes MoAB's LMH, adding that Apple was aware of this flaw over a month ago.

In related news, some people have complained that the proof of concept for an earlier bug disclosed by MoAB (day 7's Application Enhancer (APE) Local Privilege Escalation) did what it promised: "drop a backdoor on the system and possibly perform other hilarious operations."

In a blog post, LMH points out "The disclaimer is clear enough, and if they go around downloading and voluntarily executing random code (read, a exploit), it's certainly their responsibility to set up a properly isolated environment. Otherwise you're total jackass or plain retarded".{moscomment}