Stephen Withers
Friday, 05 January 2007 03:18
For the benefit of those who use older versions or alternative browsers, Fuller has released a patch that blocks JavaScript URL requests made via the QuickTime Plugin, crediting Alexander Strange and Rosyna of Unsanity (the company that created Application Enhancer, which is used to deliver these unofficial patches) "for doing most of the work to track down the issue."
The patch is being further developed to prevent attacks via local reference protocol handlers.
Breaking new ground, today's instalment in the Month of Apple Bugs is Mac-specific and concerns iPhoto's photocasting feature. According to LMH and Kevin Finisterre, the 'iLife iPhoto Photocast XML title Format String Vulnerability' means that a specially crafted title element in a feed could possibly lead to the execution of malicious code delivered by the feed.
The suggested workaround is to avoid subscribing to photocasts "without checking first that the feed doesn't contain a malicious payload." However, examining the XML for a feed isn't straightforward, as Safari hands it directly to iPhoto. If you attempt to open the feed in Firefox, go to the URL displayed in the resulting error message, and then choose View > Page Source, you can see the feed's XML.
But that's not the whole story: just because a feed is clean when you first check it, who is to say it will stay that way?
Fortunately, the format string flaw should be relatively easy to patch.
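The workaround above asks the reader to inspect a feed's XML before subscribing. As an added example (not from the article or from the researchers it cites), this Python script flags title elements that contain printf-style conversion specifiers; the sample feed, the function names and the specifier pattern are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# printf-style conversion: % [n$] [flags] [width] [.precision] [length] type.
# '@' is the Objective-C object specifier. This pattern is an assumption of
# this example, not a description of iPhoto's parser.
FORMAT_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|q|j|z|t)?"
    r"[diouxXeEfFgGaAcspn@]"
)

def local_name(tag):
    """Drop a namespace prefix such as '{uri}title'."""
    return tag.rsplit("}", 1)[-1]

def suspicious_titles(feed_bytes):
    """Return [(title_text, [specifiers])] for titles with conversions."""
    # Refuse DTDs so the checker itself is not exposed to entity expansion.
    if b"<!DOCTYPE" in feed_bytes.upper():
        raise ValueError("feed declares a DOCTYPE; refusing to parse")
    hits = []
    for el in ET.fromstring(feed_bytes).iter():
        if local_name(el.tag) != "title":
            continue
        text = "".join(el.itertext())
        # "%%" is an escaped literal percent sign, not a conversion.
        specs = [m.group(0) for m in
                 FORMAT_SPEC.finditer(text.replace("%%", ""))]
        if specs:
            hits.append((text, specs))
    return hits

# Constructed sample feed, not taken from a real photocast.
SAMPLE_FEED = b"""<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Holiday photos</title>
    <item><title>Sunset %x %n</title></item>
    <item><title>100%% sure</title></item>
  </channel>
</rss>"""

if __name__ == "__main__":
    for title, specs in suspicious_titles(SAMPLE_FEED):
        print(f"suspicious title {title!r}: {specs}")
```

A benign title that happens to contain a percent sign followed by a conversion letter is also flagged and needs a manual look. The result only describes the copy of the feed that was inspected.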