MoAB day five reveals 'in the wild' exploit

Stephen Withers
Saturday, 06 January 2007 07:56

Your IT - Home IT

Day five of the Month of Apple Bugs has uncovered a vulnerability that is said to be being exploited in the wild.

The Apple DiskManagement BOM Local Privilege Escalation Vulnerability describes a problem whereby the permissions repair process can be tricked into setting incorrect and inappropriate privileges for particular locations.

This situation can then be exploited to "plant a backdoor, overwrite resources or simply gain root privileges." One example presented involves the creation of malicious cron tasks for the root user. Cron is a system function that runs tasks according to a schedule, such as the overnight system maintenance tasks. Cron tasks for the root user run with root privileges, which means they can do anything.

A temporary fix is said to be to remove the setuid bit from DiskManagementTool and to check that the system hasn't already been compromised by comparing the hashes of specified receipt files with those of a new installation.

Yesterday's iPhoto vulnerability has been patched by Finlay Dobbie, a member of Landon Fuller's MOAB Fixes group. "His patch guards the -[SubscribedAlbum registerPublishError:withTitle:] method, escaping all occurances of '%' in the title argument," wrote Fuller.

The latest MOAB Fixes APE (Application Enhancer module) also updates the fix for the QuickTime HREFTrack vulnerability, providing additional protection by only allowing http, https and ftp URLs in a movie's HREFTrack. Credit goes to William Carrel.

The next release will remove the patch for VLC 0.8.6, so users of that media player should install version 0.8.6a before moving to MOAB Fixes 5.0.