iChat latest on 'Apple Bugs' list

Stephen Withers
Monday, 22 January 2007 03:41

Your IT - Home IT

A flaw in Apple's iChat text, audio and video chat application is the subject of the latest disclosure in the Month of Apple Bugs.

A malformed aim URL can be delivered via JavaScript or Flash in order to crash the program. A code execution exploit "is certainly more difficult" but "We are investigating some possibilities", wrote LMH.

The suggested workaround is to disable the aim URL handler.

Meanwhile, the MoAB Fixes team have been busy. The weekend saw the release of their latest patches, which prompt for user confirmation before a disk image file is mounted (as a partial measure against MoAB 9, 10, 11, 12 and 13), control the length of strings passed to a vulnerable routine in Transmit (MoAB 19), and sanity-check GIF image blocks before they are sent to Java's GIF image decoder (recently disclosed by the Zero Day Initiative).

Team member William Carrel has also released a script that sets more secure permissions on certain folders (MoAB 5, 8 and 15). The script also modifies the corresponding receipt files so that repairing permissions does not undo the changes.

Work is underway on a patch for the iChat flaw described above.