Filename bug affects multiple Apple apps

For its penultimate instalment, the Month of Apple Bugs points to a format string vulnerability affecting Help Viewer, iMovie, iPhoto, Safari and potentially other applications using certain functions from the AppKit framework.

According to Apple's documentation, AppKit "is a framework containing all the objects you need to implement your graphical, event-driven user interface: windows, panels, buttons, menus, scrollers, and text fields." It is therefore likely to be used by a great many applications. However, Kevin Finisterre and LMH aren't claiming that the functions are inherently flawed, just that various developers don't understand how to use them properly.

When one of the listed applications attempts to open a file with a name containing formatting commands, for example %n%n%n%n%n%n%n%n%n%n%n.imovieproj, a crash occurs. A code execution exploit would be "difficult".
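The bug class described above, sketched as an added example that is not code from the article, Apple, or the MoAB project: it uses C's `snprintf` as a stand-in for the AppKit functions, which the article does not name, and the function names `format_open_error` and `count_format_directives` are hypothetical. It shows the file name passed as data under a constant format string, plus a helper that flags names containing format directives.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, shown only as a comment for contrast: the untrusted file
 * name is used as the format string, so "%n" or "%s" in it is interpreted.
 *
 *     snprintf(out, outlen, filename);
 */

/* Safe pattern: constant format string, file name passed as an argument.
 * Returns the length snprintf would have written, or a negative value. */
int format_open_error(char *out, size_t outlen, const char *filename)
{
    return snprintf(out, outlen, "Cannot open \"%s\"", filename);
}

/* Audit helper (hypothetical): count conversion directives in a name so it
 * can be flagged in logs. "%%" is a literal percent sign and is skipped. */
int count_format_directives(const char *name)
{
    int count = 0;
    for (const char *p = name; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent, not a directive */
            p++;
            continue;
        }
        if (p[1] != '\0')           /* a lone trailing '%' is not counted */
            count++;
    }
    return count;
}

int main(void)
{
    /* File name quoted in the article. */
    const char *name = "%n%n%n%n%n%n%n%n%n%n%n.imovieproj";
    char msg[128];

    format_open_error(msg, sizeof msg, name);
    printf("%s\n", msg);
    printf("directives: %d\n", count_format_directives(name));
    return 0;
}
```

Compilers can catch the unsafe form at build time: GCC and Clang warn on a non-literal format string with `-Wformat-security`.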

The duo show they still have a sense of humour by suggesting that those looking for a workaround or temporary solution should "Seek out Landon Fuller and he shall destroy all that is evil!"

How Fuller and other members of the MoAB Fixes group will respond to that remains to be seen. For now, they are still busy investigating what appears to be a denial of service attack on Safari that was built into day 29's disclosure. It appears that a malformed JPEG2000 image embedded in the page causes Safari to stop responding. Apparently Firefox uses a different routine for displaying such images, as it is able to render the page without incident.

The fact that today's disclosure is published on Finisterre's digitalmunition.com site rather than the project's usual home might be related to yesterday's 'attack'. Or it might just be a coincidence.