Month of Apple Bugs Overview

[Symantec]

Month of Apple Bugs Overview
<p>The month of January is already over and, accordingly, so is the <a href="http://projects.info-pull.com/moab/">Month of Apple Bugs</a> (MoAB). As promised, one advisory was released every day of the month, in some cases addressing numerous vulnerabilities in an application. Unlike the <a href="http://www.symantec.com/enterprise/security_response/weblog/2006/07/a_month_of_browser_bugs_a_litt.html">Month of Browser Bugs</a> and <a href="http://projects.info-pull.com/mokb/">Month of Kernel Bugs</a>, this time we saw the interesting twist of a parallel group starting a <a href="http://landonf.bikemonkey.org/code/macosx/">Month of Apple Fixes</a>. This group was responsible for the release of unofficial run-time patches for the majority of the issues disclosed, with the exception of those affecting the kernel.</p>

<p>The classes of vulnerabilities discovered during the MoAB covered pretty much the whole gamut, including stack and heap corruption, format strings, integer handling, generic design flaws, resource exhaustion, and other denial of service issues. Moreover, a wide range of associated vectors were covered, including remote code execution, client-side code execution, local privilege escalation, and local and remote kernel flaws.</p>

<p>As far as remote kernel flaws go, <a href="http://projects.info-pull.com/moab/MOAB-31-01-2007.html">MOAB-31-01-2007</a> has yet to be released, but is anxiously anticipated by myself and likely many in the industry. The information available suggests that it may be the first publicly available remote kernel exploit for the Apple platform. These have been developed privately in the past and details of the exploitation techniques have also remained private.</p>

<p>There has been some public criticism of the MoAB findings, claiming that they are not related to Apple or they are simply bugs. But I think, overall, the month demonstrated a lot of interesting and/or critical issues that showed that there is more work that needs to be done in securing the platform, especially in regards to the user model. The following is a small diagram illustrating how many issues affected Apple applications specifically versus those affecting other applications or multiple vendors.</p>

<p> <img alt="affectedvendor.jpg" src="http://www.symantec.com/enterprise/security_response/weblog/upload/2007/02/affectedvendor.jpg" width="306" height="135" /></p>

<p>One of the highlights of the vulnerability findings was a critical client-side flaw in the Apple’s Quicktime movie player that could be coupled with one of numerous local vulnerabilities disclosed during the month to remotely obtain root privileges. Another highlight was an interesting flaw affecting the User Notification Dialog, which effectively turns any local crash into a privilege escalation issue.</p>

<p>We haven’t seen the last of the Month of X Bugs and this may not strictly be a bad thing. Each month has helped expose areas that vendors need to spend more time auditing and securing. The end result is always that numerous flaws are fixed and therefore no longer accessible to attackers.<br />
</p>
http://www.symantec.com/enterprise/security_response/weblog/2007/02/month_of_apple_bugs_overview.html
http://www.symantec.com/enterprise/security_response/weblog/2007/02/month_of_apple_bugs_overview.html
Thu, 08 Feb 2007 05:00:00 -0800