| # | Advisory | Description | PoC / exploit | CVE |
|---|---|---|---|---|
| 30 | Multiple Apple Software Format String Vulnerabilities | Apple Help Viewer, Safari, iMovie and iPhoto are affected by multiple format string vulnerabilities, related to certain AppKit functions that have been documented in previous releases. | Not required. | CVE-NO-NAME |
| 29 | Apple iChat Bonjour Multiple Denial of Service Vulnerabilities | The Bonjour functionality of Apple iChat is affected by several remotely exploitable denial of service flaws, which can be triggered by advertising presence services over multicast DNS. | MOAB-29-01-2007.rb | CVE-NO-NAME |
| 28 | Apple crashdump Privilege Escalation Vulnerability | | | |
| 27 | Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability | Flip4Mac fails to properly handle WMV files with a crafted ASF_File_Properties_Object size field, leading to an exploitable memory corruption condition which can be abused remotely for arbitrary code execution. | MOAB-27-01-2007.wmv | CVE-2007-0466 |
| 26 | Apple Installer Package Filename Format String Vulnerability | Apple Installer fails to properly handle package filename strings. It is affected by a typical format string vulnerability, which can lead to a denial of service condition or arbitrary code execution. | Not necessary | CVE-2007-0465 |
| 25 | Apple CFNetwork HTTP Response Denial of Service | CFNetwork fails to handle certain HTTP responses properly, causing the | | |
| 24 | Apple Software Update Catalog Filename Format String Vulnerability | Software Update fails to properly handle the filename strings containing the | | |
| 23 | Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability | A vulnerability exists in the handling of ARGB (Alpha RGB) records within PICT images that leads to an exploitable memory corruption condition. | MOAB-23-01-2007.pct | CVE-2007-0462 |
| 22 | Apple UserNotificationCenter Privilege Escalation Vulnerability | UserNotificationCenter retains wheel privileges at execution time, and still has a UID associated with the current user. Because of this, it will attempt to run any | | |
| 21 | System Preferences writeconfig Local Privilege Escalation Vulnerability | The preference panes setuid helper, | | |
| 20 | Apple iChat aim:// URL Handler Format String Vulnerability | The handling of the AIM URI scheme in Apple iChat (referred to as the 'URL handler') is affected by a classic format string vulnerability, allowing remote users to cause a denial of service condition or arbitrary code execution. | MOAB-20-01-2007.html | CVE-2007-0021 |
| 19 | Transmit.app ftps:// URL Handler Heap Buffer Overflow | Transmit does not allocate enough space for the string passed in via the ftps:// URL handler, leading to an exploitable heap-based buffer overflow condition. | MOAB-19-01-2007.html | CVE-2007-0020 |
| 18 | Rumpus Multiple Vulnerabilities | | | |
| 17 | Apple SLP Daemon Service Registration Buffer Overflow Vulnerability | | | |
| 16 | Multiple Colloquy IRC Format String Vulnerabilities | Colloquy is vulnerable to a format string vulnerability in the handling of INVITE requests, which can be abused by remote users and requires no interaction at all, leading to a denial of service and potential arbitrary code execution. | MOAB-16-01-2007.rb | CVE-2007-0344 |
| 15 | Multiple Mac OS X Local Privilege Escalation Vulnerabilities | Multiple binaries inside the /Applications directory tree are setuid root but remain writable by users in the admin group (e.g. the first user created by default in a non-server Mac OS X installation), allowing privilege escalation. | MOAB-15-01-2007.rb | CVE-2007-0345 |
| 14 | AppleTalk ATPsndrsp() Heap Buffer Overflow Vulnerability | The | | |
| 13 | Apple DMG HFS+ do_hfs_truncate() Denial of Service Vulnerability | A specially crafted HFS+ filesystem in a DMG image can cause the | MOAB-13-01-2007.dmg.gz | CVE-2006-5482 (similar old issue, UFS-based) |
| 12 | Apple DMG UFS ufs_lookup() Denial of Service Vulnerability | A specially crafted UFS filesystem in a DMG image can cause the | | |
| 11 | Apple DMG UFS byte_swap_sbin() Integer Overflow Vulnerability | The | | |
| 10 | Apple DMG UFS ffs_mountfs() Integer Overflow Vulnerability | The ffs_mountfs() function, part of the UFS filesystem handling code (shared between FreeBSD and the Mac OS X XNU kernel), is affected by an integer overflow vulnerability, leading to an exploitable denial of service condition and potential arbitrary code execution. | MOAB-10-01-2007.dmg.gz | CVE-2006-5679 |
| 9 | Apple Finder DMG Volume Name Memory Corruption | Finder is affected by a memory corruption vulnerability, triggered by the volume name of a DMG image, which leads to an exploitable denial of service condition and potential arbitrary code execution. | MOAB-09-01-2007.rb | |
| 8 | Application Enhancer (APE) Local Privilege Escalation | Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges. | exploit-of-the-apes.rb | CVE-2007-0162 |
| 6 | Multiple Vendor PDF Document Catalog Handling Vulnerability | The current PDF specification is affected by a design flaw: a rogue Pages entry or malicious catalog dictionary could cause a denial of service (memory corruption, memory leakage, etc.) or potential arbitrary code execution in the reader application. | MOAB-06-01-2007.pdf | CVE-2007-0104 |
| 5 | Apple DiskManagement BOM Local Privilege Escalation Vulnerability | A vulnerability in the handling of BOM files by DiskManagement/diskutil allows rogue permissions to be set on the filesystem. This can be used to execute arbitrary code and escalate privileges. | MOAB-05-01-2007.rb | |
| 4 | iLife iPhoto Photocast XML title Format String Vulnerability | A format string vulnerability in the handling of the title field of iPhoto XML feeds allows potential remote arbitrary code execution. | MOAB-04-01-2007.rb | CVE-2007-0051 |
| 3 | Apple QuickTime HREFTrack Cross-Zone Scripting Vulnerability | A vulnerability in the handling of the HREFTrack field allows cross-zone scripting, leading to potential remote arbitrary code execution. | MOAB-03-01-2007.rb | CVE-2007-0059 |
| 2 | VLC Media Player udp:// Format String Vulnerability | A vulnerability in the handling of the udp:// URL handler allows remote arbitrary code execution. | VLCMediaSlayer-x86.pl | |
| 1 | Apple QuickTime rtsp URL Handler Stack-based Buffer Overflow | A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution. | MOAB-01-01-2007.rb | CVE-2007-0015 |
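Advisory 15 above (MOAB-15-01-2007) describes setuid-root binaries under /Applications that stay writable by members of the admin group, so any admin user can replace the executable and have it run as root. The audit script below is an added example written for this page; it is not one of the MoAB proof-of-concept files and its function names are its own. It also generalizes the check: rather than looking for the admin group specifically, it flags every setuid file that is writable by its group or by everyone, since the group that ends up with the write bit varies between installations.

```sh
#!/bin/sh
# Added example (not part of the MoAB advisories): audit a directory tree for
# files that carry the setuid bit and are writable by group or others.
# MOAB-15-01-2007 abused exactly this pattern under /Applications.
# Function names and the scanned directory are this example's own choices.

# find_writable_setuid DIR
# Prints, one path per line, the regular files under DIR that have the setuid
# bit set and a group or world write bit. Anyone matching that write bit can
# overwrite the binary that will later execute with the owner's privileges.
find_writable_setuid() {
    dir=$1
    # -perm -4000: setuid bit set; -perm -g=w / -perm -o=w: group/other write bit.
    find "$dir" -type f -perm -4000 \( -perm -g=w -o -perm -o=w \) 2>/dev/null | sort
}

# count_writable_setuid DIR
# Same scan, but prints the number of offending files, so the result can feed
# a monitoring check or a script's exit status. grep -c exits 1 on zero
# matches, so the count is still printed but the non-zero status is masked.
count_writable_setuid() {
    find_writable_setuid "$1" | grep -c . || :
}

# report_setuid DIR
# Human-readable report with owner, group and mode, so the auditor can see
# which group actually holds the write bit on each offender.
report_setuid() {
    find_writable_setuid "$1" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# fix_writable_setuid DIR
# Remediation: strip the group/other write bits from each offender. Only the
# write bits change; the setuid bit and the owner stay as they were. On a real
# /Applications tree the files are owned by root, so this needs sudo.
fix_writable_setuid() {
    find_writable_setuid "$1" | while IFS= read -r f; do
        chmod go-w "$f"
    done
}

# Usage on a Mac OS X host:
#   sh audit_setuid.sh /Applications          # report only
#   sudo sh -c '. ./audit_setuid.sh; fix_writable_setuid /Applications'
if [ -n "$1" ]; then
    report_setuid "$1"
fi
```

Reporting works as an unprivileged user because find only needs read access to the directory tree; the fix step has to run as root on real installations since the offending files are root-owned. The scan deliberately ignores setgid-only files, which are a separate (lower-impact) class.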
Frequently Asked Questions (FAQ)
The following list of questions and answers aims to provide some information regarding the motives and related facts about the MoAB, such as the products involved and the disclosure terms. Please check that your question isn't already answered here before attempting to contact us. Any unsolicited, offensive or nonsensical e-mail will be ignored, published with details, or reported to the proper parties.
- Is this an attack, revenge, conspiracy or some kind of evil plot against Apple and the users of Apple products?

Not at all, some of us use OS X on a daily basis. Getting problems solved makes that use a bit safer each day, for everyone else. Flaws exist, with and without people disclosing them. If we wanted to make business out of this we would be selling the issues and the proper exploit for each one. Thus, business-wise, we are wasting a good cake with this project (although software by Apple isn't really of interest in these terms, except iTunes and other high-profile applications).

- But XXX bug is a crash, not an exploit. But XXX is a kernel panic. But XXX is (some gobbledegook).

Shrug. Fortunately this time there will be working exploits for almost every critical advisory released, thus there will be less room for drama and speculation.

- Are Apple products the only target of this initiative?

Not at all, but they are the main focus. We'll be looking over popular OS X applications as well.

- Are the issues being reported to the vendor before public disclosure?

Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end. 'Responsible disclosure' exists when the vendor doesn't deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don't trust Apple on these matters due to the track record of incidents and unpleasant situations surrounding their policy on product vulnerability handling.

- Does "someone" pay, sponsor or support this? e.g. is this initiative influenced by (random software vendor) in order to spread FUD over a competitor's products?

Definitely, no way. For conspiracy theories, please watch the X-Files.

- Why Apple and not (random software vendor)?

We like to play with OS X, we enjoy hate e-mail and it's not as crowded as (random software vendor), yet. Thus, it's really comfortable for research and there's so much to be worked out.

- John Doe has written a 'post' in his blog, saying he debunks the XXX bug. What's that about?

No worries. It's probably someone begging for attention or PR-brainwashed. Like good old Dirty Harry said...

De Georgio: You need any help?
Harry Callahan: Go on out and get some air, fatso.

- I'm going to kill you and your dog. And pee in your empty dead skull.

The hardcore bondage club is at the other building. Have a nice day.

- What does "pwnie" mean? Doesn't the use of a monstrous pony image and pink colour lessen the credibility of this work?

The 'pwnies phenomenon' is nothing more than yet another meme or nonsense net-folklore. The original image was done by Jon-Mikel Gates and was sent to Jonathan Coulton. Someone proposed using it to give a sarcastic / humorous sense to the Apple-related bugs. Probably, the intention was to create a slang term (pink bug) for these issues, given the totally nonsensical and immature reaction from so-called Mac fanboys. On the second question, if that, for you, ruins the credibility of this exercise, you're clearly not the audience we're speaking for.
This initiative aims to serve as an effort to improve Mac OS X, uncovering security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more security-conscious user-base and better practices from the management side of Apple. Also, we want to develop and provide tools and documented techniques to aid security research on this platform. If nothing else, we had fun working on it and hope people out there will enjoy the results.

(Lance M. Havok and Kevin Finisterre, 2006).
Press and pressure
What the media and press say about the MoAB:
- Apple Bug-Hunt Begins - PC World
- Month of Apple bugs planned for January - The Register
- Coming in January: Month of Apple Bugs - Security Watch (eWeek)
- Coming in January: "Month of Apple Bugs" - Security Fix (The Washington Post)
- An Apple (Bug) a Day - Dark Reading
- Flaw Found in Apple Bug-Fix Tool (Slashdot)
- Month of Apple Bugs - First Bug Unveiled (Slashdot)
- Security project focuses on Apple (BBC News)
...and Public Relations (PR) drama:
- Editorial - A Month of Continuous Foolishness - MacObserver.
Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author(s) be liable for any direct or indirect damages whatsoever resulting from or in connection with the use or spread of this information, which is distributed for educational and research purposes only. Any use of this information is at the user's own risk.