Feeds

Apple sits on critical Mac bug for 7 months (and counting)

Unix flaw fixed in OpenBSD, not OS X

Remote control for virtualized desktops

Researchers have disclosed a critical vulnerability in the latest version of Mac OS X that they say Apple has sat on for almost seven months without fixing.

The buffer overflow flaw could be exploited by attackers to remotely execute malicious code, and virtually all Apple devices - including Mac computers and servers, iPhones, and even Apple TV - are susceptible, one of the researchers, Maksymilian Arciemowicz, told The Register. SecurityReason.com, the Poland-based security firm he works for, alerted Apple to the vulnerability in the middle of June and again last month, but the computer maker has yet to patch the bug.

By contrast, developers for OpenBSD, NetBSD, FreeBSD, and a variety of Mozilla applications have fixed identical vulnerabilities, in some cases within hours of notification. The bug affects all applications and operating systems that implement gdtoa floating point numbers.

"It was not that difficult to patch it," Arciemowicz wrote in an email. "It seems to us that Apple comes from the assumption that when there is no PoC or exploit given that the problem doesn't exist."

The OS X bug resides in the libc/strtod(3) and libc/gdtoa function. Arciemowicz said the vulnerability could be remotely exploited using booby-trapped PHP code on a website, among other methods.

SecurityReason has posted proof-of-concept code here that shows how the flaw can be exploited to make a machine crash. With additional work - specifically, by manipulating esi and edi registers - it is possible to remotely execute code, Arciemowicz said.

Of the 16 applications or systems known to be affected by the bug, only four remain vulnerable. In addition to OS X, they include Mozilla Sunbird, K-Meleon, and the J programming language. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ford's B-Max: Fiesta-based runaround that goes THUNK
... when you close the slidey doors, that is ...
Official: European members prefer to fondle Apple iPads
Only 7 of 50 parliamentarians plump for Samsung Galaxy S
Fujitsu CTO: We'll be 3D-printing tech execs in 15 years
Fleshy techie disses network neutrality, helmet-less motorcyclists
Space Commanders rebel as Elite:Dangerous kills offline mode
Frontier cops an epic kicking in its own forums ahead of December revival
Intel's LAME DUCK mobile chips gobbled by CASH COW
Chipzilla won't have money-losing mobe unit to kick about anymore
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
5 critical considerations for enterprise cloud backup
Key considerations when evaluating cloud backup solutions to ensure adequate protection security and availability of enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.