updated 12:20 pm EST, Wed January 31, 2007
MOAB exploits Safari
A security researcher who promised to deliver a "Month of Apple Bugs" (MOAB) has turned the write-up for the 29th documented flaw into a live exploit of Apple's Safari Web browser, according to isfym.com. Some Safari users who open the page for bug no. 29 will have the browser hang, and will need to force quit it as a result. The researcher, who published the month's first vulnerability, one affecting Apple's QuickTime software, on January 2nd, sparked heated debate among Apple enthusiasts who questioned the ethics of revealing security flaws to the public without giving the software developer, in this case Apple, advance warning. The discovery that one of the bug explanations carries a nested Safari exploit, triggered simply by reading the page, raises further questions about the integrity of the Month of Apple Bugs researcher, who uses the handle "LMH."
The flaw accompanying bug no. 29 appears to be Safari-specific, and is likely a different JPEG 2000 vulnerability from the one Apple fixed with the release of Mac OS X 10.4.8, according to isfym.com.
The image tag in the Web page for bug no. 29 appears to reference a specially crafted JPEG 2000 file. Safari fetches that file as it renders the page's HTML, so no click is needed; on some versions of Apple's browser, processing it causes a hang that can only be cleared with a force quit. A hang of this kind is at minimum a denial of service against anyone who merely visits the page; whether the same crafted file can be driven to anything beyond that is not established by the report.
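Because the hang is triggered by a resource the browser fetches while rendering, the practical check is to inspect a page's image references before opening it in Safari. The following Python is an added example, not code from the article, from isfym.com or from the MOAB site: it extracts the src of every img tag in a page and sniffs the referenced bytes for the JPEG 2000 signatures (the JP2 signature box, and the SOC/SIZ marker pair that opens a raw J2K codestream) instead of trusting the file extension. The sample page, the resources it "fetches" and their file names are constructed for the demonstration; the example does not identify the particular crafted file used for bug no. 29.

```python
"""Sniff a page's <img> references for JPEG 2000 content before a browser
renders it.  Added example; the HTML and resource bytes below are constructed."""
from html.parser import HTMLParser

# JPEG 2000 signatures.  A JP2 container opens with a 12-byte signature box
# (length 0x0C, type 'jP  ', contents 0D 0A 87 0A); a raw J2K codestream
# opens with the SOC marker (FF 4F) immediately followed by SIZ (FF 51).
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
J2K_SOC_SIZ = b"\xff\x4f\xff\x51"


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lowercases tag names for us
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value)


def img_sources(html):
    """Return every <img src> in the page, in the order the browser would fetch them."""
    parser = ImgSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.sources


def is_jpeg2000(data):
    """True if the bytes start like a JP2 container or a raw J2K codestream.
    The file extension is deliberately ignored: a name proves nothing."""
    return data.startswith(JP2_SIGNATURE) or data.startswith(J2K_SOC_SIZ)


def find_jpeg2000_images(html, fetch):
    """Return the <img> sources whose content sniffs as JPEG 2000.

    `fetch` maps a src to its bytes (or None).  Here it is an in-memory
    stand-in for an HTTP GET performed outside the browser, so nothing
    is rendered while the page is being checked."""
    hits = []
    for src in img_sources(html):
        data = fetch(src)
        if data is not None and is_jpeg2000(data):
            hits.append(src)
    return hits


# Constructed sample: a write-up page with an innocuous PNG and a "photo"
# that is really a JP2 container hiding behind a .jpg name.
SAMPLE_HTML = """<html><body>
<h1>bug no. 29</h1>
<img src="logo.png" alt="logo">
<p>details ...</p>
<img src="poc.jpg">
</body></html>"""

SAMPLE_RESOURCES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,          # PNG signature
    "poc.jpg": JP2_SIGNATURE + b"\x00\x00\x00\x14ftypjp2 " + b"\x00" * 8,
}


def demo():
    """Run the check over the constructed sample and return the flagged sources."""
    return find_jpeg2000_images(SAMPLE_HTML, SAMPLE_RESOURCES.get)


if __name__ == "__main__":
    print(demo())  # ['poc.jpg']
```

The check flags poc.jpg despite its extension and ignores logo.png. Sniffing only the leading bytes is enough to decide whether a resource will reach the JPEG 2000 decoder at all; it says nothing about whether a given file is malicious, which is why the conservative response is to avoid rendering unknown JPEG 2000 content in an affected browser rather than to try to judge the file.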
Notably, members of the Apple community banded together shortly after the Month of Apple Bugs was announced to fix the bugs as the site revealed them, and have delivered patches for many of those bugs within hours of their disclosure. MOAB then countered the Mac community's efforts by reporting bugs in the community-provided fixes, and the community responded with corrected patches, again shielding Mac users from would-be attackers wielding the newly disclosed flaws. These are third-party workarounds rather than Apple updates, and they do not replace a fix from the vendor.
A video surfaced in early August 2006 appearing to show two security researchers compromising a MacBook Pro during a Black Hat presentation. The researchers said they chose Apple's hardware for the demonstration because of a "Mac user base aura of smugness on security."
"We're not picking specifically on Macs here, but if you watch those 'Get a Mac' commercials enough, it eventually makes you want to stab one of those users in the eye with a lit cigarette or something," said David Maynor, one of the two security professionals who participated in the demonstration.
Not long after the video circulated across the Internet, however, both researchers admitted that the MacBook Pro used in the demonstration had been fitted with a third-party wireless device driver, and that this driver was what they used to gain access to the notebook. InformationWeek noted that responsible demonstration practice rules out installing a flawed driver just to make a point, and Apple treated the admission as confirmation that its systems are not vulnerable in the way the conference demonstration made them appear. The distinction matters: a compromise that depends on a driver the presenters installed themselves demonstrates a flaw in that driver, not in the wireless software Apple ships.