DoS vulnerability in Apple's iChat
In their "Month of Apple Bugs", LMH and KF have reported three additional vulnerabilities in Mac OS X and an Apple application. For instance, specially prepared Bonjour messages can cause the iChat agent to crash. All attackers need to do is send packets with certain TXT key hashes. Because Bonjour is a broadcast service, a single packet suffices to take down all of the iChat clients that can be reached in the local access network. Bonjour helps recognize computers, peripherals, and services on networks so that users can access them without complicated configuration. The security advisory says it is not yet clear whether the hole is in iChat or in mDNSResponder, which handles the processing of DNS records transmitted by Bonjour.
In addition, yet another privilege escalation hole can be exploited to gain root privileges, but only if the attacker is a member of the admin group. This time, the crashdump tool is the guilty party; when applications crash, it writes excerpts of memory into directories that the user can manipulate. Apparently, symbolic links can be placed there so that attackers can save their own libraries or binaries, which can then be started with the privileges of crashdump, which are root privileges.
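The symbolic-link problem described above, as an added C example that is not taken from the advisory or from Apple's crashdump code: a writer that opens its output by path follows a link planted in the directory, while one that creates the file exclusively refuses it. The function names, the file name `app.crash` and the `/tmp` paths are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to an already opened descriptor and close it. */
static int put(int fd, const char *data) {
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Weak pattern: open() by path follows a symlink planted at dir/name. */
int write_dump_naive(const char *dir, const char *name, const char *data) {
    char path[512];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    return put(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600), data);
}

/* Hardened: pin the directory, then O_CREAT|O_EXCL fails if name exists, symlink included. */
int write_dump_safe(const char *dir, const char *name, const char *data) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return put(fd, data);
}

/* Constructed scenario: dir/app.crash is a symlink to a file elsewhere; returns that file's size. */
long target_size_after(int (*writer)(const char *, const char *, const char *)) {
    char dir[] = "/tmp/dumpdirXXXXXX", target[] = "/tmp/targetXXXXXX", lnk[64];
    struct stat st;
    int tfd = mkstemp(target);
    if (tfd < 0 || close(tfd) != 0 || !mkdtemp(dir)) return -1;
    snprintf(lnk, sizeof lnk, "%s/app.crash", dir);
    if (symlink(target, lnk) != 0) return -1;
    writer(dir, "app.crash", "memory excerpt");
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lnk); rmdir(dir); unlink(target);
    return size;
}

int main(void) {
    printf("target bytes: naive=%ld safe=%ld\n", target_size_after(write_dump_naive), target_size_after(write_dump_safe));
}
```

`O_NOFOLLOW` on the directory only covers the final path component, so a privileged writer should also keep its output directory out of user-writable locations.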
Furthermore, specially prepared media files in the WMV format allow code to be injected onto Apple computers and executed with user rights. Fortunately, this attack depends on the Flip4Mac Windows Media Components for QuickTime (Version 126.96.36.199), which is not installed by default.
- Overview of MOAB, security advisories by LMH and KF