Mac OS X vulnerability left unpatched for months
New information about a security hole in Mac OS X ,which has been known for about seven months, could finally force Apple to fix the problem. The hole is a new instance of the flawed implementation of the
dtoa (double to ascii) C function for converting floating point numbers into strings. During conversion, a flaw in the array index can allow some memory areas to be overwritten. Since the flaw originated in a C library file it found its way into a number of operating systems and applications.
By adding certain formatting characters to print functions, attackers can exploit the vulnerability to provoke a heap overflow, inject arbitrary code in a system, and execute it there. Publicly known since last June, the hole was rated (extremely) critical and has been fixed by several browser vendors, such as Opera, Google and the Mozilla Foundation. OpenBSD, FreeBSD and NetBSD also contained the hole, but have now been updated to close it.
According to Maksymilian Arciemowicz, who discovered the vulnerability, the
dtoa flaw does exist in Mac OS X 10.5.x and 10.6.x, but it can't be exploited via normal print functions such as printf. However, the strtod (string to double) libc function also uses the vulnerable
dtoa code and can, in turn, be exploited via printf. Arciemowicz has released a short demo program which provokes the flaw – although it only causes the application to crash. However, according to Arciemowicz, it is not difficult to manipulate the ESI and EDI registers in such a way that injected code can be executed. Users apparently only need to visit a specially crafted web page to fall victim to the attack.
Why Apple hasn't closed the known hole in
dtoa is an open question. Arciemowicz speculates that the previous absence of a proof-of-concept exploit led Apple to believe the hole can't be exploited. He said that other affected vendors usually respond promptly after being informed about vulnerabilities.
A similar misinterpretation of a hole in Java already caused considerable trouble for Apple last year. It was probably only an exploit published by security specialist Landon Fuller that eventually made Apple release an updated version of Java to close the hole.
- Security hole in Thunderbird 2.x, a report from The H.
- Opera 10.10 closes "extremely severe" hole, a report from The H.
- Google closes vulnerability in Chrome 3, a report from The H.
- Exploit for unpatched vulnerability in Mac OS X, a report from The H.