Month of Apple Bugs: Hole in Apple's iPhoto
While the third flaw made public in the Month of Apple Bugs was not that spectacular, security specialist Kevin Finisterre has upped the ante with the fourth flaw. This flaw in Apple's Photocasting iLife iPhoto can be exploited to inject code onto a Mac and execute it with the user's rights. iPhoto allows people to share their personal digital photo albums. Users can take advantage of a subscription-based XML feed to find out when new images have been added to an album, or a new album has been created.
In iPhoto version 6.0.5 (316), however, Finisterre found a format-string weak point. Manipulated title elements can be used in the XML feed to inject code into Macs. While the non-executable stack prevents the injected code from being executed on Mac OS X., in his security advisory, Finisterre writes that the protection can be broken with the "dyld_stub overwrite technique". In other words, attackers could put albums that seem to be interesting online and infect interested users with contaminants via the feed.
In a test conducted by heise Security, Finisterre's demo exploits caused iPhoto to crash on a Mac mini (x86). Unlike the exploit for the hole in VLC, this exploit does not contain any shell code. While Apple has not provided an official patch yet, the "MOAB" Fixes group has formed around Apple enthusiast Landon Fuller to provide an official patches for all of the holes. The patches are cumulative, meaning that the latest one contains all of the fixes for previous holes. The Application Enhancer (APE) is required to install the patches.
- iLife iPhoto Photocast XML title Format String Vulnerability, security advisory at MOAB
(trk)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
