In association with heise online

05 January 2007, 13:11

Month of Apple Bugs: Hole in Apple's iPhoto

While the third flaw made public in the Month of Apple Bugs was not that spectacular, security specialist Kevin Finisterre has upped the ante with the fourth. This flaw, in the Photocasting feature of iPhoto from Apple's iLife suite, can be exploited to inject code onto a Mac and execute it with the user's rights. iPhoto allows people to share their personal digital photo albums. Users can take advantage of a subscription-based XML feed to find out when new images have been added to an album or a new album has been created.

In iPhoto version 6.0.5 (316), however, Finisterre found a format string vulnerability. Manipulated title elements in the XML feed can be used to inject code into Macs. While the non-executable stack prevents the injected code from being executed on Mac OS X, Finisterre writes in his security advisory that the protection can be broken with the "dyld_stub overwrite technique". In other words, attackers could put albums that seem interesting online and infect interested users with malicious code via the feed.
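As an added illustration (not code from heise Security, Finisterre or Apple), the following sketch shows how a defender could pre-screen a feed for title elements that carry printf-style conversions before a client subscribes to it. The feed layout, sample titles and function names are constructed assumptions; the actual remedy is for the application to treat the title as data rather than as a format string.

```python
import re
import xml.etree.ElementTree as ET

# printf-style conversion: %[n$][flags][width][.precision][length]conv.
# "%%" is matched first so a literal percent sign is consumed and not reported.
SPEC = re.compile(
    r"%(?:%|(?:\d+\$)?[-+ #0']*(?:\d+|\*)?(?:\.(?:\d+|\*)?)?"
    r"(?:hh|h|ll|l|q|j|z|t|L)?([diouxXeEfFgGaAcCsSpn@]))"
)

# Constructed sample feed (hypothetical layout, not a captured photocast).
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Family album, 100% real</title>
    <item><title>Beach day</title></item>
    <item><title>IMG_0042 %x%x%x%n</title></item>
    <item><title>Sale %25$s</title></item>
  </channel>
</rss>"""


def scan_feed(xml_text):
    """Return (title_text, [conversions]) for every <title> holding conversions."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        # Drop any namespace prefix so namespaced title elements are covered too.
        if elem.tag.rsplit("}", 1)[-1] != "title":
            continue
        text = "".join(elem.itertext())
        convs = [m.group(0) for m in SPEC.finditer(text) if m.group(1)]
        if convs:
            findings.append((text, convs))
    return findings


def has_write_primitive(convs):
    """%n stores a count through a pointer argument, so it is the highest-risk conversion."""
    return any(c.endswith("n") for c in convs)


if __name__ == "__main__":
    for title, convs in scan_feed(SAMPLE_FEED):
        level = "WRITE (%n)" if has_write_primitive(convs) else "read"
        print(f"{level:10} {title!r} -> {convs}")
```

A plain percent sign such as "100% real" is not reported, because no valid conversion character follows it.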

In a test conducted by heise Security, Finisterre's demo exploits caused iPhoto to crash on a Mac mini (x86). Unlike the exploit for the hole in VLC, this exploit does not contain any shellcode. While Apple has not provided an official patch yet, the "MOAB" Fixes group has formed around Apple enthusiast Landon Fuller to provide unofficial patches for all of the holes. The patches are cumulative, meaning that the latest one contains all of the fixes for previous holes. The Application Enhancer (APE) is required to install the patches.
