"Month of Apple Bugs" attacks Mac users
The message on the flaw in iChat Bonjour published as part of the "Month of Apple Bugs" (MoAB-29) contains a hidden trap. It includes a specially prepared JPEG2000 file called heat-up-jp2, which causes Safari to freeze. A comment in the HTML source text reveals that the effect is intentional:
Never use the macbook at (sic) bed again when browsing the MoAB or you will fry your balls, looper
One of the developers of the MoAB Fix Group has found out that the image provokes a relatively long -- possibly even endless -- loop in the libJP2.dylib JPEG2000 library in CoreGraphics.
This is not the first time that the MoAB team has had its fun at the expense of users. Those who tried to call not yet released advisories by guessing their file names were treated to extremely disgusting pornographic images. When heise Security reported on the matter and refused to retract its criticism, calling the action "childish", LMH accused Heise of being into "illegal, dishonest, malicious" activities.
He apparently just failed to understand that a [ticker:uk_83949 German] version of the English report had been published hours beforehand and obviously misunderstood the activities of heise readers as a denial-of-service and brute-force attack by the editors. The time frame of the log files published starts after the publication of the German report, and no address is from heise. A polite request to correct the published statements received no reaction.
Furthermore, IRC users have reported that they have been attacked in the IRC in a live test of the not yet pulished exploit of a hole in the Colloquy IRC client. The initiators of MoAB claim, however, that they are not behind this action.