The month of January is already over and, accordingly, so is the Month of Apple Bugs (MoAB). As promised, one advisory was released every day of the month, in some cases addressing numerous vulnerabilities in an application. Unlike the Month of Browser Bugs and Month of Kernel Bugs, this time we saw the interesting twist of a parallel group starting a Month of Apple Fixes. This group was responsible for the release of unofficial run-time patches for the majority of the issues disclosed, with the exception of those affecting the kernel.
The classes of vulnerabilities discovered during the MoAB covered pretty much the whole gamut, including stack and heap corruption, format strings, integer handling, generic design flaws, resource exhaustion, and other denial of service issues. Moreover, a wide range of associated vectors were covered, including remote code execution, client-side code execution, local privilege escalation, and local and remote kernel flaws.
As far as remote kernel flaws go, MOAB-31-01-2007 has yet to be released, but is anxiously anticipated by myself and likely many in the industry. The information available suggests that it may be the first publicly available remote kernel exploit for the Apple platform. These have been developed privately in the past and details of the exploitation techniques have also remained private.
There has been some public criticism of the MoAB findings, claiming that they are not related to Apple or they are simply bugs. But I think, overall, the month demonstrated a lot of interesting and/or critical issues that showed that there is more work that needs to be done in securing the platform, especially in regards to the user model. The following is a small diagram illustrating how many issues affected Apple applications specifically versus those affecting other applications or multiple vendors.
One of the highlights of the vulnerability findings was a critical client-side flaw in Apple’s QuickTime movie player that could be coupled with one of numerous local vulnerabilities disclosed during the month to remotely obtain root privileges. Another highlight was an interesting flaw affecting the User Notification Dialog, which effectively turns any local crash into a privilege escalation issue.
We haven’t seen the last of the Month of X Bugs and this may not strictly be a bad thing. Each month has helped expose areas that vendors need to spend more time auditing and securing. The end result is always that numerous flaws are fixed and therefore no longer accessible to attackers.