|Home » Industry Watch (» The Technological » Hall of Monkeys » Heroes Banquet)
Seven Months and Counting
There's no hurry.
THE INTERNET (Rixstep) -- SecurityReason.com discovered a pernicous bug in Unix libc code seven months ago and alerted all affected parties who immediately got with the programme and patched it. All except Apple.
Maintainers of similar OS kernels have long since addressed the vulnerability. These include FreeBSD, NetBSD, OpenBSD, and several Mozilla applications. Apple's OS X is a derivative of Unix that directly uses the FreeBSD source tree. Apple don't even have to work out the fix - it's already been done for them by the FreeBSD group. And still they can't bother to provide the fix.
The bug can cause a kernel panic and with a little tweaking can be turned into an attack from PHP code on a website.
16 modules were known to be vulnerable and twelve are patched. The four remaining vulnerable are Mozilla Sunbird, K-Meleon, the J programming language - and Mac OS X.
Apple were aware of the vulnerability well before the release of Mac OS X 10.6.0 Snow Leopard.
Brian Krebs corresponded with Dino Dai Zovi in the matter. The latter explained that it's unlikely to see the bug exploited in the wild.
This vulnerability is more complex than much simpler vulnerabilities in Mac OS X that did not result in widespread exploitation. There have yet to be any reports of malware exploiting a browser vulnerability in order to install itself in the wild. For that reason, I wouldn't suggest that Mac users need to take action to protect themselves against this issue at this time.
So it's cool. Now all that remains is to tell the maintainers of the BSDs that they can chill out and don't have to rush to fix security vulnerabilities anymore.
The Register: Apple sit on critical Mac bug for 7 months (and counting)
SecurityReason.com: Multiple Vendors libc/gdtoa printf(3) Array Overrun