New Mac OS X flaw exposed
A Mac OS X flaw was exposed as part of the Month of Kernel Bugs. Also, a new Web site vows to follow the lead of researchers LMH and H.D. Moore with a week of Oracle zero-days.
The French Security Incident Response Team (FrSIRT) said in an advisory that the problem is a memory corruption error in the "com.apple.AppleDiskImageController" function that appears when corrupted DMG image structures are handled. Attackers could exploit this to cause a denial of service or execute arbitrary commands by convincing a user to visit a malicious Web page using the Safari Web browser, FrSIRT added.
No patch is available, but users can mitigate the threat by deactivating the option "opening safe files after downloading" in the preferences folder and granting only trusted users access to affected systems.
Meanwhile, another researcher plans to take a page from the playbooks of researchers LMH and H.D. Moore.
Argeniss Information Security CEO Cesar Cerrudo announced on his Web site that he's setting aside one week next month for what he calls the Week of Oracle Database Bugs. He said the goal is to shine a flashlight on the database giant's failure to properly secure its products.
He acknowledged that the idea is based on LMH's Month of Kernel Bugs this month and Metasploit Framework creator H.D. Moore's Month of Browser Bugs project, in which details of new browser flaws were released each day during the month of July.
"An Oracle database zero-day will be released every day for a week in December," he said. "We want to show the current state of Oracle software insecurity [and] we want to demonstrate Oracle isn't getting any better at securing its products."
In an interview with SearchSecurity.com in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that its patching process can be difficult to follow. Last month, Oracle released a revamped version of its security bulletin.
The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers of flaws not being fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.
Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.
