I wasn’t going to write about this because it has such a notoriously self-serving marketing slant (e.g. “we’re just trying to improve OS X by publishing early warning to you about its flaws”) but I just can’t get around the fact that people are still under the impression that life will be safer if they choose X (pun intended) operating system. So, here it is in all it’s glory, the Month of Apple Bugs (MOAB) with four bugs so far (one-a-day):

1. A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution.
2. A vulnerability in the handling of the udp:// URL handler allows remote arbitrary code execution.
3. A vulnerability in the handling of the HREFTrack field allows to perform cross-zone scripting, leading to potential remote arbitrary code execution.
4. A format string vulnerability in the handling of iPhoto XML feeds title field allows potential remote arbitrary code execution.

And just for further perspective, there are some excellent resources by people who notify their user communities about proper patching and maintenance of Apple systems (no scary exploit warning tactics needed). For example, James Madison University has a nice page open to the public. Don’t get me wrong, I’m all for disclosure, but I’m also curious about the fine line between public communication with manufacturers and the risk of narcissism.

Another nasty to follow-up on yesterday’s QuickTime post, GnuCitizen reports that PDFs prior to version 8.0 appear to have a serious XSS flaw, and it only seems to impact Acrobat on certain platforms:

PDF documents can execute JavaScript code for no apparent reason by using the following template.

http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here

You must understand that the attacker doesn’t need to have write access to the specified PDF document. In order to get an XSS vector working you need to have a PDF file hosted on the target and that’s all about it. The rest is just a matter of your abilities and desires.

This finding was originally mentioned by Sven Vetsch, on his blog. The attack vector was discovered by Stefano Di Paola and Giorgio Fedon. This is a very good and quite interesting finding. Good work.

Time to upgrade? Unfortunately the attack is client-side (e.g. uses anchor points, as specified after the # and in page seven of the HighlightFileFormat PDF developer spec). I have to say I’ve been far more wary of PDFs since I noticed Acrobat (writer) code taking up more space than Microsoft Office.

The functionality bundled in by product managers is often overwhelming when most of us really (really!) just want a simple pre-formatted viewer…it’s like being given a top-end massage recliner with built-in multimedia, a cooler, drink holders and remote controllers when all you asked for was a place to sit down.

The original paper by Stefano Di Paola and Giorgio Fedon, released December 2006, can be found here. And, of course, it’s a PDF.

EDITED TO ADD (5 Jan 2007): Local system implication is discussed here, and some comments point to a firefox fix.