Apple has offered fixes for five critical vulnerabilities unveiled during January's Month of Apple Bugs (MoAB) project. Thursday’s security update, Apple’s second of the year, affects Macintosh OS X versions 13.9 and 14.8.
The patches seal a hole in Finder, which can be exploited to cause an application crash or run arbitrary code if a user is duped into mounting a maliciously crafted disk image. Finder is an application that controls Mac desktop processes.
The update also corrects two null-pointer errors in the instant messenger client, iChat, which could be exploited to cause an application crash.
Another iChat fix resolves a format string vulnerability that could lead to arbitrary code execution if a user clicks on a maliciously crafted URL.
The final patch seals up a privilege-escalation condition in which the UserNotificationCenter can be exploited to allow a local user to overwrite or change system files.
All of the bugs had proof-of-concept code published in LMH’s and Kevin Finisterre’s MoAB project. The undertaking’s purpose was to raise awareness about holes in Mac OS X, LMH has said.