Apple Researchers Post Quicktime, iPhoto Bugs

Month Of Apple Bugs (MOAB) project

Thursday's bug report affects the iPhoto application in Apple's iLife digital content management suite. To exploit this flaw, a miscreant could create a rigged iPhoto photocast XML feed that exploits the handling of the "title" element, which could open the door for malicious code execution, said the MOAB researchers, who also posted a proof of concept exploit.

The Quicktime bug that spread through MySpace last month used a vulnerability that allowed hackers to launch cross-site scripting attacks, and the same flaw can also be used for so-called cross-zone scripting attacks, the MOAB researchers said Wednesday.

Cross-zone scripting is a browser exploit technique that can allow code in unprivileged zones to be executed with the permissions of a privileged zone. From there, attackers could launch malicious code on the PC using insecure ActiveX components and also view file system contents, according to the MOAB researchers, who also posted an exploit.

Landon Fuller, a former Apple engineer who has pledged to post his own unofficial fixes for each MOAB bug, said the flaw could allow an embedded Quicktime movie located on a Web server to execute Javascript in the context of the enclosing page. The latest version of Apple's Safari browser, 10.4.8 , isn't affected by the flaw, he noted.

Fuller and other security researchers have set up a Google group entitled MOAB Fixes to share information and post future MOAB patches.