Zero-Day Mac OS X Exploit Disclosed
A researcher has posted proof-of-concept code for a zero-day flaw within Mac OS X dealing with its handling of disk image (.dmg) files. The issue causes a memory corruption vulnerability that could allow attackers to execute arbitrary code.
The disclosure of the bug comes as part of a larger effort by an anonymous security researcher that posts to his blog using the initials "LMH." He plans to release one kernel bug every day during the month of November.
Security firm Secunia rates the vulnerability as "highly critical," its second highest rating. Currently there is no known patch for the issue, although Apple has traditionally been very quick to address serious issues in its software.
So far, however, the Cupertino company has remained mum on the disclosure.
"This issue is remotely exploitable as Safari loads DMG files from external sources (ex. visiting an URL)," LMH wrote in a detailed description of the issue. "This can be prevented by changing the Preferences and deactivating the functionality for 'opening "safe" files after downloading'."
As a workaround, Secunia recommends Mac OS users deactivate the "open safe files after downloading" option in Safari users and grant only trusted users access to vulnerable systems.
Traditionally, Mac OS has been considered one of the safest operating systems available. However, the increased popularity is leading malware writers to increasingly looking for vulnerabilities within the platform.