Some Apple MOAB Fixes, iChat Being Particularly Relevant

I forgot about this because I usually just patch and forget, but a couple of days ago Apple released Security Update 2007-002. It has only 4 fixes (as opposed to their normal queuing of quite a few): 1 for Finder, 2 for iChat, and 1 for UserNotification. Only the second iChat one is directly relevant. It fixes MOAB #20 (CVE-2007-0021), a format string vulnerability in the way iChat handles aim:// URIs. However, there were some conditions (i.e. lacking the all-important ability to use %n) which meant the authors weren't able to post an exploit. The Apple security update basically gives them the benefit of the doubt, saying that if you click on a malicious aim URI, or go to a website which forces you to load one, then you could be exploited.

One thing I found particularly funny about this is that I have Adium, my favorite multi-protocol IM client for OS X, installed, and I found that when I click aim:// URIs, they open in Adium. That's not to say that you couldn't just go find a flaw in Adium instead; it's just that I hadn't realized that it had taken over as the handler for that URI scheme.

If you step back for a second you will realize that the web browser is actually the launching platform for vulnerabilities in any application which is registered as a URI handler. An example from Mac OS X which immediately jumps to mind is a flaw in the OS X help application, which could be launched by visiting a help:// URI (heh. CVE-2005-1337 ;)).
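To see which installed applications a browser can launch this way, you can inventory the URL schemes each app bundle declares in its Info.plist (the CFBundleURLTypes / CFBundleURLSchemes keys). The script below is an added example, not code from the original post; the app names in SAMPLE are constructed, and the /Applications scan in the main block assumes a standard macOS layout.

```python
import glob
import plistlib
from collections import defaultdict

def url_schemes(info_plist: bytes) -> list:
    """Lowercased URL schemes an app declares under CFBundleURLTypes."""
    info = plistlib.loads(info_plist)
    return sorted({scheme.lower()
                   for url_type in info.get("CFBundleURLTypes", [])
                   for scheme in url_type.get("CFBundleURLSchemes", [])})

def handlers_by_scheme(plists: dict) -> dict:
    """Map each scheme to the sorted list of apps that claim it."""
    claimed = defaultdict(list)
    for app, raw in plists.items():
        for scheme in url_schemes(raw):
            claimed[scheme].append(app)
    return {scheme: sorted(apps) for scheme, apps in claimed.items()}

def contested(plists: dict) -> dict:
    """Schemes claimed by more than one app (the handler may not be the one you expect)."""
    return {s: apps for s, apps in handlers_by_scheme(plists).items() if len(apps) > 1}

# Constructed sample data: two hypothetical IM clients and a hypothetical help viewer.
SAMPLE = {
    "ChatClientA.app": plistlib.dumps(
        {"CFBundleURLTypes": [{"CFBundleURLSchemes": ["aim", "AIM"]}]}),
    "ChatClientB.app": plistlib.dumps(
        {"CFBundleURLTypes": [{"CFBundleURLSchemes": ["aim", "xmpp"]}]}),
    "HelpViewerX.app": plistlib.dumps(
        {"CFBundleURLTypes": [{"CFBundleURLSchemes": ["help"]}]}),
}

if __name__ == "__main__":
    found = {}
    for path in glob.glob("/Applications/*.app/Contents/Info.plist"):
        try:
            with open(path, "rb") as fh:
                raw = fh.read()
            url_schemes(raw)  # skip plists that do not parse
        except Exception:
            continue
        found[path.split("/")[2]] = raw
    # Fall back to the constructed sample when no app bundles are present.
    for scheme, apps in sorted(handlers_by_scheme(found or SAMPLE).items()):
        print(f"{scheme}://  ->  {', '.join(apps)}")
```

Every scheme in the output is parser code in some application that a web page can feed input to, so each one belongs on the patching list alongside the browser itself.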