Flaw found in Apple bug-fix tool

Vulnerability researchers behind the "Month of Apple Bugs" project, which aims to publish one flaw per day throughout January in software used on Apple platforms, announced on Monday that they have found a vulnerability in a tool that is used by a group involved in finding fixes for the flaws.

The application, called Application Enhancer (APE), is used by the "Month of Apple Fixes" project to apply run-time patches.

APE is a third-party piece of software, written by Unsanity, designed to "enhance and redefine" the behavior of applications running on Apple platforms. APE loads plug-ins containing executable code into active applications. Month of Apple Fixes uses the software to apply run-time patches to the flaws found by the Month of Apple Bugs project. The patches insert themselves into applications when they run, find the vulnerable code and apply themselves.

On Monday, the Month of Apple Bugs project published a flaw in APE. The flaw allows local users to gain root privileges in the system, allowing them to compromise machines. This can be achieved by either patching the APE binary or replacing it. According to Month of Apple Bugs, this binary is executed with root privileges. The file is writable, as are others in the same disk location (/Library/Frameworks), allowing this vulnerability to be abused for privilege escalation.

A remote hack is also possible, according to Landon Fuller, the open-source developer leading the Month of Apple Fixes project who has been relying on APE for his work. The APE vulnerability could be combined with a remote exploit to gain root privileges from an administrator account without user interaction, Fuller said in his blog. There are also a number of alternative exploit conditions that could occur due to the admin-writability of other directories.

In its advisory about the vulnerability, Month of Apple Bugs said that people should not use Application Enhancer.

Application Enhancer is "flawed, and not just by this particular issue," it said.

However, Fuller responded by emphasizing that it was only a proof-of-concept flaw, and arguing that it was superfluous to a remote hack. Any APE exploit must be combined with another remote exploit to be effective, and a computer could be compromised by the use of a remote exploit alone.

"The vulnerability is real--it is possible for a local administrator account on the computer to gain root access, without any user confirmation, by replacing pieces of Application Enhancer's installation," said Fuller in his blog. "While this cannot be exploited remotely, it could be used in combination with a remote exploit to acquire escalated privileges. However, a remote exploit alone is sufficient to allow an attacker full access to your important personal data."

Fuller added that a vendor-supplied update is always preferable to a third-party patch. He has devised a short workaround to address the problem, but at the time of writing had not issued or identified a patch.