Month of Apple Bugs web page attempts to hack Mac users?

“Alan Oppenheimer of Open Door Networks (which provides Mac security tools and information) alerted us to an apparent denial-of-service hack embedded in the latest Month of Apple Bugs web page,” MacInTouch reports.

For most of today, we’ve been looking into a situation discovered here where the Month of Apple Bugs project may actually be attempting to hack Mac users who pull up the most recent bug in their browsers. It’s still unclear exactly what browsers in what versions of Mac OS X, but we’re sure enough something’s going on that we thought we should let people know.

MacInTouch reports what is known right now:

• The page for bug #29 contains the following HTML:

<img src="bug-files/heat-up.jp2" alt="" height="1" width="1" />
<!-- Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper -->

• The referenced .jp2 (JPEG 2000) file hangs up at least one copy of Safari running on Mac OS 10.4.8 (with all security updates installed) and requires a force quit. It’s unknown if anything else bad is done. It does not hang at least one other copy of Safari (on a Leopard build) and various copies of Firefox. The jp2 file, at first glance, looks normal (although we’ve no JPEG expertise here), but is 344KB big.

• There was a JPEG 2000 OSX vulnerability previously, but in theory it was fixed in 10.4.8. This is almost certainly a different bug.

• There’s an ongoing discussion of this issue in the MoAB Fixes Group, confirming some things.

• Apple has been alerted, and others are looking into the issue as well.
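The tag quoted above is a hidden-image delivery: a 1x1 image nobody sees, fetched in a format almost no web page uses. As an added example (not code from MacInTouch or the MoAB site), this Python scanner flags `<img>` tags that are both invisible and point at an uncommon image format; the allow-list of common extensions and the sample HTML are my assumptions.

```python
"""Flag hidden <img> tags that pull uncommon image formats, as on the MoAB bug #29 page."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumed allow-list: formats a typical web page is expected to embed.
COMMON_IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg", ".webp", ".ico"}
HIDDEN_MAX_DIMENSION = 1  # a 1x1 image is invisible to the reader


def _dimension(value):
    """Parse a width/height attribute; an unknown size counts as visible."""
    try:
        return int(str(value).strip().rstrip("px"))
    except (TypeError, ValueError):
        return float("inf")


class HiddenImageFinder(HTMLParser):
    """Collect <img> tags that are both invisible and of an uncommon format."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        attributes = dict(attrs)
        src = attributes.get("src", "")
        extension = posixpath.splitext(urlparse(src).path)[1].lower()
        hidden = (_dimension(attributes.get("width")) <= HIDDEN_MAX_DIMENSION
                  and _dimension(attributes.get("height")) <= HIDDEN_MAX_DIMENSION)
        uncommon = bool(extension) and extension not in COMMON_IMAGE_EXTENSIONS
        # A 1x1 GIF is an ordinary tracking pixel; only hidden AND uncommon is flagged.
        if hidden and uncommon:
            self.findings.append((src, ["hidden (1x1 or smaller)", f"uncommon image format {extension}"]))


def find_suspicious_images(html):
    """Return (src, reasons) for every hidden image in an uncommon format."""
    parser = HiddenImageFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: the tag quoted from bug #29 next to two benign images.
SAMPLE_HTML = """
<p>Bug #29</p>
<img src="bug-files/heat-up.jp2" alt="" height="1" width="1" />
<img src="images/logo.png" width="200" height="60" alt="logo" />
<img src="https://tracker.example/pixel.gif" width="1" height="1" alt="" />
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_images(SAMPLE_HTML):
        print(src, "->", "; ".join(reasons))
```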

Full article here.

37 Comments

  1. Productive, aren’t they?

    Perhaps not as bad the guys just arrested for planning to kidnap, torture and behead a British soldier in the UK… but I’d still squeeze their tiny testicles to pulp. Not that I’m violent or anything.

  2. I’ll bet this isn’t even the Bug o’ the Month Club people…! You’d have to think they would realize that “we” the Mac community would be able to find that code pretty easy, and I doubt that they would use such vulgar language, if they are truly trying to be taken seriously. I’d be willing to bet that this jpg thingie was hacked onto their page…! Wonder what computer their website is run on? ; )

  3. Get a grip guys. This is actually a good thing. It spots a vulnerability in the OS.

    This may expose other similar weaknesses as well.

    Apple will fix it and that will be one less bug that anyone can exploit.

  4. In case it wasn’t apparent before, the MoAB guy LMH (little mac hater) is a dick.

    I am running Safari on 10.3.9 and it did basically tie up the browser. However the page worked in Opera.

    <sarcasm>I would like to stick a lit cigarette in his eye if I were to ever meet him.</sarcasm>

  5. Got Virus? “It’s only a matter of time until the first one appears.”

    Perhaps, but so far it’s been almost 6 blissful years without a virus to worry about. Or any other malware for that matter. I think I can live with that.
