Month of Apple Bugs web page attempts to hack Mac users?

“Alan Oppenheimer of Open Door Networks (which provides Mac security tools and information) alerted us to an apparent denial-of-service hack embedded in the latest Month of Apple Bugs web page,” MacInTouch reports.

For most of today, we’ve been looking into a situation discovered here where the Month of Apple Bugs project may actually be attempting to hack Mac users who pull up the most recent bug in their browsers. It’s still unclear exactly which browsers on which versions of Mac OS X are affected, but we’re sure enough something’s going on that we thought we should let people know.

MacInTouch reports what is known right now:

• The page for bug #29 contains the following HTML:

<img src="bug-files/heat-up.jp2" alt="" height="1" width="1" />
<!-- Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper -->

• The referenced .jp2 (JPEG 2000) file hangs up at least one copy of Safari running on Mac OS 10.4.8 (with all security updates installed) and requires a force quit. It’s unknown if anything else bad is done. It does not hang at least one other copy of Safari (on a Leopard build) and various copies of Firefox. The jp2 file, at first glance, looks normal (although we’ve no JPEG expertise here), but is 344KB big.

• There was a JPEG 2000 OSX vulnerability previously, but in theory it was fixed in 10.4.8. This is almost certainly a different bug.

• There’s an ongoing discussion of this issue in the MoAB Fixes Group, confirming some things.

• Apple has been alerted, and others are looking into the issue as well.
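As an added defender-side example (not code from MacInTouch or the MoAB project), the Python below does the two checks a site owner or incident responder would want after reading the above: it scans HTML for 1x1 images that load JPEG 2000 files, like the tag quoted above, and it walks a .jp2 file's top-level box structure to flag length anomalies of the kind a decoder can choke on. The sample files and HTML are constructed here; the page does not describe the contents of the real heat-up.jp2, so nothing below reproduces it.

```python
import re
import struct

# The 12-byte signature box every JPEG 2000 (.jp2) file must start with.
JP2_SIGNATURE = b"\x00\x00\x00\x0cjP  \r\n\x87\n"
IMG_TAG = re.compile(r"<img\b[^>]*>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*["']([^"']*)["']""")

def hidden_jp2_images(html):
    """Return src values of 1x1 (or 0x0) <img> tags that load JPEG 2000 files."""
    hits = []
    for tag in IMG_TAG.findall(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(tag)}
        tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
        if tiny and re.search(r"\.(jp2|j2k|jpx|jpf)$", attrs.get("src", ""), re.I):
            hits.append(attrs["src"])
    return hits

def walk_jp2_boxes(data):
    """Walk the top-level JP2 box layer; return (findings, [(type, offset, length)]).
    Findings are structural anomalies a decoder may mishandle."""
    findings, boxes, pos, n = [], [], 0, len(data)
    if not data.startswith(JP2_SIGNATURE):
        findings.append("missing or malformed JP2 signature box")
    while pos + 8 <= n:
        (lbox, tbox), header = struct.unpack(">I4s", data[pos:pos + 8]), 8
        if lbox == 1:  # XLBox: a 64-bit length follows the 8-byte header
            if pos + 16 > n:
                return findings + [f"truncated XLBox header at offset {pos}"], boxes
            lbox, header = struct.unpack(">Q", data[pos + 8:pos + 16])[0], 16
        elif lbox == 0:  # length 0 means the box runs to end of file
            lbox = n - pos
        name = tbox.decode("latin-1")
        if lbox < header or pos + lbox > n:  # impossible or oversized length
            return findings + [f"box {name!r} at {pos} claims {lbox} bytes, {n - pos} remain"], boxes
        boxes.append((name, pos, lbox))
        pos += lbox
    if pos != n:
        findings.append(f"{n - pos} trailing bytes after last box")
    if "jp2c" not in [b[0] for b in boxes]:
        findings.append("no contiguous codestream (jp2c) box")
    return findings, boxes

# Constructed samples: a sound minimal file, one whose codestream box claims more
# bytes than exist, and the 1x1 image tag quoted on this page.
box = lambda tbox, payload: struct.pack(">I4s", 8 + len(payload), tbox) + payload
GOOD_JP2 = (JP2_SIGNATURE + box(b"ftyp", b"jp2 \x00\x00\x00\x00jp2 ")
            + box(b"jp2h", box(b"ihdr", b"\x00" * 14)) + box(b"jp2c", b"\xff\x4f\xff\x51"))
BAD_JP2 = JP2_SIGNATURE + struct.pack(">I4s", 0x7FFFFFFF, b"jp2c") + b"\x00" * 16
SAMPLE_HTML = '<img src="bug-files/heat-up.jp2" alt="" height="1" width="1" />'
```

A clean box walk does not prove a file is safe (the codestream inside jp2c is not parsed here), but a file that fails it is worth quarantining before any desktop decoder touches it.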

Full article here.

37 Comments

  1. Productive, aren’t they?

    Perhaps not as bad as the guys just arrested for planning to kidnap, torture and behead a British soldier in the UK… but I’d still squeeze their tiny testicles to pulp. Not that I’m violent or anything.

  2. I’ll bet this isn’t even the Bug o’ the Month Club people…! You’d have to think they would realize that “we” the Mac community would be able to find that code pretty easy, and I doubt that they would use such vulgar language, if they are truly trying to be taken seriously. I’d be willing to bet that this jpg thingie was hacked onto their page…! Wonder what computer their website is run on? ; )

  3. In case it wasn’t apparent before, the MoAB guy LMH (little mac hater) is a dick.

    I am running Safari on 10.3.9 and it did basically tie up the browser. However the page worked in Opera.

    <sarcasm>I would like to stick a lit cigarette in his eye if I were to ever meet him.</sarcasm>

  4. When was the last time you heard anything about the “Month of Mac Bugs”? Three weeks ago?

    The poor slobs expected the Internet to explode in terror as their slew of shocking exploitations chilled Mac users everywhere to their core, unplugging their ethernet cables to protect themselves from the coming storm. Instead, people looked at their first few bugs, said “Is that the best you can come up with?”, shook their head and laughed, and went on with their lives.

    I imagine the MoAB guys are in a pretty bad mood right about now. I’m not surprised that they’d try a bitter stunt like this. “Ignore US, will you? We’ll show you! We’ll show you all!”

    Of course, since most Macs users don’t care about their pissy little crusade, and aren’t visiting the site, very few will be impacted by this.

  5. No but really – Is it perfectly alright for anyone to publicly announce that they’re going to be “looking for holes” in someone else’s product? Basically advertising that they will be creating bad things meant to explore the proverbial vulnerabilities of a software product? If something they create gets out, whether it’s really bad or just sort of a nuisance, is there absolutely no culpability? Ooops, that’s it? You gotta be kiddin’ me.
