“Alan Oppenheimer of Open Door Networks (which provides Mac security tools and information) alerted us to an apparent denial-of-service hack embedded in the latest Month of Apple Bugs web page,” MacInTouch reports.
For most of today, we’ve been looking into a situation discovered here where the Month of Apple Bugs project may actually be attempting to hack Mac users who pull up the most recent bug in their browsers. It’s still unclear exactly what browsers in what versions of Mac OS X, but we’re sure enough something’s going on that we thought we should let people know.
MacInTouch reports what is known right now:
• The page for bug #29 contains the following HTML:
<img src="bug-files/heat-up.jp2" alt="" height="1" width="1" />
<!-- Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper -->
• The referenced .jp2 (JPEG 2000) file hangs up at least one copy of Safari running on Mac OS 10.4.8 (with all security updates installed) and requires a force quit. It’s unknown if anything else bad is done. It does not hang at least one other copy of Safari (on a Leopard build) and various copies of Firefox. The jp2 file, at first glance, looks normal (although we’ve no JPEG expertise here), but is 344KB big.
• There was a JPEG 2000 OSX vulnerability previously, but in theory it was fixed in 10.4.8. This is almost certainly a different bug.
• There’s an ongoing discussion of this issue in the MoAB Fixes Group, confirming some things.
• Apple has been alerted, and others are looking into the issue as well.