Apple bug-fix tool is buggie

EXPERTS who are focusing on Apple's software have found a vulnerability in a tool used by a group involved in finding fixes for any flaws they find.

Researchers behind the "Month of Apple Bugs" project aim to find a flaw a day in Apple products throughout January.

They are rivalled by another group called the "Month of Apple Fixes" project which applies run-time patches.

Now, the bug group says it has found a bug in the tool being used by the fix-group to repair the bugs.

The application, called Application Enhancer (APE), is used by the fix-group to "enhance and redefine" the behaviour of software running on Apple platforms. It loads plug-ins containing executable code into active applications.

The flaw allows local users to gain root privileges in the system, allowing them to compromise machines. All they have to do is patch the APE binary or replace it. It can also be hacked remotely.

Landon Fuller, who is in charge of the fix project, wrote in his bog that the he has been relying on APE for his work.

But the fault was only a proof-of-concept flaw, and was superfluous to a remote hack, he added.

More here. µ