An iChat bug has come out

Jan 31, 2007 11:57 GMT

Do you remember MOAB? No, I am not talking about the largest conventional bomb in use at this time on Earth, known as the "Mother Of All Bombs", but about the project started by Kevin Finisterre and the hacker known simply as "LMH" that aims to disclose an Apple-related bug each day. Apart from issues found in Mac OS X and various applications coming from Apple, this project has also discovered bugs in popular programs that run on the Mac, such as VLC.

The bug found on the 29th of January, the latest published on the MOAB website, concerns iChat and Bonjour. In case you didn't know, iChat is an instant messaging client for Mac OS X developed by Apple that supports AIM, ICQ, .Mac, GTalk and Jabber networks and uses Bonjour for user discovery. As described by Apple, "Bonjour, also known as zero-configuration networking, enables automatic discovery of computers, devices, and services on IP networks. Bonjour uses industry standard IP protocols to allow devices to automatically discover each other without the need to enter IP addresses or configure DNS servers." OK, that being said, let's move on and talk about the bug!

The vulnerabilities discovered by the two researchers can lead to a DoS (denial of service) attack using Apple's Bonjour "zero configuration" networking technology. If a malicious program repeatedly advertises a user's presence using Bonjour, iChat will keep adding that user to the contacts list, blocking the user from finding other people on the network and making communication unstable. Even worse, it seems that it's possible to create an application that uses iChat's weaknesses to cause the iChat Agent to crash!

According to Secunia's security experts, the risk involved in these vulnerabilities is not critical, but until Apple issues a new security update, it seems that the only workaround is to stop using iChat with Bonjour on any network that can't be fully trusted. And since today no network seems to be fully trusted... you draw the conclusion!