The Month of Apple Bugs (MOAB) project has released a security exploit for a program being used to temporarily patch MOAB flaws.
The bug targets Application Enhancer (APE), which allows users to modify programs on Mac OS X. Former Apple developer Landon Fuller has been using APE to apply temporary fixes for the MOAB flaws while users await permanent patches from Apple.
But APE is itself vulnerable, according to MOAB's researchers, though so far only to local attack. "APE is affected by different issues, one of them is a local privilege escalation vulnerability which allows local users to gain root privileges in the system," wrote two anonymous MOAB researchers, going by the handles LMH and Johnny Pwnerseed, in an advisory.
"The provided exploit will drop a backdoor on the system and possibly perform other hilarious operations," they wrote.
The issue was tested on APE 2.0.2 on the x86 version of Mac OS X 10.4.8, but is likely to affect other versions.
MOAB's researchers advised users to steer clear of APE. "It's flawed, and not just by this particular issue," they wrote.
On his blog, Fuller acknowledged that "a vendor-supplied update is always preferable to a third party patch", but defended his patches, saying third-party fixes "can provide protection against a critical vulnerability before the vendor is able to implement, test, and release a fix".
He noted that MOAB's APE exploit only works locally, and thus would need to be combined with a remote exploit to pose a significant danger. "A remote exploit alone is sufficient to allow an attacker full access to your important personal data," he wrote.
Following the APE bug, MOAB released two more serious bugs, both remotely exploitable flaws in the handling of DMG disk images.
One is a "memory corruption vulnerability, which leads to an exploitable denial of service condition and potential arbitrary code execution", and could be triggered by a DMG image containing a volume name longer than 255 bytes.
The second is an integer overflow bug in the "ffs_mountfs()" function when handling UFS filesystem and disc images, which can be exploited via a UFS DMG image.
Both could lead to execution of malicious code, and both could be exploited remotely, though only by relying on a default Safari setting, "Open 'safe' files after downloading", which automatically opens certain file types, disk images included, once they have been downloaded.
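The two DMG bugs above are instances of two familiar parser-hardening failures: a fixed-size buffer filled from an untrusted length field (the over-long volume name) and a size computed from untrusted on-disk fields without overflow checking (the ffs_mountfs() integer overflow). The following is an added illustration of those two checks, not MOAB's exploit and not Apple's mount code; the `img_header` layout, the field names and the sample images are constructed for this example and do not match the real HFS+ or UFS on-disk formats.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Hypothetical, simplified image header for illustration only; it is not the
 * HFS+ or UFS on-disk layout and not what ffs_mountfs() parses. Every field
 * comes from the (attacker-controlled) image and must be treated as untrusted. */
#define MAX_VOLNAME 255

struct img_header {
    uint32_t       name_len;     /* volume name length in bytes (untrusted) */
    const uint8_t *name;         /* points into the untrusted image */
    uint32_t       block_size;   /* bytes per block (untrusted) */
    uint32_t       block_count;  /* number of blocks (untrusted) */
};

struct volume {
    char   name[MAX_VOLNAME + 1];
    size_t data_bytes;
};

/* Bug class 1 and 2 together: the name copy is bounded only by the header's
 * own length field, so name_len > 255 writes past vol->name, and the 32-bit
 * product block_size * block_count silently wraps, so a tiny buffer can be
 * sized for a "huge" image. Never call this with name_len > MAX_VOLNAME. */
static int mount_unchecked(const struct img_header *h, struct volume *vol)
{
    memcpy(vol->name, h->name, h->name_len);           /* no bound check */
    vol->name[h->name_len] = '\0';
    uint32_t total = h->block_size * h->block_count;   /* may wrap to 0 */
    vol->data_bytes = total;
    return 0;
}

/* Hardened: validate every header-derived quantity before it is used. */
static int mount_checked(const struct img_header *h, struct volume *vol)
{
    if (h->name_len > MAX_VOLNAME)
        return -1;                                     /* over-long name */
    if (h->block_size == 0 || h->block_count == 0)
        return -1;                                     /* degenerate geometry */
    /* Widen before multiplying, then enforce the 32-bit contract explicitly. */
    uint64_t total = (uint64_t)h->block_size * (uint64_t)h->block_count;
    if (total > UINT32_MAX)
        return -1;                                     /* would have wrapped */
    memcpy(vol->name, h->name, h->name_len);
    vol->name[h->name_len] = '\0';
    vol->data_bytes = (size_t)total;
    return 0;
}

/* Constructed sample: a 300-byte volume name, as a crafted image might carry.
 * Only the checked parser is run; the unchecked one would overflow vol->name. */
int check_overlong_name(void)
{
    static uint8_t big[300];
    memset(big, 'A', sizeof big);
    struct img_header h = { .name_len = 300, .name = big,
                            .block_size = 4096, .block_count = 1 };
    struct volume v;
    return mount_checked(&h, &v);                      /* -1: rejected */
}

/* Constructed sample: geometry whose 32-bit product wraps to exactly 0.
 * Reports what the unchecked parser computed and what the checked one returns. */
int check_wrapping_geometry(size_t *unchecked_bytes)
{
    static const uint8_t nm[] = "evil";
    struct img_header h = { .name_len = 4, .name = nm,
                            .block_size = 65536, .block_count = 65536 };
    struct volume v;
    mount_unchecked(&h, &v);
    *unchecked_bytes = v.data_bytes;                   /* 0 after wrap */
    return mount_checked(&h, &v);                      /* -1: rejected */
}

/* Constructed sample: a sane image that the hardened parser must still accept. */
int check_sane_image(void)
{
    static const uint8_t nm[] = "Macintosh HD";
    struct img_header h = { .name_len = 12, .name = nm,
                            .block_size = 4096, .block_count = 1024 };
    struct volume v;
    if (mount_checked(&h, &v) != 0) return -1;
    if (strcmp(v.name, "Macintosh HD") != 0) return -1;
    if (v.data_bytes != (size_t)4096 * 1024) return -1;
    return 0;
}
```

The point of the checked version is that each rejection happens before the untrusted value touches memory: the name length is compared against the destination buffer, not against itself, and the byte count is computed in a wider type and bounded explicitly rather than trusted to fit.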
Users can protect themselves by switching this feature off, according to various researchers. Secunia said the bug is "highly critical".