Proof of concept circulated for Mac OS X vulnerability
While we were away, another Mac security scare blew up.
In a nutshell, someone apparently got fed up with waiting for Apple to distribute a fix for a vulnerability they reported to the company eight months ago, and publicly released a proof of concept exploit.
While the PoC only causes a crash via a memory access error, such buffer overflows can sometimes be exploited to run arbitrary code. Most people's accounts have administrator rights, so there's potential for serious intrusions.
While I haven't heard of any real exploits for this vulnerability, the irritating thing is that this seems to be another example of Apple dragging its feet when it comes to distributing fixes that have been applied to open source software that's used in Mac OS X.
This particular vulnerability is in a routine that converts double-precision values to ASCII strings, but it's already been fixed in other operating systems and applications that use the same code.
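The post doesn't show the affected routine, so as an added illustration (my own code, not Apple's or the upstream library's) here is the general hazard class: formatting a double as decimal text into a fixed-size buffer without checking whether the text fits. `DBL_MAX` printed with `%f` runs to more than 300 characters, so any fixed buffer sized for "ordinary" numbers is too small. The helper names (`double_to_ascii`, `double_ascii_length`, `double_to_ascii_alloc`, `format_into_fixed`, `alloc_roundtrip_ok`) are mine; the point is that every conversion either checks `snprintf`'s return value or sizes the buffer from it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <float.h>

/* Hypothetical helper (not from the page): convert a double to "%f" text
 * in a caller-supplied buffer. Returns 1 on success; returns 0 and leaves
 * an empty string if the text would not fit, instead of writing past the
 * end of the buffer. */
int double_to_ascii(double value, char *buf, size_t buflen) {
    if (buf == NULL || buflen == 0) return 0;
    int needed = snprintf(buf, buflen, "%f", value);
    if (needed < 0 || (size_t)needed >= buflen) {
        /* snprintf reports the full length it wanted; anything >= buflen
         * means the output was truncated, so treat that as a failure. */
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

/* Number of bytes "%f" needs for this value, excluding the NUL. */
size_t double_ascii_length(double value) {
    int n = snprintf(NULL, 0, "%f", value);
    return n < 0 ? 0 : (size_t)n;
}

/* Size the buffer from the measured length so nothing can overflow.
 * Caller frees the result; NULL on failure. */
char *double_to_ascii_alloc(double value) {
    size_t n = double_ascii_length(value);
    if (n == 0) return NULL;
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    if (!double_to_ascii(value, out, n + 1)) {
        free(out);
        return NULL;
    }
    return out;
}

/* Simulate a fixed buffer of 'limit' bytes (capped at 512) and report
 * whether the conversion was accepted. Used to show the small-buffer case. */
int format_into_fixed(double value, size_t limit) {
    char scratch[512];
    if (limit > sizeof scratch) limit = sizeof scratch;
    return double_to_ascii(value, scratch, limit);
}

/* Check that the exactly-sized allocation holds the whole string. */
int alloc_roundtrip_ok(double value) {
    char *s = double_to_ascii_alloc(value);
    if (s == NULL) return 0;
    int ok = strlen(s) == double_ascii_length(value);
    free(s);
    return ok;
}

int main(void) {
    char small[32];
    printf("DBL_MAX needs %zu bytes as %%f text\n", double_ascii_length(DBL_MAX));
    printf("into 32-byte buffer: %s\n",
           double_to_ascii(DBL_MAX, small, sizeof small) ? "fits" : "rejected");
    char *big = double_to_ascii_alloc(DBL_MAX);
    if (big) {
        printf("exact-size buffer holds %zu characters\n", strlen(big));
        free(big);
    }
    return 0;
}
```

The 32-byte conversion is rejected rather than overflowing; the exact-size path succeeds for the same value. A crash of the kind the proof of concept triggers is what you get when code in this position skips the length check.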
The problem with such situations is that the vulnerability is exposed for any malicious coders to investigate. I'd feel more secure if I knew that the vulnerability had actually been fixed rather than having to assume that Apple's experts have looked closely at the problem and determined that it cannot be exploited (for whatever reason) under Mac OS X.
One of Australia's most experienced IT writers, Stephen Withers has been using and writing about Macs since 1984. His journalistic resume includes stints as editor of Australian MacUser and as Macintosh section editor of PC Week. He has also managed a PC and Mac support operation at one of the country's leading universities, and is active in the Mac user group community.