Month of Apple Fixes
Posted by kdawson on Tue Jan 02, 2007 04:33 PM
from the mister-fixit dept.
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
Related Stories
Month of Apple Bugs - First Bug Unveiled 240 comments
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
IT: Hackers Disagree On How, When To Disclose Bugs 158 comments
darkreadingman writes to mention a post to the Dark Reading site on the debate over bug disclosure. The Month of Apple Bugs (and recent similar efforts) is drawing a lot of frustration from security researchers. Though the idea is to get these issues out into the open, commentators seem to feel that in the long run these projects are doing more bad than good. From the article: "'I've never found it to be a good thing to release bugs or exploits without giving a vendor a chance to patch it and do the right thing,' says Marc Maiffret, CTO of eEye Security Research, a former script kiddie who co-founded the security firm. 'There are rare exceptions where if a vendor is completely lacking any care for doing the right thing that you might need to release a bug without a patch -- to make the vendor pay attention and do something.'"
Flaw Found in Apple Bug-Fix Tool 168 comments
eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."
Response from Kevin Finisterre, second bug (Score:5, Interesting)
(http://das.doit.wisc.edu/)
Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player [info-pull.com] that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...
In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.
(Disclaimer: I am the story submitter.)
Re:Response from Kevin Finisterre, second bug (Score:5, Funny)
Re:Response from Kevin Finisterre, second bug (Score:5, Informative)
Re:Response from Kevin Finisterre, second bug (Score:5, Funny)
(Last Journal: Thursday November 08, @06:00PM)
It's not even shipped by default! (Score:5, Insightful)
(Last Journal: Friday April 27 2007, @02:20PM)
[simon:~] simon% vlc
tcsh: vlc: Command not found.
[simon:~] simon% perl VLCMediaSlayer-x86.pl
jump address is: 0x41424344
writing to file: pwnage.m3u
[simon:~] simon% open pwnage.m3u
[simon:~] simon% (opens iTunes)
The application for this second bug is not even shipped on Macs by default! Meaning that this completely 3rd-party software, if installed onto a Mac, can cause problems with the Mac. And this is Apple's problem how, exactly?
Simon
Sorry, but that's bogus (Score:5, Insightful)
(Last Journal: Friday April 27 2007, @02:20PM)
If Apple don't supply a piece of software, it is *not* their fault that there can be subsequent problems using that piece of software, it's the program-author's fault. Obviously vlc isn't completely necessary (otherwise I would have it installed, I install a fair amount of linux-related s/w). I do have windows-media player and realmedia player installed...
To say that just because Apple don't supply a particular feature (viewing movies that require codec XXX), it's Apple's problem when you install 3rd-party software that does is just
By the same logic, it's Apple's fault that:
- I can't run my FPGA-mapping software on my Mac Pro, because Xilinx don't support the Mac. Apple ought to do something.
- I can't run any game I want on the Mac. Curse those game-producing companies, oh no, wait, it's Apple's fault.
- My Mac doesn't make toast! How simple is making toast? Apple ought to pull their finger out!
- ad nauseam.
Install 3rd-party software, have problems with that software, blame the software author. Don't blame the machine manufacturer / operating-system provider.
Moan like buggery (*) (hmm, unfortunate turn of phrase
Simon
(*) "Moan like buggery" isn't really rude where I come from, oddly enough...
Second bug fix already in progress... (Score:5, Informative)
(http://das.doit.wisc.edu/)
Thanks. (Score:2, Insightful)
(http://slashdot.org/)
Stay tuned.... (Score:1, Funny)
Nothing to see here. Move along. (Score:4, Funny)
(http://trollchat.org/)
Stop the presses (Score:2, Funny)
(http://www.bobselectronics.com/)
To prevent confusion I propose it should be Apple Month of the Bugs. AMOB
Actually... (Score:4, Funny)
(http://www.aardwolf.org/)
AMOB Anna Maria Oyster Bar (Bradenton, FL)
AMOB Automatic Meteorological Oceanographic Buoy
You should try an acronym that is totally original, like:
Exploits & bugS from aPple moNth
Re:Stop the presses (Score:5, Funny)
privsep? (Score:3, Interesting)
(http://rhadmin.org/)
I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?
Is this feature in the works? I certainly hope so.
Unabomber. (Score:3, Informative)
(http://slashdot.org/)
Has anyone verified bug is exploitable yet? (Score:5, Interesting)
MOAB (Score:1)
(Last Journal: Wednesday January 17 2007, @09:51PM)
MOABs (Score:2)
Microsoft Often Anticipates Bugs, but they have a "fix it after it shows itself" policy. Maybe Our Apple Boys will take security more seriously now.
May Omnipotent Allah Bless their efforts.
Teh weak MOAB... (Score:2)
No wonder this guy's hiding.
THIS is an Apple bug? (Score:2)
Well, if that qualifies maybe they should start looking into MS Office for Apple bugs......
You can tell MOAB doesn't have an ax to grind (Score:2)
Month of Apple Fixes ... (Score:2)
(http://purl.org/hritcu/homepage)
good to see (Score:2)
(http://www.telegraphics.com.au/ | Last Journal: Tuesday November 06, @03:35PM)
well never mind... (Score:2)
(http://macwereld.nl/)
Re:rushed fixes, and untested at that (Score:2, Insightful)
(Last Journal: Monday July 17 2006, @03:45PM)
Re:rushed fixes, and untested at that (Score:5, Informative)
(http://das.doit.wisc.edu/)
How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE) [unsanity.com]. APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.
Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.
Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here [securityfocus.com].
Re:rushed fixes, and untested at that (Score:4, Informative)
(http://das.doit.wisc.edu/)
APE isn't going to be necessary for ANY fixes from Apple. Apple will release their fixes in due course, and they'll be like all their previous fixes have been: normal updates to the OS that come down via Software Update, etc.
But since we can't directly fix Apple's code, this is a little technical exercise that fixes them with runtime patches. One very easy way to do runtime patches and code injection such as this is to use APE.
Also, APE is *very* easy to uninstall. It has its own uninstaller right in the installer, which will, categorically and definitely, uninstall every single last thing that has anything to do with APE.
Also, there is nothing wrong with APE, and here is a very detailed explanation of exactly what APE is and what it does [unsanity.org].
All this project is is just that: a project. The community is welcome to inspect all of the source code, and anyone is free to use these runtime patches. Yes, QuickTime, and VLC, and everything else that will be covered in MOAB will be fixed by Apple and the various applicable vendors/developers. That is not at all the point of providing on-demand runtime fixes each day, and you have apparently totally missed the point of this project, and the post you responded to where I pretty concisely explain it.
Re:rushed fixes, and untested at that (Score:5, Informative)
(http://landonf.bikemonkey.org/)
If I have time, or if people help me.
I tested thoroughly on Intel and PowerPC Macs. I wouldn't release a fix to the world without being fairly certain that it works correctly. You're welcome to review the code for the first fix -- it's about 10 lines. I'd be happy to explain the various entry points for you, too. We're using these fixes on all our Macs here at Three Rings Design.
Alternatively, you can not use the patch. I won't mind.
You open the Application Enhancer pref pane and hit the "-" (minus) button.
Re:Install a fix not from Apple? Fat Chance (Score:2)
(http://das.doit.wisc.edu/)
Nothing is hidden, and Landon isn't trying to hide anything that's being done.
Also, these fixes are runtime fixes via APE [unsanity.com] modules. The only place they're "installed" is into APE, so they can all be easily removed/disabled at will (as can APE itself). There is nothing wrong with the principle of runtime patching, and this is really a technical exercise more than anything. But again, the code is all right there, and you can see exactly what is being done.
Re:Install a fix not from Apple? Fat Chance (Score:2, Insightful)
(Last Journal: Monday July 17 2006, @03:45PM)
Re:so? (Score:2)
As I understand it, the Quicktime bug of yesterday is particularly bad since it will load automatically without asking if you wish to run it first.
Re:Can they fix (Score:1)
(http://www.quis.cc/)
Re:Month of Slashdot Dupes (Score:2)
One is the month of bugs. The other is the month of fixes, a response to the first and a different project by different people. You can at least correctly read the title of the article summary before declaring it a dupe. MOAB != MOAF.
Re:Install a fix not from Apple? Fat Chance (Score:5, Informative)
(http://landonf.bikemonkey.org/)
Absolutely -- but I'd still strongly suggest disabling the QuickTime RTSP component:
http://isc.sans.org/diary.php?storyid=1993
You forgot number 4:
4. Have my professional and personal reputation permanently sullied.
I'll pass! =) The code is up for review, but if you don't feel comfortable with my fix, you can disable the primary attack vector by following the directions from the SANS web site.
Re:Can they fix (Score:2)
(http://www.unsanity.org/)
It's not unreasonable & Landon is contributing! (Score:1)
There are pros and cons to third party patches (and you have identified a possible negative case), but there are solid ways to validate the decision with the security community, even if you can't read the code yourself.
I think it's really cool that Landon is spending his time writing counters and taking a decidedly positive action in this investigation.
Personally, I never heard of APE before this, and knowing something about that software is already a positive result for me, even if I only disable rtsp handler (which I have done).
Re:PR for Vista launch (Score:2)
(http://kelora.org/)
Just keep laughing, and please totally ignore all bug reports. If it was important, Steve Jobs would have called you personally - seriously, Apple service is just *that* good.