Follow Slashdot blog updates by subscribing to our blog RSS feed

 


Forgot your password?
Close
typodupeerror
×
OS X Operating Systems Bug Security

Month of Apple Fixes 177

Posted by kdawson from the mister-fixit dept.
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
This discussion has been archived. No new comments can be posted.

Month of Apple Fixes More

Month of Apple Fixes

Comments Filter:

  • Re:rushed fixes, and untested at that (Score:5, Informative)

    by daveschroeder ( 516195 ) * on Tuesday January 02, 2007 @05:50PM (#17436094)
    All this is a little fun exercise and a public service, if you will. Also, anyone can examine the code.

    How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE) [unsanity.com]. APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.

    Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.

    Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here [securityfocus.com].

  • Re:rushed fixes, and untested at that (Score:5, Informative)

    by landonf ( 905751 ) <landonf@plausible.coop> on Tuesday January 02, 2007 @05:51PM (#17436120) Homepage
    So some third party is going to try to rush out daily fixes?

    If I have time, or if people help me.

    How much testing is done on these fixes, none?

    I tested thoroughly on Intel and PowerPC Macs. I wouldn't release a fix to the world without being fairly certain that it works correctly. You're welcome to review the code for the first fix -- it's about 10 lines. I'd be happy to explain the various entry points for you, too. We're using these fixes on all our Macs here at Three Rings Design.

    Alternatively, you can not use the patch. I won't mind.

    And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

    You open the Application Enhancer pref pane and hit the "-" (minus) button.

  • Re:Response from Kevin Finisterre, second bug (Score:5, Informative)

    by 0racle ( 667029 ) on Tuesday January 02, 2007 @06:07PM (#17436290)
    VLC != Quicktime. On top of that Quicktime would be a valid target for the month of Apple Bugs as it ships as part of OS X and is created by Apple, VLC does not and is not. A bug in VLC is no more an apple bug then an SSH bug in PuTTY is a Windows bug.

  • Unabomber. (Score:3, Informative)

    by CODiNE ( 27417 ) on Tuesday January 02, 2007 @06:07PM (#17436294) Homepage
    Nice pic of the unabomber sketch on the release page... quite telling.

  • Re:Install a fix not from Apple? Fat Chance (Score:5, Informative)

    by landonf ( 905751 ) <landonf@plausible.coop> on Tuesday January 02, 2007 @06:29PM (#17436528) Homepage
    I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple

    Absolutely -- but I'd still strongly suggest disabling the QuickTime RTSP component:

    http://isc.sans.org/diary.php?storyid=1993

    1. Go to MOAB site, record exploit info 2. Create malicious version of exploit 3. Post to web as a "fix" and tell users to blindly install

    You forgot number 4:

    4. Have my professional and personal reputation permanently sullied.

    I'll pass! =) The code is up for review, but if you don't feel comfortable with my fix, you can disable the primary attack vector by following the directions from the SANS web site.

  • Second bug fix already in progress... (Score:5, Informative)

    by daveschroeder ( 516195 ) * on Tuesday January 02, 2007 @06:51PM (#17436730)
    See here [videolan.org] for details.

  • Re:Has anyone verified bug is exploitable yet? (Score:2, Informative)

    by paimin ( 656338 ) on Tuesday January 02, 2007 @07:15PM (#17437038)
    I tried the exploit on my Powerbook G4, and it did crash Quicktime, but no payload here as well.

  • Re:rushed fixes, and untested at that (Score:4, Informative)

    by daveschroeder ( 516195 ) * on Tuesday January 02, 2007 @07:45PM (#17437340)
    Ugh. :-(

    APE isn't going to be necessary for ANY fixes from Apple. Apple will release their fixes in due course, and they'll be like all their previous fixes have been: normal updates to the OS that come down via Software Update, etc.

    But since we can't directly fix Apple's code, this is a little technical exercise that fixes them with runtime patches. One very easy way to do runtime patches and code injection such as this is to use APE.

    Also, APE is *very* easy to uninstall. It has its own uninstaller right in the installer, which will, categorically and definitely, uninstall every single last thing that has anything to do with APE.

    Also, there is nothing wrong with APE, and here is a very detailed explanation of exactly what APE is and what it does [unsanity.org].

    All this project is is just that: a project. The community is welcome to inspect all of the source code, and anyone is free to use these runtime patches. Yes, QuickTime, and VLC, and everything else that will be covered in MOAB will be fixed by Apple and the various applicable vendors/developers. That is not at all the point of providing on-demand runtime fixes each day, and you have apparently totally missed the point of this projects, and the post you responded to where I pretty concisely explain it.

  • Re:Response from Kevin Finisterre, second bug (Score:1, Informative)

    by Anonymous Coward on Tuesday January 02, 2007 @09:32PM (#17438408)
    Are you daft? Your argument made no sense whatsoever. Yes, it is a problem. Did the GP post deny that it was a problem? Unless you have a deficiency in understanding simple English, I can't see you can try to infer that the GP denied there was a problem. It is a problem, however, that is not Apple's fault. It is VLC developers' fault; thus, the point is not the same.

    The GP was correcting the post that inferred the bug was in QuickTime. It's not since VLC does not depend on QuickTime to playback videos and the bug in VLC does not affect QuickTime.

  • And I can verify it does not work on a MacPro (Score:2, Informative)

    by SuperKendall ( 25149 ) on Tuesday January 02, 2007 @11:20PM (#17439278)
    I finally got a chance to try the exploit on my own Macbook Pro, where it did not work.

    Given that the Ruby script is slightly flawed, how are we to assume that they are even capable of coming up with a real exploit instead of just crashing applications?

    Month of Apple Bugs, indeed! Given the second bug (an error in VLC! Oh My!) I think the whole effort is going to backfire and point, correctly or not, as a shining example as to the lack of serious problems in OS X itself (unless they are saving something good for later, but it seems like they had better produce a real bug shortly or face derision).

    You have to wonder now if the Oracle one was canceled because they couldn't get any of those exploits to work either - or perhaps never figured out how to install Oracle, that took me a few passes the first time I tried to set it up.

Slashdot Top Deals

"And remember: Evil will always prevail, because Good is dumb." -- Spaceballs

Close