Month of Apple Fixes
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
Response from Kevin Finisterre, second bug (Score:5, Interesting)
Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player [info-pull.com] that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross-platform applications may transfer more easily to the Intel-based Macs running Mac OS X...
In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.
(Disclaimer: I am the story submitter.)
PR for Vista launch (Score:0, Interesting)
Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end.
So why do we have to wait an entire month to get to bug #31? What's the motivation to keep bug #31 alive for 31 more days?
Also from the FAQ:
7. John Doe has written a 'post' in his blog, saying he debunks the XXX bug, what's that?
No worries. It's probably someone begging for attention or PR-brainwashed
That's right, anybody who disagrees is psycho. Is that you George?
privsep? (Score:3, Interesting)
I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?
Is this feature in the works? I certainly hope so.
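The privilege separation the comment above is asking for, as an added example that is not code from the page, from Apple, or from Safari: a parent forks an untrusted "renderer" worker, the worker drops to an unprivileged uid/gid in the correct order (supplementary groups, then gid, then uid), and then proves to itself that the drop is irreversible before doing any work. The target ids (65534, "nobody") are a placeholder assumption; when the example is run unprivileged it uses the caller's own ids so the same code path still executes.

```c
/*
 * Added example (not code from the page, Apple, or Safari): a minimal
 * privilege-separation pattern. A parent process forks an untrusted
 * "renderer" worker; the worker drops privileges permanently and then
 * verifies the drop before doing anything else.
 *
 * Assumptions: POSIX (Linux/macOS). uid/gid 65534 ("nobody") is only a
 * placeholder chosen for this example.
 */
#define _GNU_SOURCE            /* setgroups() prototype on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop privileges permanently. Order matters: supplementary groups first
 * (only root may clear them), then the primary gid, then the uid last,
 * because once the uid is unprivileged the earlier steps are refused.
 * Returns 0 on success, -1 (errno set) on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Verify the drop took: real and effective ids must be non-root, and an
 * attempt to become root again must be refused by the kernel (EPERM).
 * Returns 1 when the process is provably unprivileged, 0 otherwise. */
int verify_unprivileged(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    if (setuid(0) == 0)
        return 0;
    if (setgid(0) == 0)
        return 0;
    return 1;
}

/* Worker body: what the sandboxed engine would run after the drop. As a
 * smoke test it tries to open /etc/shadow, which an unprivileged worker
 * must not be able to read on a normally configured system. */
static int worker(uid_t uid, gid_t gid)
{
    if (drop_privileges(uid, gid) != 0) {
        fprintf(stderr, "worker: drop failed: %s\n", strerror(errno));
        return 1;
    }
    if (!verify_unprivileged()) {
        fprintf(stderr, "worker: still privileged, refusing to run\n");
        return 1;
    }
    FILE *f = fopen("/etc/shadow", "r");
    if (f != NULL) {
        fclose(f);
        fprintf(stderr, "worker: could read /etc/shadow, sandbox is broken\n");
        return 1;
    }
    printf("worker running as uid %u; /etc/shadow not readable (%s)\n",
           (unsigned)getuid(), strerror(errno));
    return 0;
}

int main(void)
{
    /* Root drops to the placeholder uid; an unprivileged caller keeps its
     * own ids so the same code path is still exercised. */
    uid_t uid = getuid() == 0 ? (uid_t)65534 : getuid();
    gid_t gid = getuid() == 0 ? (gid_t)65534 : getgid();

    pid_t pid = fork();
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (pid == 0)
        _exit(worker(uid, gid));

    int status = 0;
    if (waitpid(pid, &status, 0) < 0) {
        perror("waitpid");
        return 1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

The verification step is the part most implementations skip: a drop that silently fails (for example, setgroups() returning EPERM because the process was never root, or setuid() on a platform where the saved set-user-id is left intact) leaves the worker believing it is sandboxed when it is not, so the worker should refuse to run rather than carry on.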
Has anyone verified bug is exploitable yet? (Score:5, Interesting)
Re:THIS is an Apple bug? (Score:3, Interesting)
But, yeah, it's kind of weak. If this is the best they can come up with, Apple can rest easy.