
Month of Apple Fixes

das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
  • by daveschroeder ( 516195 ) * on Tuesday January 02, 2007 @05:34PM (#17435922)
    Kevin Finisterre, security researcher, founder of Digital Munition [digitalmunition], and co-presenter of the Month of Apple Bugs [info-pull.com], has also responded on the SecurityFocus focus-apple list [securityfocus.com] to some of my concerns [securityfocus.com], expanding on some of the motivations and reasoning behind MOAB (followup [securityfocus.com]).

    Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player [info-pull.com] that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...

    In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.

    (Disclaimer: I am the story submitter.)
  • PR for Vista launch (Score:0, Interesting)

    by Anonymous Coward on Tuesday January 02, 2007 @05:57PM (#17436192)
    What's this guy's motivation? He says specifically in his FAQ that he did not tell Apple of these problems; he's just releasing them publicly.

    Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end.

    So why do we have to wait an entire month to get to bug #31? What's the motivation to keep bug #31 alive for 31 more days?

    Also from the FAQ:

    7. John Doe has written a 'post' in his blog, saying he debunks the XXX bug, what's that?

    No worries. It's probably someone begging for attention or PR-brainwashed

    That's right, anybody who disagrees is psycho. Is that you George?
  • privsep? (Score:3, Interesting)

    by emil ( 695 ) on Tuesday January 02, 2007 @06:00PM (#17436216)

    I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

    Is this feature in the works? I certainly hope so.
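
The privilege-separation pattern asked about above, as an added illustration that is not code from Safari, Apple, or this post: a parent forks a worker, the worker drops to an unprivileged uid/gid before touching untrusted input, and the parent only ever reads an exit status, so a crash or compromise in the parser stays in the unprivileged child. `toy_render` and its length-prefixed input format are constructed stand-ins for a real rendering engine; the uid/gid to drop to are passed in by the caller (e.g. the "guest"/"nobody" account the comment suggests).

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stddef.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Irreversibly drop to uid/gid, then verify the drop cannot be undone.
 * Order matters: groups and gid must change before uid, because once we
 * are no longer root we may not change them. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Clearing supplementary groups needs root; skip when already unprivileged. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* If we were asked to become non-root, regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Constructed stand-in for a rendering engine: input is one length byte
 * followed by that many payload bytes. Returns 0 if well-formed, 2 if not. */
static int toy_render(const unsigned char *buf, size_t len)
{
    if (len == 0 || (size_t)buf[0] != len - 1) return 2;
    return 0;
}

/* Privilege-separated render: the worker child drops to uid/gid before it
 * parses untrusted bytes; the parent never parses them and only reads an
 * exit code. Returns 0 ok, 1 privilege drop failed, 2 malformed input,
 * 128+signal if the child crashed, -1 if fork/waitpid failed. */
int render_in_sandbox(const unsigned char *buf, size_t len, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(1);
        _exit(toy_render(buf, len));
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return 128 + WTERMSIG(status); /* crash stays in child */
    return WEXITSTATUS(status);
}
```

Run as root you would pass the uid/gid of an unprivileged account; run as an ordinary user the drop is a no-op but the post-drop check that `setuid(0)` fails still holds.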

  • by SuperKendall ( 25149 ) on Tuesday January 02, 2007 @06:15PM (#17436370)
    From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.
  • by porkchop_d_clown ( 39923 ) <mwheinz@nOSpAm.me.com> on Wednesday January 03, 2007 @12:17AM (#17439690)
    In the sense that it affects Apple machines, sure.

    But, yeah, it's kind of weak. If this is the best they can come up with, Apple can rest easy.
