Today is the third day of the Month of Apple Bugs (a.k.a. MOAB). MOAB is run by a hacker known as LMH, sponsor of the Month of Kernel Bugs, and by Kevin Finisterre. The project began with Monday's disclosure of a stack-based buffer overflow in QuickTime's rtsp:// URL handler, where "A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution."
Yesterday's bug was a udp:// format string vulnerability in VideoLAN's open source VLC media player, which also allows remote arbitrary code execution. As the VLC exploit shows, the group isn't only targeting Apple products (although those "are the main focus"); they'll also "be looking over popular OS X applications as well."
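For readers who have not met the bug class behind the VLC entry, here is a constructed illustration of what a format string defect in a URL handler looks like next to its hardened form. This is added example code, not VLC's code and not from the MOAB advisory; the function names and the sample udp:// URL are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the format-string bug class. Not VLC's code;
 * the udp:// URL below is a made-up sample. */

#ifdef SHOW_DEFECT
/* Defect pattern: attacker-controlled text is used AS the format string.
 * Every % directive inside `url` is then interpreted by snprintf, which is
 * what turns an ordinary logging call into a memory-corruption primitive.
 * Compiled out by default: with -Wformat-security (an error by default on
 * several distributions) the compiler itself flags this line, which is the
 * cheapest detection a defender has for the pattern. */
static void log_url_unsafe(const char *url)
{
    char line[256];
    snprintf(line, sizeof line, url);   /* BUG: url is the format argument */
    fputs(line, stderr);
}
#endif

/* Hardened form: a fixed, literal format string and the user data passed as
 * an argument, so % characters in `url` are copied, never interpreted.
 * Writes the formatted line into `out` and returns the number of characters
 * actually stored (excluding the terminator). */
size_t log_url_safe(const char *url, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "opening stream %s", url);
    if (n < 0 || out_len == 0)
        return 0;
    return (size_t)n < out_len ? (size_t)n : out_len - 1;
}

/* Cheap input check for a URL handler: a '%' has no business in the host or
 * port part of a udp:// URL, so its presence is worth logging or rejecting
 * before the string travels anywhere near a format function.
 * Returns 1 if a '%' is present, 0 otherwise. */
int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *sample = "udp://@:1234/%s%s";   /* constructed sample input */
    char out[256];

    log_url_safe(sample, out, sizeof out);
    printf("%s\n", out);                      /* the %s%s is printed verbatim */
    printf("suspicious input: %d\n", has_format_directive(sample));
    return 0;
}
```

The fix is the literal format string, not the `%` check: the check only narrows what reaches the logger, while the literal removes the interpretation entirely.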
While the group responsible for disclosing the flaws seems to have a vendetta against Apple and its users, they claim that they don't: "Getting problems solved makes that use a bit more safe each day, for everyone else. Flaws exist, with and without people disclosing them."
A modern-day Robin Hood named Landon Fuller has come to the rescue with a mission to patch each of the bugs exposed by LMH and the MOAB:
So, part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer. If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out.

I hope that Apple is paying attention to MOAB and that smart developers are going to help Fuller in his efforts. We don't need another black cloud hanging over next week's Apple love fest by the bay.