Month of Apple bugs being fixed

Month of Apple bugs being fixed

Summary: Today is the third day in the Month of Apple Bugs (a.k.a. MOAB). MOAB is run by a hacker known as LMH, sponsor of the Month of Kernel Bugs and Kevin Finisterre. The project began with Monday's exposure of a rtsp URL handler stack-based buffer overflow in QuickTime where "A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution."

SHARE:
TOPICS: Apple
105
Today is the third day in the Month of Apple Bugs (a.k.a. MOAB). MOAB is run by a hacker known as LMH, sponsor of the Month of Kernel Bugs and Kevin Finisterre. The project began with Monday's exposure of a rtsp URL handler stack-based buffer overflow in QuickTime where "A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution."

Yesterday's bug was a udp:// format string vulnerability in VideoLANs open source VLC media player which allows remote arbitrary code execution. As evidenced by the VLC exploit, the group isn't only attacking Apple products (although they are "they are the main focus") They'll also "be looking over popular OS X applications as well."

While the group responsible for the exposure of the flaws seems to have a vendetta against Apple and their users, they claim that they don't. "Getting problems solved makes that use a bit more safe each day, for everyone else. Flaws exist, with and without people disclosing them."

A modern day Robin Hood named Landon Fuller has come to the rescue with a mission to patch each of the bugs exposed by LMH and the MOAB:
So, part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer. If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out.
I hope that Apple is paying attention to MOAB and that smart developers are going to help Fuller in his efforts. We don't need another black cloud hanging over next week's Apple love fest by the bay.

Topic: Apple

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

105 comments
Log in or register to join the discussion
  • why

    why is the even writers over here are apple fanboys crazy enough that their eyes are completely closed. Why dont you accept the bugs instead of talking about vendatta.
    hopefulcoder
  • The truth, zd can't handle the truth!

    http://www.macobserver.com/editorial/2006/12/20.1.shtml
    Reverend MacFellow
    • Let's be fair

      I find it funny that in the article you link to it is clearly stated "not all security bugs can be turned into effective exploits." Yet, <i>any</i> Microsoft security bug that is found is jumped on by the MS bashers as another example of how Windows can be easily exploited. I'm not a huge proponent or opponent of Microsoft. As a matter of fact, I tend to oppose, more than support the practices of <i>big business</i>, and that includes Microsoft. I also take with a grain of salt, what I read on websites and in publications that are reliant on advertising dollars from the same companies they write reviews and editorials about (Like ZD and MS). However, I do feel that you need to do your assessments fairly. If security bugs are not always an exploit on a Mac, then don't make the assumption that they always are in Windows.
      Flying Pig
  • This is payback

    More of the hacker crowd, still angry at Apple for calling out the faked wifi hack a few months back. Seems they're angry that the reputation of those who presented the hack then refused to prove it or back it up in any way whatsoever were damaged. So this is their childish attempt to teach Apple a lesson.
    tic swayback
    • Conspiracy Theory

      It's those people at Microsoft again, isn't it ticcy.
      Do you hide under your bed at night.
      Moosehouse
      • You should be better informed

        Guess you missed the people behind the Month of Apple Bugs announcing that the treatment of Maynor and Ellch was part of their motivation for doing this. Next time read a little more before shooting your mouth off, you'll look less foolish:

        http://www.pcworld.com/article/id,128282-c,macs/article.html
        LMH said the Apple community's negative response to Maynor and Ellch's claims played a role in the decision to launch the Month of Apple bugs.

        "I was shocked with the reaction of some so-called 'Apple fans,'" he said. "I can't understand why some people react badly to disclosure of issues in their system of choice. ... That helps to improve its security."
        tic swayback
        • No

          Then i'd look like you...
          Moosehouse
          • Huh?

            I tell you how to look less foolish, and your response is "No. Then I'd look like you."?

            Okay, nice to hear you admit I'm less foolish than you, and that you are deliberately trying to look foolish. I guess that last post proved it.
            tic swayback
      • Can't you read?

        ...I read and re-read - Microsoft was not mentioned by tic... Seems you have the problem...
        ladyirol
        • Nope

          Can't weed can't right. Butt still not an dweeb like u...
          Moosehouse
    • Prove it (nt)

      .
      NonZealot
      • Here's your proof

        Quoting one of the two hackers behind this nonsense:

        http://www.pcworld.com/article/id,128282-c,macs/article.html
        LMH said the Apple community's negative response to Maynor and Ellch's claims played a role in the decision to launch the Month of Apple bugs.

        "I was shocked with the reaction of some so-called 'Apple fans,'" he said. "I can't understand why some people react badly to disclosure of issues in their system of choice. ... That helps to improve its security."


        So there's your proof, straight from the horse's mouth. It's really a shame you can't back up your arguments quite as well as I can. Guess that's because you're a ranting zealot and I'm not.
        tic swayback
        • Sorry, that won't suffice

          Until I actually hear it from them directly, I won't believe it. For all I know, PCWorld hates MS and is just trying to make MS look bad and Apple look good. They ALL want to make Apple look bad, including SANS, ZDNET, Secunia, ALL OF THEM!!!!! I mean, if you won't believe that this Quicktime thing is real until you experience it yourself, why should I believe some random quote by some MS hater? Aww, sucks when your (lack of) logic is used against you. :(
          NonZealot
          • Making up more lies? It's getting sad, really.

            ---Until I actually hear it from them directly, I won't believe it---

            Fair enough, but why read any magazine, newspaper or website for information? You're going to have to go to the source for everything. The weather page says it's 48 degrees in New York today. Do you believe it, or must you go to New York to find out for yourself?

            ---if you won't believe that this Quicktime thing is real until you experience it yourself, why should I believe some random quote by some MS hater? Aww, sucks when your (lack of) logic is used against you---

            Wow. Have you been sniffing drain cleaner? What happened to your IQ? You used to be able to carry on a decent argument. When did I ever, even once claim that I wouldn't believe this Quicktime thing was real until I experienced it myself? Find that quote or admit you're a liar. What I said, repeatedly (and this says something about your reading skills), is that I was hoping for confirmation from anyone that the proof of concept worked. You sent me to several security groups that just repeated the original warning announcement, with no actual testing. George Ou posted a link to a proof of concept that no one seemed to be able to get to work. I kept asking to hear from any other party if it worked for them. That would have been evidence enough for me.

            So once again you're misrepresenting my logic, you're putting words in my mouth. You're lying. You're a liar. Over and over again you lie because you're a zealot with an unhealthy obsession with Steve Jobs and Apple. What's wrong with you? Why have you become so unhappy that this is what you're reduced to?
            tic swayback
          • Wow, Landon Fuller is a GOD!!

            [i]You sent me to several security groups that just repeated the original warning announcement, with no actual testing.[/i]

            He was able to provide a patch for this without ever reproducing it!!! AMAZING!! I'm going to feel bad for you when Apple patches this. :(

            [i]Over and over again you lie because you're a zealot with an unhealthy obsession with Steve Jobs and Apple.[/i]

            Funny thing is that this statement actually describes [b]you[/b] perfectly without any editing required!
            NonZealot
          • You still don't get it, do you?

            ---He was able to provide a patch for this without ever reproducing it!!!---

            Actually, no, he didn't. He fixed a flaw that could theoretically lead to an execution of code, but no one has demonstrated an execution of code. Did you forget to take your brain pills today?

            http://www.macfixit.com/article.php?story=20070103085829512
            Developer Landon Fuller has created a a runtime fix for the stack buffer overflow in the QuickTime Streaming component reported yesterday. This flaw could theoretically lead to malicious code execution on a target Mac, though we've yet to see such an occurrence actually demonstrated.
            tic swayback
          • Ohmigod

            NZ, can you say "Conspiracy Theory"? "Until I actually hear it from them directly, I won't believe it." Do you not believe in anything that you have not personally experienced? Do you believe that 9/11 happened? Did you see it happen, or did you just see all of that faked footage on TV? If Katie Couric came to your home and said, "Yes, NonZealot, it's true.", would you believe it then?
            justanitguy
          • Tell me about it!

            It's pretty stupid to say things like that. You might want to have a little chat with tic since he is actually the one stating this, I'm only using his (lack of) logic against him. He won't believe that this Quicktime thing actually exists because he can't test it himself. Doesn't matter that everyone else has been able to reproduce it, it doesn't exist! I'm so glad you think tic is being ridiculous too.
            NonZealot
          • Learn to read

            Sheesh, please learn to read. You're making yourself look more and more foolish.

            ---He won't believe that this Quicktime thing actually exists because he can't test it himself.---

            Where did I say this? Oops, yet another lie from NZ, yet another statement he can't back up, because he's a liar.
            tic swayback
          • OMG!

            NAG is using NZ's ZDNet login. That is the explaination!

            By the way NZ (or NAG) you have yet to post the results of an actual test.
            nomorems