Apple guru combats month of bugs

An open-source developer is attempting to ensure every vulnerability found by the Month of Apple Bugs project has a patch
Written by Tom Espiner, Contributor

An attempt is being made to quickly patch flaws in Apple software that have been announced by vulnerability researchers Kevin Finisterre and LMH this month.

The researchers' Month of Apple Bugs project (MOAB), launched on Monday, promises to feature a new Apple software bug for each day in January. However, a senior open-source developer with extensive experience working for Apple says he is attempting to offer fixes for each flaw found.

Landon Fuller was an engineer in Apple's BSD Technology Group, and one of the principal architects of the Darwin Ports project, which aims to provide an easy way to install various open-source software products on the Darwin OS family. Darwin is an open-source, Unix-like operating system designed to work as a standalone operating system as well as the core set of components for Mac OS X. Fuller has already offered fixes for the two vulnerabilities published by MOAB so far.

On Monday, MOAB published an advisory for a QuickTime vulnerability which relates to how media player software handles the Real Time Streaming Protocol, or RTSP. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.

Fuller published a fix on Tuesday for the QuickTime vulnerability which uses Application Enhancer, a piece of software designed to improve how applications behave when running on systems. "So, part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer," wrote Fuller in his blog. "If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out."

Also on Tuesday, Fuller published a fix for a second vulnerability found by MOAB — a format string vulnerability in the open-source VLC media player that MOAB warns could be used by a remote attacker to execute arbitrary code. VLC published its fix soon after the vulnerability was reported to them by Kevin Finisterre.

Fuller called for assistance in developing patches for the flaws that have yet to be publicised by MOAB, and said he would start a mailing list if he gets enough interest.

"If you'd like to help with tomorrow's MOAB vulnerability please feel free to send me patches or other information. If there's enough interest, I'll fire up a mailing list," wrote Fuller in his blog.

CNET News.com's Joris Evers contributed to this report.

Editorial standards