Month of Apple Bugs - First Bug Unveiled
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
Could you give some examples of Apple suing people to cover up security holes then?
I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?
Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.
No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.
So they're out to raise the profile of each problem.
Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.
Much better than using the vulnerabilities to build Mac-based botnets...
Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.
Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.
"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
The assumed known address is wrong, but it does crash QuickTime on my machine.
/Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player
...
:)
Snips from my crash log:
OS Version: 10.4.8 (Build 8N1051)
Report Version: 4
Command: QuickTime Player
Path:
Parent: WindowServer [57]
Version: 7.1.3 (7.1.3)
Build Version: 65
Project Name: QuickTime
Source Version: 4650000
PID: 9548
Thread: Unknown
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Not so good.
Slashdot. It's Not For Common Sense
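A triage heuristic for crash reports like the one quoted in the comment above, as an added example that is not part of the original thread or the commenter's own code: it parses the register block and flags callee-saved registers holding a repeated printable byte such as 0x41414141, which suggests the saved-register slots on the stack were overwritten with input data. The function names and the two-register threshold are assumptions; the sample log is constructed from the values shown in the comment.

```python
import re

# Constructed sample, modelled on the register block quoted in the thread.
SAMPLE_CRASH_LOG = """\
Exception: EXC_BAD_INSTRUCTION (0x0002)
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
"""

# Matches 'name: 0xXXXXXXXX' pairs as printed in the 32-bit thread state.
REG_RE = re.compile(r"\b([a-z]{2,3}):\s*0x([0-9a-fA-F]{8})\b")

# Callee-saved registers and the frame pointer are restored from the stack
# in a function epilogue, so their values reflect what the stack held.
SAVED_REGS = ("ebx", "esi", "edi", "ebp")


def parse_registers(text):
    """Return {register: int} for every register pair found in the log."""
    return {name: int(value, 16) for name, value in REG_RE.findall(text)}


def is_filler(value):
    """True if all four bytes are the same printable ASCII character."""
    raw = value.to_bytes(4, "big")
    return len(set(raw)) == 1 and 0x20 <= raw[0] <= 0x7E


def triage(text):
    """Flag a crash whose saved registers look like repeated input bytes."""
    regs = parse_registers(text)
    filler = sorted(r for r in SAVED_REGS if r in regs and is_filler(regs[r]))
    return {
        "filler_registers": filler,
        # Assumed threshold: two or more saved registers holding filler.
        "suspect_stack_overwrite": len(filler) >= 2,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CRASH_LOG))
```

A crash flagged this way is a candidate for escalation as a likely memory-corruption bug rather than an ordinary application fault; the heuristic says nothing about exploitability.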