Month of Apple Fixes
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
Thank you, Landon.
You're suffering from some serious RTFA syndrome. By doing the patch the way he did you change NO SYSTEM FILES.
Man, they're really scraping the bottom of the barrel, and it's only January 2nd! A string handling vulnerability in a cross-platform app I've never heard of? They should at least have been able to make it to the end of the BCS before resorting to filler like that.
What I'm listening to now on Pandora...
See above posts, maybe even RTFA... then RTFSC. All 10 lines of it. Cheers.
You could probably try doing this yourself:
chown unknown /Applications/Safari.app/Contents/MacOS/Safari
chmod u+s /Applications/Safari.app/Contents/MacOS/Safari
...and you'll probably need to also change the following:
chown -R unknown ~/Library/Caches/Safari
chown -R unknown ~/Library/Safari
"The human race's favorite method for being in control of the facts is to ignore them." -Celia Green
So
[simon:~] simon% vlc
tcsh: vlc: Command not found.
[simon:~] simon% perl VLCMediaSlayer-x86.pl
jump address is: 0x41424344
writing to file: pwnage.m3u
[simon:~] simon% open pwnage.m3u
[simon:~] simon% (opens iTunes)
The application for this second bug is not even shipped on Macs by default! Meaning that this completely 3rd-party software, if installed onto a Mac, can cause problems with the Mac. And this is Apple's problem how, exactly?
Simon
Physicists get Hadrons!
WMVs played out of the box on your Mac? You didn't need Flip4Mac or anything else? How did you manage that, then?
I was going to use a stronger word, but my New Year's resolution is still (diminishingly) in effect...
... wrong. I can't think how you could think that. It's hard to construct an argument when your starting premise is just nonsense.
:-) that QT doesn't support the codecs that you want, but it's not Apple's fault that other 3rd-party codecs have bugs in. Yes, I'm a Mac fan, but not a fanboy - I completely agree with bug #1, but this is just completely ... bogus.
If Apple don't supply a piece of software, it is *not* their fault that there can be subsequent problems using that piece of software, it's the program-author's fault. Obviously vlc isn't completely necessary (otherwise I would have it installed, I install a fair amount of linux-related s/w). I do have windows-media player and realmedia player installed...
To say that just because Apple don't supply a particular feature (viewing movies that require codec XXX), it's Apple's problem when you install 3rd-party software that does is just
By the same logic, it's Apple's fault that:
- I can't run my FPGA-mapping software on my Mac Pro, because Xilinx don't support the Mac. Apple ought to do something.
- I can't run any game I want on the Mac. Curse those game-producing companies, oh no, wait, it's Apple's fault.
- My Mac doesn't make toast! How simple is making toast? Apple ought to pull their finger out!
- ad nauseam.
Install 3rd-party software, have problems with that software, blame the software author. Don't blame the machine manufacturer / operating-system provider.
Moan like buggery (*) (hmm, unfortunate turn of phrase
Simon
(*) "Moan like buggery" isn't really rude where I come from, oddly enough...
Physicists get Hadrons!
I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?
First, let me make one point clear. This is not "just catching on in IE", it has been used for running potentially exploitable applications in UNIX for decades. It's a last resort when applied to interactive programs... it's usually used with applications that are running unattended and providing services to the outside world... and the limitations of this kind of technique are abundantly clear. UNIX environments typically take this kind of thing several stages further, using chrooted environments and jails to really isolate the untrusted code from the rest of the system.
Second, Security is like sex, if you're penetrated you're fucked. Just because an exploit in IE can only have an effect on resources owned by a restricted user should not be considered a big deal. Why?
(1) Once you can run local native code, you're in a MUCH better position to devise a secondary exploit against a local privilege escalation vulnerability.
(2) Resources accessible to Internet Explorer include (of necessity) any security tokens (passwords, etcetera) used for access to online services, as well as anything else that you use the same tokens for... like, say, your local account.
I've repeatedly argued that the fact that the local user runs with lower privileges on Mac OS X than on Windows is not nearly as important as Mac fanatics make out. Well, the converse is true... this new hack Microsoft has come up with to avoid facing the security flaws in the design of IE isn't nearly as important as Microsoft apologists make out.
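
The technique discussed in the comment above (chroot the untrusted code, then setuid to an unprivileged user), written out as an added C example; it is not part of the thread and is not Safari's or IE's code. The uid/gid 65534, the `/var/empty` jail path and the `render` stand-in are assumptions for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1 /* glibc: expose chroot() and setgroups() */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { RAN_UNPRIVILEGED = 0, DROP_REFUSED = 2, RAN_AS_ROOT = 99 };

/* Give up root for good in the calling process. Order matters: chroot()
 * and the group changes need root, so setuid() has to come last. */
static int drop_privileges(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0 || chdir("/") != 0) return -1; /* no cwd outside jail */
    if (setgroups(0, NULL) != 0) return -1; /* shed supplementary groups */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;        /* real, effective and saved uid */
    /* Verify: if root can be regained, the drop was not real. */
    if (setuid(0) == 0 || seteuid(0) == 0) return -1;
    if (getuid() != uid || geteuid() != uid || getegid() != gid) return -1;
    return 0;
}

/* Run `work` in a child only after the drop is verified; fail closed. */
int run_untrusted(void (*work)(void), const char *jail, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(jail, uid, gid) != 0) _exit(DROP_REFUSED);
        work();
        _exit(RAN_UNPRIVILEGED);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Stand-in for the rendering code (hypothetical); flags a failed drop. */
static void render(void) { if (geteuid() == 0) _exit(RAN_AS_ROOT); }

int main(void)
{
    /* Assumed values: 65534 is "nobody" on many systems; adjust locally. */
    int r = run_untrusted(render, "/var/empty", 65534, 65534);
    printf("%s\n", r == RAN_UNPRIVILEGED ? "ran unprivileged" : "refused to run");
    return r == RAN_UNPRIVILEGED ? 0 : 1;
}
```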