Slashdot Mirror

← Back to Stories (view on slashdot.org)

Month of Apple Fixes

Posted by kdawson on from the mister-fixit dept.

das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."

4 of 177 comments (clear)

  1. Response from Kevin Finisterre, second bug by daveschroeder · · Score: 4, Interesting

    Kevin Finisterre, security researcher, founder of Digital Munition, and co-presenter of the Month of Apple Bugs, has also responded on the SecurityFocus focus-apple list to some of my concerns, expanding on some of the motivations and reasoning behing MOAB (followup).

    Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...

    In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.

    (Disclaimer: I am the story submitter.)

  2. privsep? by emil · · Score: 2, Interesting

    I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

    Is this feature in the works? I certainly hope so.

  3. Has anyone verified bug is exploitable yet? by SuperKendall · · Score: 5, Interesting

    From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Re:THIS is an Apple bug? by porkchop_d_clown · · Score: 2, Interesting

    In the sense that it affects Apple machines, sure.

    But, yeah, it's kind of weak. If this is the best they can come up with, Apple can rest easy.

    --
    Clear, Dark Skies