Slashdot Mirror


Month of Apple Fixes

das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."

2 of 177 comments

  1. Response from Kevin Finisterre, second bug by daveschroeder · Score: 4, Interesting

    Kevin Finisterre, security researcher, founder of Digital Munition, and co-presenter of the Month of Apple Bugs, has also responded on the SecurityFocus focus-apple list to some of my concerns, expanding on some of the motivations and reasoning behind MOAB (followup).

    Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...

    In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.

    (Disclaimer: I am the story submitter.)

  2. Has anyone verified bug is exploitable yet? by SuperKendall · Score: 5, Interesting

    From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley