Slashdot Mirror

← Back to Stories (view on slashdot.org)

Month of Apple Fixes

Posted by kdawson on from the mister-fixit dept.

das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."

4 of 177 comments (clear)

  1. Re:rushed fixes, and untested at that by daveschroeder · · Score: 5, Informative

    All this is a little fun exercise and a public service, if you will. Also, anyone can examine the code.

    How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE). APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.

    Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.

    Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here.

  2. Re:rushed fixes, and untested at that by landonf · · Score: 5, Informative
    So some third party is going to try to rush out daily fixes?

    If I have time, or if people help me.

    How much testing is done on these fixes, none?

    I tested thoroughly on Intel and PowerPC Macs. I wouldn't release a fix to the world without being fairly certain that it works correctly. You're welcome to review the code for the first fix -- it's about 10 lines. I'd be happy to explain the various entry points for you, too. We're using these fixes on all our Macs here at Three Rings Design.

    Alternatively, you can not use the patch. I won't mind.

    And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

    You open the Application Enhancer pref pane and hit the "-" (minus) button.

    --
    http://plausible.coop
  3. Has anyone verified bug is exploitable yet? by SuperKendall · · Score: 5, Interesting

    From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  4. Re:Install a fix not from Apple? Fat Chance by landonf · · Score: 5, Informative
    I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple

    Absolutely -- but I'd still strongly suggest disabling the QuickTime RTSP component:

    http://isc.sans.org/diary.php?storyid=1993

    1. Go to MOAB site, record exploit info 2. Create malicious version of exploit 3. Post to web as a "fix" and tell users to blindly install

    You forgot number 4:

    4. Have my professional and personal reputation permanently sullied.

    I'll pass! =) The code is up for review, but if you don't feel comfortable with my fix, you can disable the primary attack vector by following the directions from the SANS web site.

    --
    http://plausible.coop