Apple Responds to MOAB
frdmfghtr writes "Apple has released what appears to be the first security update as a result of the 'Month of Apple Bugs.' While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample QuickTime file that triggers the overflow flaw (well, sort of... it says the file is there but doesn't provide any links)."
I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?
If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt. The submitter should've at least linked up the MOAB reference with some supporting fun.
Also: is Steve Jobs technically a bug or a feature?
These stories are free but worth money.
You seriously don't have a clue, do you?
Look at the past security fixes Apple has released. For bugs found in both Linux and OS X, look at the CVEs and you can compare when Linux vendors fixed the bug and when the OS X fix was released. Red Hat fixed most of the bugs within a day or two. Apple had release times in months. They are horrible when it comes to timely release of security fixes.
Look at the Security Update 11-28-6, for example:
GnuZip (reported 8-24-6)
Red Hat fixed 9-19-6
Perl (reported 12-01-5; that's almost a year earlier)
Red Hat fixed 12-20-05
PHP (reported 3-29-6)
Red Hat fixed 4-25-6
And that is actually not as bad as some of the other security updates. For a while I was responsible for putting out a security mailing list that required me to manually sort through the bugs to remove duplicates, and I always noticed Apple releasing fixes for bugs that I had seen months and months ago in Linux and the other BSDs. The bugs required for a worm are out there (remote arbitrary code execution/privilege escalation). It's surprising that they haven't been taken advantage of; personally, I think there aren't as many people interested in writing exploits for Apple products.