Apple Responds to MOAB
frdmfghtr writes "Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs." While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample Quicktime file that triggers the overflow flaw (well, sort of...it says the file is there but doesn't provide any links)."
I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?
They've revealed a number of potentially exploitable bugs, although nothing to really worry about right away, and a number more third party bugs that have little or nothing to do with Apple.
If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt.
The most interesting thing to come out of this so far is actually a third party bug in Colloquy, a popular IRC client. The bug itself is not all that novel, but the explanation of the bug that the MOAB team allegedly originally posted showed them using the vulnerability to hack users on the popular #macdev on Freenode IRC. Basically, many people are claiming they posted a log of them not only behaving unethically, but illegally, before even announcing the vulnerability. The explanation of the bug they now post no longer contains that log. For more information check out the article and the accompanying forums.
(Offtopic, but who (besides some disgruntled mod) cares... ;P)
Acronyms and product names like XY6342w are not a 'human' thing. It's an engineer/geek thing. In fact I was thinking about this today: part of the success of the iPod, for example, could be thanks to its simple, memorable name. It really stands out in the myriad of alphabetic-numerically named 'generic' MP3 players. I'm sure the iPod would still be quite successful if it was called Apple MP3Player E3807-92i, but those kinds of names just aren't nice or 'sexy'. Real word names just hit home harder. (OK, somebody could argue that 'iPod' is not a real word, but I don't care.)
I don't know about that. Apple releases updates routinely and seems to be on a monthly schedule. I wouldn't say it was a clear case of cause and effect.
Well, there's spam egg sausage and spam, that's not got much spam in it.
On the contrary, the MOAB fits no common definition of WMD. It would cause extensive civilian casualties if dropped in a city, but so would the equivalent amount of explosive dropped as many separate bombs. So would a sufficient quantity of golf balls.
What it is is something not legislated against but still fairly unpleasant: a terror weapon designed to cow civilian populations. The MOAB is ineffective in its supposed role (that of a bunker buster) but it's extremely good at scaring the shit out of civilian populations it's dropped near. Its blast signature (big flash, big boom, mushroom cloud) is identical to a nuke.
The US Air Force conducted a legal review of the MOAB and decided (perhaps unsurprisingly) that it was okay to use it so long as civilians weren't deliberately targeted.
On the other hand, other US weapon systems such as cluster bombs, bunker buster nukes and white phosphorus based weapons flirt with the definition of WMD, not to mention the c.6,000 nuclear warheads...
I don't know that people posting exploits on a public site, and making press releases about it, is the same as reporting bugs to a developer. I mean, I am sure there are many people who have posted messages about exploiting bugs in some way in many forums, but mostly they aren't technically reporting those bugs to the developer. In the case of MOAB they explicitly have stated they were NOT reporting the bugs to Apple, but were doing it a different way to force Apple to respond differently than their normal process. Now you accuse Apple of not treating this with their normal process.
Perhaps your expectations are the part that needs patching.
I just searched around on this, and was also disturbed by what I saw, which can be summed up as 'they tested it live, the developers fixed the bug based on the attack, the MOAB team posted a release with evidence of the attack, then removed it, then denied it happened, and denounced all potential proof as unreliable'.
The parent shouldn't be modded flamebait, but that's not really important. Even the fact that they used it live was relatively minor (it wasn't infecting people's computers as far as I could tell). What bothers me is that the lack of transparency they accuse Apple or other developers of hardly seems valid in light of their own lack of honesty. This has been questioned before, and if they hadn't already made themselves look a bit foolish by targeting open source multiplatform tools, they certainly would have lost credibility based on this stunt.