Slashdot Mirror


Apple Responds to MOAB

frdmfghtr writes "Apple has released what appears to be the first security update as a result of the "Month of Apple Bugs." While the Apple site doesn't explicitly say that the fix was a result of the MOAB, it does point to a sample Quicktime file that triggers the overflow flaw (well, sort of...it says the file is there but doesn't provide any links)."

2 of 126 comments

  1. Re:So...Is The QT Flaw the Only Notable Bug? by 99BottlesOfBeerInMyF · Score: 4, Interesting

    I haven't heard much coverage on the MOAB since the QuickTime revelation -- haven't they dug up any further baloney in the OS or its core of Jobsian iApps?

    They've revealed a number of potentially exploitable bugs, although nothing to really worry about right away, and a number more third party bugs that have little or nothing to do with Apple.

    If the highlight of the month is the damn QuickTime thing, this has worked out to be a fairly dull bug hunt.

    The most interesting thing to come out of this so far is actually a third party bug in Colloquy, a popular IRC client. The bug itself is not all that novel, but the explanation of the bug that the MOAB team allegedly originally posted showed them using the vulnerability to hack users on the popular #macdev on Freenode IRC. Basically, many people are claiming they posted a log of them not only behaving unethically, but illegally before even announcing the vulnerability. The explanation of the bug they now post no longer contains that log. For more information check out the article and the accompanying forums.

  2. Re:Response by DLG · Score: 4, Interesting

    I just searched around on this, and was also disturbed by what I see which can be summed up by 'they tested it live, the developers fixed the bug based on the attack, the MOAB team posted a release with evidence of the attack, then removed it, then denied it happened, and denounced all potential proof as unreliable'

    The parent shouldn't be modded flamebait, but that's not really important. Even the fact that they used it live was relatively minor (it wasn't infecting people's computers as far as I could tell). What bothers me is that the lack of transparency they accuse Apple or other developers of hardly seems valid in light of their own lack of honesty. This has been questioned before, and if they hadn't already made themselves look a bit foolish by targeting open source multiplatform tools, they certainly would have lost credibility based on this stunt.