Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac Developer Mulls Zero-day Security Response

Posted by CowboyNeal on from the in-the-nick-of-time dept.

1.6 Beta writes "Landon Fuller, the Mac programmer/Darwin developer behind the 'month of Apple fixes' project, plans to expand the initiative to roll out zero-day patches for issues that put Mac OS X users at risk of code execution attacks. The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches. The article quotes him as saying, 'Perhaps [it could be] the Mac OS equivalent to ZERT,' referring to the Zero-day Emergency Response Team."

6 of 94 comments (clear)

  1. Bonzi buddy auto-installer by User+956 · · Score: 5, Funny

    The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches.

    Windows has an auto-updating mechanism for "third-party patches". It's called Internet Explorer.

    --
    The theory of relativity doesn't work right in Arkansas.
  2. This is not a "move on Apple's part" by daveschroeder · · Score: 5, Insightful

    Apple isn't doing this, and Landon Fuller doesn't have anything to do with Apple, other than having worked there. (And no, conspiracy theorists, he's not doing this at Apple's behest or as part of some coordinated fanboy effort to "make Apple look good".)

    What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now. Apple needs to be patching issues in a much more timely manner. Hopefully the outcome of MOAB, things like Fuller's proposal, and other related things will be a real discourse on Apple security response and Mac OS X security.

  3. Re:no trolls?! by Anonymous Coward · · Score: 5, Interesting
    I think MOAB story is getting stale. I submitted a story on how MOAB website tried to crash Safari using .jp2 vulnerability and include the comment

    <!-- Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper -->
    in the HTML code. However, /. didn't bother accepting it.

    MOAB includes hack attempt
  4. Unnecessary. by sakusha · · Score: 5, Insightful

    Almost all of the MOAB bugs have already been patched, including OS fixes by Apple. Some of the application fixes were released within hours of the public announcement of the bug. Yet NONE of those fixes have been linked on the MOAB website.

    The normal processes are working. What is NOT working is the MOAB process. If they used the normal procedure of notifying the developers privately, these bugs could have been fixed in days or even hours, before any public disclosure. But that wouldn't achieve what the MOAB hackers wanted. MOAB isn't about security, it's about publicity whoring.

    1. Re:Unnecessary. by Rosyna · · Score: 5, Insightful

      You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

      Yeah, that's clearly their intention after you look at the non-apple issues such as the ones in OmniWeb, Transmit, VLC, Flip4Mac, Rumpus, et cetera. Clearly, those are an attack against apple's "flaky technical support".

  5. Re:no trolls?! by Cysgod · · Score: 5, Interesting

    quiet night tonight... not one mac fan boy or anti-mac troll has popped up yet, though im sure its just a matter of time Reversing the broken code that people find and figuring out how to patch it can be a great, fun mental exercise if it's something you're interested in. The personal satisfaction from doing that is sometimes offset by all this seemingly inevitable rabblerousing between fanbois and, their complementary particle, anti-fanbois.

    When fanbois and anti-fanbois come into contact they emit a special radiation that causes a temporal shift, known informally as "a colossal total waste of time", for anyone who happens to be reading or listening. For example, you're reading a technical thread, then two of these subsentient particles come into contact. They insist on threadjacking your discussion into an us versus them discussion that only tangentially involves the subject at hand and is logically irritating since it represents a false dilemma. As you skip past the messages looking for some meaningful discussion and swearing about the state of technical discourse, you suddenly discover two hours have passed due to the temporal-moronic radiation.

    Maybe people could study training Bayesian filters to delete those messages (or just delete the authors).