MonthOfAppleBugs

Latest

  • More MOAB fixes from Landon Fuller

    by Michael Rose
    01.22.2007

    It was a busy weekend for Landon Fuller and his crew of white-hat hackers working to plug the holes in Mac OS X and associated applications revealed by Month of Apple Bugs. His most recent two posts detail patches for Transmit and iChat, a mount warning for disk image downloads in Safari, and a patch for a zero-day vulnerability that's not even on the MOAB hit list: a heap overflow in the Java GIF image handling code, which has been fixed in Sun's releases of the Java virtual machine but not yet in Apple's release. Landon also points to the BOM Shelter python script, written by his buddy William Carrel; the script modifies permissions on several items to avoid the vulnerabilities of MOABs 5, 8 and 15. The thanks and appreciation of the entire Mac-using community are due to these guys, who are volunteering their time and considerable expertise to keep us all a little bit safer.

  • VLC patched with MOAB fix

    by Michael Rose
    01.04.2007

    See, that didn't take long! VideoLAN's VLC media player has been revised to version 0.8.6a, which closes the vulnerability noted by Month of Apple Bugs and also makes improvements to Full Screen Mode. If you aren't already using VLC for its incredible powers of playback and streaming, now would be an ideal time to start. [via Versiontracker]

  • Former Apple engineer offers fixes for Month of Apple bugs silliness

    by David Chartier
    01.03.2007

    Landon Fuller, programmer and former Apple BSD Technology Group engineer extraordinaire, has offered to try and provide fixes for the exploits that appear during this asinine Month of Apple Bugs. Landon has already posted workarounds for the QuickTime vulnerability, and he links a change the VLC team has already made to their codebase (which is likely to be rolled out soon). I join many others in thanking Landon for his work, but I still wish he didn't have to do it. Why should a former Apple engineer use his free time to chase after publicized exploits, when Apple themselves (and any 3rd parties) should be the ones to fix these problems at their core? Thanks Bill I

  • "The Month of Apple bugs" begins, rationality surrenders

    by David Chartier
    01.03.2007

    Kevin Finisterre and someone we only know as "LMH" have launched the Month of Apple Bugs, a site they dub a 'project' with the supposed goal of publishing bugs, hacks and exploits they have found in Apple's software and any and all Apple-related software. Already they have published a QuickTime exploit they've found which could allow remote code execution (for which Mr. Gruber's proposed solution might not cut it), and yesterday they posted a VLC exploit (and how is this an 'Apple bug?') which supposedly offers the same vulnerability. If you're the type who enjoys cliff notes, let me summarize my feelings about the decision Kevin and "LMH" have made with this site: I spent almost all of last night sketching and brainstorming ideas, but I honestly can't think of anything more pathetically ego-massaging or FUD-drudging one could do with this information outside of writing, directing and starring in a horror movie about code exploits. Thankfully, I wager such a movie wouldn't do so well at the box office. Let me be clear: if these guys have actually found enough problems with software (be it Apple's or otherwise) to fill a whole month of releases, I honestly and sincerely thank them - they can help whoever makes that software to make it better. What is so horrendously wrong with this 'project' is that they're stirring up hype and making news headlines with these exploits, instead of sticking with the traditional and ethical practices of reporting and discussing these bugs with the relevant parties. Who knows, maybe they already filled out the form (though after reading FAQ #4, I doubt it), but publishing this information and landing themselves all over digg and Yahoo! News isn't going to accomplish anything productive. They complain about slow processes and being annoyed at auto-responders to bug reports but they fail to offer any legitimate reason or positive justification for publishing code like this.

    Patience and civility are virtues, and while I can completely understand being annoyed at faceless bureaucratic processes that fail to tingle the 'hooray I did something good!' bone, publishing this code in this manner has absolutely no positive merit for anyone, and causes nothing but undue harm to the Mac community they so smugly feign an interest in. But I would hate to end on such a bad note. Instead, I'll promise to stomp my feet about this 'project' as little as possible, as we at TUAW would rather focus on the positive. Over the month, we'll offer context and solutions for the bugs Mr. Finisterre and "LMH" publish, in an effort to help the Mac web create something positive out of this questionable month-long bug report. Stay tuned.