Kevin Finisterre vs. Landon Fuller
Published January 4th, 2007 in Apple.

The Month of Apple Bugs (MOAB) started off smoothly with the release of three bugs so far on day 3. All are related to media players.

- Apple QuickTime rtsp:// URL Handler Stack-based Buffer Overflow - A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution.
- VLC Media Player udp:// Format String Vulnerability - A vulnerability in the handling of the udp:// URL handler allows remote arbitrary code execution.
- Apple QuickTime HREFTrack Cross-Zone Scripting vulnerability - A vulnerability in the handling of the HREFTrack field allows cross-zone scripting, leading to potential remote arbitrary code execution.

What is interesting is not that OS X has enough bugs for a whole month, but the voluntary efforts of Mac guru Landon Fuller. He has provided patches or fixes for all three bugs disclosed so far. He also offers to patch all other vulnerabilities, one a day, until the month is out.
As of today, the effort has quickly gained support from William Carrel, who has set up a MOAB Fixes Google Group with Landon as the coordinator. The Google Group is not very active yet, with only seven members. It is nonetheless a perfect gathering place to discuss the technical and coding issues for MOAB bug fixes. It also serves as an additional download mirror for the patches, alongside Landon’s blog.
The MOAB rarely reports disclosed bugs to Apple. The main concern is the amount of time OS X users will have to wait for trivial fixes if the work is left to Apple. The initiative aims to improve Mac OS X by uncovering security flaws in different Apple software and third-party applications designed for the operating system.
One of the researchers who kicked off MOAB, Kevin Finisterre, is an interesting person. He said in an interview back in Feb 2006, “I honestly love Mac hardware, but do not care too much for the OS. … My personal preference is Mac hardware running the Linux OS.” What do you think?

