An attempt is being made to quickly patch flaws in Apple software that are announced by vulnerability researchers Kevin Finisterre and LMH this month. The researchers’ ‘Month of Apple Bugs’ project, launched on Monday, promises to feature a new Apple software bug for each day in January. However, a senior open-source developer with extensive experience working for Apple says he is attempting to offer fixes for each flaw found.
Maybe efforts, from both sides (aka finding AND fixing) should continue even after this month is out.
Who knows, the speed at which the community can fix vulnerabilities might even convince Apple to create some sort of external developer group in which people can submit some sort of application, and then be given a channel to assist with these things in the future.
I think you may be on to something there. It seems a lot of Open Source folks like OS X. I think if Apple opened things up a bit, there would be some who would be willing to donate their time making OS X better. Similar to what they do for Linux and other OSS projects.
I think you may be on to something there. It seems a lot of Open Source folks like OS X.
But they like it for the Unix part, or for the fact that you can port a lot of free stuff to it. It’s interesting though, there is the “FLOSS” domain and the “Unix” domain and a part where those two overlap. Unix lovers think OS X is all right for being Unix, but FLOSS lovers think it sucks for being closed.
I think if Apple opened things up a bit, there would be some who would be willing to donate their time making OS X better.
The problem is that “opening things up a bit” doesn’t exist. The underlying BSD layer is not very interesting as compared to other BSD operating systems, so they’d have to open up a lot more than that too. Apple will never take that (in their eyes) risk.
I don’t know, I’m a FLOSS lover and I think OS X is exactly what a commercial OS should be.
I also think if Apple created a program for OSS developers who would like to help out, they could have them sign an NDA prior to joining and then grant them early access to builds and accept fixes from them without too much risk.
Of course, I probably wouldn’t be willing to sign an NDA, so perhaps you are right on that score.
I still don’t understand how on Earth this guy can consider a bug in VLC to be an “Apple bug.” Surely there have got to be plenty more real bugs in Apple’s software, so that he doesn’t have to resort to things like this on only the second day?
“””I still don’t understand how on Earth this guy can consider a bug in VLC to be an “Apple bug.”””
Look at it this way. If, on day one, they are already reduced to citing bugs in third party apps, what does that say about the platform they are trying to discredit?
If I were a conspiracy theorist, which I’m not, I might suspect that they were actually Apple advocates trying to make OSX look good.
Who says they *are* trying to discredit the platform?
Do you know there were also similar months of the kernel bugs etc.?
“””Do you know there were also similar months of the kernel bugs etc.?”””
Yes, I have followed the whole sordid affair, and taken an equally dim view of their activities at each turn.
However, you are correct that discrediting platforms is not their primary goal. Publicity and self-promotion seem to be the motivating factors. The rest is just “collateral damage”, I suppose.
However, it does appear that Apple might come out looking pretty good.
Just to be clear, I’ve not owned an Apple since I sold my II+, and Apple is (obviously) not my platform of choice.
But irresponsible behavior is irresponsible behavior no matter who the current victim happens to be.
Edited 2007-01-04 02:30
from the FAQ:
“3 Are Apple products the only one target of this initiative?
Not at all, but they are the main focus. We’ll be looking over popular OS X applications as well.”
Well the month isn’t over yet;-)
Well, not that I totally disagree with you, but let’s look at it this way. VLC is a cross-platform app that runs on Windows, OSX, BSD, Linux and probably some other operating systems. VLC is not distributed by Apple, but did this vulnerability affect Linux? NO. Windows? NO. BSD? NO. Any other OS but OSX? NO. It would seem to me that if the same codebase has no issue on any other platform, you might want to look a bit deeper and see what is wrong with OSX that allowed this in the first place.
@fsckit
“but did this vulnerability affect Linux? NO. Windows? NO.”
Well at least Windows is also affected.
http://projects.info-pull.com/moab/MOAB-02-01-2007.html
Affected versions
This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version).
Nice catch. I was not aware that Windows was also affected, so I stand partially corrected. However, that’s still not the kind of company I would want to be in when making comparisons on security.
…the two “best and brightest minds” named Kevin Finisterre and LMH were patching the bug directly instead of this stupid f**king bugs release. But as I said, they are two “best and brightest minds” and they can’t do that…
Someone wants to be famous…
So far I’ve only seen 1 bug, and that was with Quicktime.
I did note these guys were saying they were looking for Apple bugs and 3rd party program bugs on OS X.
How is that fair? Like MikeGA said, a VLC bug shouldn’t really be classed as an Apple bug, unless it’s specifically a way OS X handles VLC, and even then it would need more info to determine that it is.
It’s good to see they are patching them quickly.
Has Microsoft come out with a patch for that MS Word vuln? Haven’t seen anything yet anyway.
I’d say it depends upon the context.
Apple bundles a lot of third party software with their operating system. I believe that that sort of thing is legitimate to report as an Apple bug, because it is part of what they are shipping as Mac OS X and it can be exploited.
But if you are talking about stuff that the end user has to install, that’s crazy. Any old Joe can write software for Mac OS X, and it can be filled with bugs due to shoddy work or inexperience. What does Apple have to do with that?
I used to think that this would be a useful exercise. But having VLC as the second bug leads me to believe that they are unwilling to do their homework (homework that they assigned to themselves) and are just looking for filler.
I agree you cannot call a third-party application an Apple issue when the application is not installed by default with the OS or even supported by the vendor. OS X has nothing to do with VLC aside from the fact that it can run on OS X. IMHO VLC should not count against Apple; someone is reaching, and this is not an Apple defense, the same would be true if it was Windows or Linux. Again, QuickTime I agree, VLC you’re reaching.
I get the feeling after mentioning VLC they’ll probably start writing their own buggy apps and tell everyone it’s Apple’s fault, only in order to keep the bugs coming in every day.
I can’t get it. Really.
There are folks out there who have fun spending their time to find bugs, security related ones, in software. They do it for free. They give enough information to locate the bug and fix it.
Others get paid for this! Talking about “fair” because they allowed themselves to also publish bugs in other software (in their sense “related”)? What’s the problem, oh my, how UNFAIR! Unbelievable, they just do this, Apple now needs to cry!
Sorry. Take it with, in German, “Sportsgeist”. That’s what the Apple guy is doing. Or ignore it. But stop this crap, just because you think it scratches on your favourite company’s image… (the image you have of it?)
You obviously missed the point, so let me help you. VLC is not installed by default, nor is it an Apple product, maintained, or supported by Apple; therefore it is a VLC issue, not Apple’s. When Oracle has a flaw you call Oracle. No one is whining; it is about the perception, and theirs is skewed with the VLC issue.
I didn’t miss the point. In my point of view, they just didn’t find a “real” Apple bug, so they at least wanted to push this “it at least runs on OS X” bug…
But that’s no reason to be pissed off. And if you read these comments, and the earlier news about this project, there are lots of people who feel pissed and whine about how unfair this is, and rubbish!
Sorry, I just wanted to say “grow up” to those people. Nobody attacked them, nobody even attacked Apple with publishing a lame VLC bug.
they are saving the best stuff for later?
This is the third, somebody owes me two bugs.
Obviously, bugs need to be addressed. As long as the information is given fairly responsibly, who cares? Get things fixed and let’s go on. I want to use my machine. If someone else wants to use it, let them buy it from me, rather than sending me a virus to take control of it.
The VLC bug was apparently confirmed with the Windows version too so that’s also a good thing for everyone.
I’m just glad that the platform is getting some unwanted attention so that my machine will be safer.
So tell me, since it is confirmed in the Windows version and is not produced by Apple, would that make it an Apple bug or a VLC bug? My thought is that it is a VLC bug, not Apple’s.
It is a VLC bug, but in their FAQ they said they would be looking at 3rd party stuff that RUNS on OSX as well.
As was mentioned, they’re looking at anything Mac OS X related.
The VLC bug has been patched in version 0.8.6a, that’s already available.
Whatever you think of publishing bugs, it already showed its beneficial nature. As of now, two out of three bugs have already been fixed and there is noise that some people are looking into (the one month old) bug #3.
Whether you like your computer OS manufacturer or not, you can’t deny that the project has already produced beneficial results for you.
My hat’s off to Mr. Fuller.
It’s a shame Apple let him go.
nda
The Apple fanboys are getting a little defensive about this whole thing. No one is trying to get away with calling a VLC bug an OSX bug. From the very beginning it was stated that the scope of this project was not limited to Apple’s products but included third party applications. Maybe you guys should wait until the month is over to get your panties in a bunch. We still have a long way to go and a lot of bugs to be exposed.
So why call it “Month of Apple Bugs” when as you say it isn’t just limited to Apple software, but 3rd party apps that run on OS X? What they’re doing is as daft as forming a “Month of Linux bugs” and counting MySQL and Apache bugs as “Linux” bugs.
What they’re doing is as daft as forming a “Month of Linux bugs” and counting MySQL and Apache bugs as “Linux” bugs.
Uhh, apache, mysql, firefox, insert_random_oss_app_here have been included in Linux security surveys countless times. The Linux users have for the most part learned to overlook it, and so should you.