Am I reading this wrong, or is the second exploit just a VLC exploit, and not even an Apple problem?
 
If these issues are disclosed publicly, then everyone knows about the security flaw, there would be no "highest bidder". Having been around bugtraq and the like for a long while, I understand the problem with vendors not getting back with the discloser after they took the time to inform them of the bug/hole (in some cases, people told vendors repeatedly about bugs and still had not heard from them for months on end).
If two people find the same bug/exploit, and one discloses it to the public, then the information does not become as profitable to the second. It also allows Apple or whoever to take steps toward squashing that bug. To think that XP has more/worse bugs than OSX is just crazy. Every OS has bugs/exploits/holes/whatever. But Windows is more often used and most likely to have its exploits found. I will be very interested to see what is found in OSX throughout January; even more interested in seeing how fast Apple reacts to them.

I will reply with the exact same thing I did to someone else's statement later in this thread.

Agreed, however who is to say they don't keep some information to themselves, and/or important details that make that information useful.

I do doubt that this is his/her intent, however I wouldn't rule it out for someone doing this type of work.
 
Guess they should have waited until next month. That way they may have been able to hit their one-a-day Apple bug target.

Now I just feel embarrassed for them...
 
No, you're reading this correctly and it has already been patched by the nice VLC people:

Read.
Nice to know this guy is providing a "fix" for every bug posted on MOAB. I'll just do this until I can get official updates for everything.

#2 is a VLC exploit? How is this an Apple bug? :confused:
Especially when:
- it's not an Apple-made application
- you have to download VLC voluntarily
- you have to view a udp:// stream
- the stream has to be malicious
- the hacker has to find some way to get people to view the bad stream for his exploit to take effect

I use VLC mostly for offline viewing of files QuickTime cannot handle. I think most people do not use VLC for random streaming media; more likely they would use their own LAN, or a trusted internet source. I understand that MOAB also involves Apple applications, but I have a feeling we'll see a few Apple bugs and a lot more bugs in non-Apple applications (probably open-source), that will be fixed almost immediately upon announcement.
 
I will reply with the exact same thing I did to someone else's statement later in this thread.

There is some sort of a "trade off" when disclosing bugs in either case.
You could tell the vendor, then release the bug, with all the details included, making some script kiddie very happy.
Same scenario, but without the details you might keep to yourself, script kiddies will be deterred, only temporarily. (they have information to point them in the right direction).
Or, in what you stated, they keep the important information to themselves, and leave the community with an idea of where to look for said exploit.
God Bless the honor system. :)

Also, if I misinterpreted your post in any way, sorry in advance. :)
 
Actually I don't think it is too bad they do this.

They raise awareness and will hopefully make Apple and its users think.

They should be given a copy of Leopard early ;)
 
It is day 7; what other bugs have there been? I thought this was supposed to raise awareness.
 
It is day 7; what other bugs have there been? I thought this was supposed to raise awareness.

I suppose you have to look at their website.

It looks as though they're still finding things, but they're not really being fixed.

Number 3 is the MySpace-reported bug.

As far as I know, numbers 4 and 5 were previously reported.

Number 6 was fixed by upgrading to Acrobat Reader version 8, but Preview still has the problem.

Number 7 affects OmniWeb, but apparently not Shiira or Safari, which seems odd since they're using the same JavaScript engine.
 
Number 7 affects OmniWeb, but apparently not Shiira or Safari, which seems odd since they're using the same JavaScript engine.

Wouldn't that make it an OmniWeb problem?

I love this. The Month of Apple bugs has pretty much fallen off the radar of all the media. Two of these "Apple Bugs" have nothing to do with Apple itself. Didn't the VLC exploit work on Windows too? The author is using the loosest definition of "Apple" bugs in existence, any bug that works on the MacOS counts.
 
Wouldn't that make it an OmniWeb problem?

I love this. The Month of Apple bugs has pretty much fallen off the radar of all the media. Two of these "Apple Bugs" have nothing to do with Apple itself. Didn't the VLC exploit work on Windows too? The author is using the loosest definition of "Apple" bugs in existence, any bug that works on the MacOS counts.

I was on the verge of disagreeing with you, and pointing out that on the surface it doesn't matter where the bug is, as long as it can affect an OSX machine.

However I remembered the "spirit" of the original idea, to help improve OSX security. And the only reason anyone could use to defend the blatant public nature of letting Apple know about the bugs at the same time as anyone wanting to exploit them was just that, that it was Apple.

However if we are now publicly pointing out exploitable flaws in FREEWARE programs, that is just wrong. The fact that the freeware is a widely used program doesn't make it any morally better, it makes it worse. I'm sitting here working on a BS in Computer Science, and the idea that one of my freeware programs, no matter how popular, could one day have its exploits publicly displayed for the world to see WITHOUT informing me first, boils my blood. To make matters worse there is a chance that I may never hear about such exploits and thus get around to fixing them either quite late, or never.

I like this guy less and less...
 
Wouldn't that make it an OmniWeb problem?

I love this. The Month of Apple bugs has pretty much fallen off the radar of all the media. Two of these "Apple Bugs" have nothing to do with Apple itself. Didn't the VLC exploit work on Windows too? The author is using the loosest definition of "Apple" bugs in existence, any bug that works on the MacOS counts.

It was corrected by OmniGroup with version 5.5.2 of OmniWeb.

Also, the PDF bug apparently has a fix, but I'm waiting for Apple to officially patch it.
 
Either way, you can bet the media and CNet will have a field day announcing how Mac OSX isn't "quite secure as some people might think" (watch for that direct quote). I know I will have to spend at least an hour on the phone with my Dad who just bought a new 20" iMac because he was sick of viruses and spyware on his 2 year old Windows machine, which had replaced a 1 year old Windows machine - now that is longevity ;)

Perhaps your first order of action should be to educate your dad on how to use a computer? My dad has had a WinXP machine for several years without major problems. I remind him to have up-to-date virus and firewall software, and that's about it.
 
Perhaps your first order of action should be to educate your dad on how to use a computer? My dad has had a WinXP machine for several years without major problems. I remind him to have up-to-date virus and firewall software, and that's about it.

I agree. I don't think it takes much effort to make any computer last. My dad is using an eight year old Windows 2000 computer, albeit a workstation. He wants a new one but the current one does do the job.

I was on the verge of disagreeing with you, and pointing out that on the surface it doesn't matter where the bug is, as long as it can affect an OSX machine.

However I remembered the "spirit" of the original idea, to help improve OSX security. And the only reason anyone could use to defend the blatant public nature of letting Apple know about the bugs at the same time as anyone wanting to exploit them was just that, that it was Apple.

I think the dropping of the ball on the unspoken agreement is partly Apple's fault. Apple is known to have ignored a notification of a problem for months until a whistleblower threatens to release the exploit, then they finally get their act together. It is even worse than that at the moment; it's been a month since the MySpace HREF/javascript worm was publicized and I still haven't seen any mention that Apple has fixed it in any manner.

The last seven days appear to be Apple specific problems.
 
Adobe patched Acrobat Reader 7 to version 7.0.9 so now, it's just Preview with the problem.

Have you ever seen Adobe work that fast? I haven't, and they're making Apple look sloppy.
 
Adobe patched Acrobat Reader 7 to version 7.0.9 so now, it's just Preview with the problem.

Have you ever seen Adobe work that fast? I haven't, and they're making Apple look sloppy.

Apple has never been really fast fixing stuff.

Considering the bugs that are already on that page I sure hope that Apple gives us a fix soon.
 
-Diatribe

This is the one problem I have with MoAB. They aren't giving Apple the opportunity to fix stuff.

IMHO it is disingenuousness at its most blatant, childish at least, irresponsible at best, and criminal at its worst.
 
Apple has never been really fast fixing stuff.

Considering the bugs that are already on that page I sure hope that Apple gives us a fix soon.

They're so concerned about not looking vulnerable and putting everything into one batch that they're leaving us somewhat vulnerable.

Remember the huge number of changes they sent back to the KHTML people? That really messed with them. It's one thing to have policies and procedures but when it doesn't help the people using your products, something needs to change.

-Diatribe

This is the one problem I have with MoAB. They aren't giving Apple the opportunity to fix stuff.

IMHO it is disingenuousness at its most blatant, childish at least, irresponsible at best, and criminal at its worst.

It's a smack at the smugness of Apple's fanatics and that's not a bad thing. Too many times we've had people here go on about how their machines are impervious to attack.

Here's to bringing reality to the Macintosh platform again.
 