Software engineer vows to tackle Apple flaws

Powered by SC Magazine
 

A software engineer has vowed to provide solutions to the flaws in Apple's OS X operating system exposed as part of the Month of Apple Bugs project (MoAB).

The two security researchers behind the project, Kevin Finisterre and a former hacker known as LMH, aim to publicise bugs in Apple software throughout January and propose to produce working exploit code for any loopholes they find.

So far this month they have found two vulnerabilities in the software giant's operating system. But former Apple employee Landon Fuller has set up an unofficial scheme to fix the flaws.

The project has discovered a shortcoming in Apple's QuickTime Version 7.1.3 media player that could lead to a compromised system.

It also found a bug in VLC, a Mac version of the free video software made by VideoLAN, that can be exploited by hackers to take control of an affected system, according to an advisory on the MoAB site.

However, Fuller has already released patches for these two vulnerabilities.

"If I have time I will attempt to patch the other vulnerabilities, one a day, until the month is out," he said on his blog. "Part brain exercise, part public service, I have created a runtime fix for the first issue using Application Enhancer."

Fuller asked for help in fixing any other bugs soon to be published by the project. "Please feel free to send me patches or other information. If there is enough interest, I will fire up a mailing list," he said.

The project revealed a third vulnerability yesterday. However, the bug is not new: it is a different way of exploiting a known flaw in QuickTime, which hackers used to spread a worm on MySpace last month.

The vulnerability can be used in a cross-zone scripting attack, which could allow malicious users to remotely execute arbitrary code on the user's computer, said the researchers in a MoAB statement.

Apple has yet to release an official statement on the month-long project.

 
 
 