Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Month of Apple Fixes

kdawson posted more than 7 years ago | from the mister-fixit dept.

OS X 177

das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."

cancel ×

177 comments

Sorry! There are no comments related to the filter you selected.

Response from Kevin Finisterre, second bug (4, Interesting)

daveschroeder (516195) | more than 7 years ago | (#17435922)

Kevin Finisterre, security researcher, founder of Digital Munition [digitalmunition] , and co-presenter of the Month of Apple Bugs [info-pull.com] , has also responded on the SecurityFocus focus-apple list [securityfocus.com] to some of my concerns [securityfocus.com] , expanding on some of the motivations and reasoning behing MOAB (followup [securityfocus.com] ).

Also, the second bug was just posted a few minutes ago: a udp:// URI handling vulnerability in VLC Media Player [info-pull.com] that affects both the Mac OS X and Windows versions of VLC Media Player. While not exactly what I'd call an "Apple bug" (yes, yes, I know the FAQ says they're also looking at "popular applications" that run on Mac OS X as well), it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X...

In any event, Apple's immediate technical response and longer-term strategic response to MOAB should be interesting.

(Disclaimer: I am the story submitter.)

Re:Response from Kevin Finisterre, second bug (4, Funny)

0racle (667029) | more than 7 years ago | (#17436054)

Month of apple bugs over in one Bug? They had to go to an application already? Also, who would have known, an application writer that makes a mistake on one platform might make that same mistake on another.

Re:Response from Kevin Finisterre, second bug (0)

cswiger2005 (905744) | more than 7 years ago | (#17436160)

Well, a lot of people do have Quicktime installed and configured as an automatic content handler when surfing-- and this includes not just Mac users but Windows users of QT as well. The shellcode or malware would be different for each platform, but the underlying bug is the same.

Re:Response from Kevin Finisterre, second bug (4, Informative)

0racle (667029) | more than 7 years ago | (#17436290)

VLC != Quicktime. On top of that Quicktime would be a valid target for the month of Apple Bugs as it ships as part of OS X and is created by Apple, VLC does not and is not. A bug in VLC is no more an apple bug then an SSH bug in PuTTY is a Windows bug.

Re:Response from Kevin Finisterre, second bug (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#17438248)

Call it what you want, ignore it if you want, defend [insert OS here] all you want, but the point is the same. If it runs on your system and you have it on your system, you ARE susceptible. You can rally around a specific group of people that all agree with each other and say, "Hey, it is not a [insert OS name here] problem so screw you!". Bottom line, it IS a problem. The excuse of "Well it affects [insert other OS here]" and stick your tongue out if that that makes you feel better. You do realize doing that does not make it go away or make it any less of a problem.

- My Ford caught on fire, but so did my neighbors Honda.
- My Firestone tires on my Ford exploded but so did the Firestone tires on my neighbors Honda.
- My Firestone tires on my Ford exploded because I never checked the tire pressure but so did the Firestone tires on my neighbors Honda and he never checked either.
- I drove my Ford with no oil and it died, but my neighbor with a Honda did the same.

Re:Response from Kevin Finisterre, second bug (1)

MicrosoftRepresentit (1002310) | more than 7 years ago | (#17436552)

To be fair, although the exploit uses VLC, it looks like the vulnerability is still in the way the OS handles strings, ie it is something Apple could fix. VLC may still crash, though.

Re:Response from Kevin Finisterre, second bug (1, Insightful)

Otter (3800) | more than 7 years ago | (#17436058)

Man, they're really scraping the bottom of the barrel, and it's only January 2nd! A string handling vulnerability in a cross-platform app I've never heard of? They should at least have been able to make it to the end of the BCS before resorting to filler like that.

Re:Response from Kevin Finisterre, second bug (3, Funny)

drinkypoo (153816) | more than 7 years ago | (#17436278)

On one hand you're right. On the other hand, if you've never heard of vlc, you've been living under a fucking rock.

Re:Response from Kevin Finisterre, second bug (4, Funny)

Otter (3800) | more than 7 years ago | (#17436380)

See, the point of switching back to Mac from Linux for recreational desktop use is that I just click on files and they play. If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.

Re:Response from Kevin Finisterre, second bug (1)

Inner_Child (946194) | more than 7 years ago | (#17436546)

If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.
You install VLC. All of that is handled, and this is why it's such a popular cross-platform media player - you just click on files and they play.

Re:Response from Kevin Finisterre, second bug (2, Insightful)

fishbot (301821) | more than 7 years ago | (#17436580)

WMVs played out of the box on your Mac? You didn't need Flip4Mac or anything else? How did you manage that, then?

Re:Response from Kevin Finisterre, second bug (1)

rdoger6424 (879843) | more than 6 years ago | (#17437858)

vlc. VLC can do it ootb (out of the box).

Re:Response from Kevin Finisterre, second bug (1)

delire (809063) | more than 7 years ago | (#17436758)

.. while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled..

Anyway, as on Linux and on OS X, if you install mplayer you'll still need to find external support to play WMV's. Just as on OS X, as on Linux, if you install VLC [videolan.org] you can click a WMV and it'll play.

Re:Response from Kevin Finisterre, second bug (1)

Otter (3800) | more than 7 years ago | (#17436868)

.. while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled..

Well, as the OP points out, they seem to have run out of Apple vulnerabilities after one day. So perhaps it would be more accurate to say "others are switching from OS X to Linux because they feel more comfortable about the transparency under which a security vulnerability was handled." Tell 'em to say hi to the 12-year-olds in #mplayer for me!

Re:Response from Kevin Finisterre, second bug (1)

Goaway (82658) | more than 6 years ago | (#17437888)

while others are switching from OS X to Linux because they feel more comfortable about the transparency under which security vulnerabilities are handled.

"Others"? There are two of you?

Re:Response from Kevin Finisterre, second bug (1)

drinkypoo (153816) | more than 7 years ago | (#17437002)

See, the point of switching back to Mac from Linux for recreational desktop use is that I just click on files and they play.

sure, unless you want to play them full screen when the author doesn't want you to - you actually have to pay for quicktime pro for that.

Or unless you want to play ogg vorbis or theora content, you'll need to install additional software.

Or unless you want to play any of these: FLV, Flash Screen Video, or AVIs with AAC, AC3, H.264, MPEG4, or VBR MP3 audio. Which is why there's Perian [perian.org] .

Or you could just install vlc and update it occasionally, since it seems to correctly play more media formats than any other player - and that definitely includes Apple's Quicktime.

If I wanted abuse for not being familiar with some media player minutia, I'd still be in #mplayer trying to figure out what to install to view a WMV.

vlc is the most popular video player amongst geeks for two reasons: one, it was the first player worth half a crap to work on linux; and two, it really is quite excellent. This is also why everyone but you knows what it is. Well, everyone who hasn't deluded themselves into thinking that Quicktime plays everything.

Re:Response from Kevin Finisterre, second bug (1)

Hes Nikke (237581) | more than 6 years ago | (#17437592)

i've found that Quicktime Pro + Flip4Mac + some divx dirivitive does give VLC a run for it's money on my mac mini attached to my TV, particularly from a UI point of view.*

now if i don't have the time to set everything up so that it purrs, i'll throw VLC onto a system.

*i'm sure front row will be just stellar with this setup, but i have a PPC in my mini, so apple said "wait 'till leapard... or install an older version of OS X and patch it." sometimes apple's idiotic policies (.mac, quicktime pro, front row being tied to hardware, etc) make so little sence that i sometimes wonder how meny switchers are getting pissed off and swtiching right back to dell....

Re:Response from Kevin Finisterre, second bug (1)

Goaway (82658) | more than 6 years ago | (#17437916)

Or you could just install vlc and update it occasionally, since it seems to correctly play more media formats than any other player - and that definitely includes Apple's Quicktime.

Mac users actually appreciate well-designed interfaces, so that's not really an option.

It's kind of sad when a program is beaten on interface design by mplayer, of all things.

Re:Response from Kevin Finisterre, second bug (1)

drinkypoo (153816) | more than 6 years ago | (#17437970)

Mac users actually appreciate well-designed interfaces, so that's not really an option.

If you don't like the interface that comes with vlc, pick another one [videolan.org] . Incidentally I've found quicktime to be one of the most annoying fucking apps ever. The wanky little pull-outs that slide out unnecessarily are just stupid. I guess "pretty" is what stands in for "well designed" in apple-land these days.

Re:Response from Kevin Finisterre, second bug (1)

Ash-Fox (726320) | more than 6 years ago | (#17437552)

I'd still be in #mplayer trying to figure out what to install to view a WMV.
ffmpeg supports WMV9 already... What would you need to figure out in mplayer? It should work just fine.

Re:Response from Kevin Finisterre, second bug (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17436138)

I just heard this and I don't understand this. Kevin Finisterre can't be serious about this. It's supposed to be Apple, right? Everyone can be up in arms because Michael Richards or Mel Gibson call someone something racially motivated and then when other people do something like this it's just fine. I guess it wasn't true what they said about OS X. I'm mixed but I have a light complexion so no one really called me that, but plenty of my cousins were called that. Black girls often called them that for being friends with white people and I always thought that was completely ridiculous but it was also meant to be an insult just the way anyone would use any other racial slur. But this will be a drop in the bucket because black people can say whatever they want. In my entire life the only people who have ever been "racist" toward me were black people. No one acknowledges how racist black people can be. It's like they get a free pass.

It's not even shipped by default ! (4, Insightful)

Space cowboy (13680) | more than 7 years ago | (#17436554)

So

[simon:~] simon% vlc
tcsh: vlc: Command not found.
[simon:~] simon% perl VLCMediaSlayer-x86.pl
jump address is: 0x41424344
writing to file: pwnage.m3u
[simon:~] simon% open pwnage.m3u
[simon:~] simon% (opens iTunes)

the application for this second bug is not even shipped on Mac's by default! Meaning that this completely 3rd-party software, if installed onto a Mac, can cause problems with the Mac. And this is Apple's problem how, exactly ?

Simon

Re:It's not even shipped by default ! (0)

jafac (1449) | more than 7 years ago | (#17437480)

It's not shippped on Macs by default - but, by the virtue of it being the ONLY way to play some popular video formats on Macintosh, I'd say it may as well be installed by default.

Does every Mac get VLC installed on it by a user who's sick of downloading videos that won't play? Probably not. But it's still a compelling reason to have VLC.

I give Apple partial blame here, for not more vigorously pursuing codecs (or formats, or wrappers, or packages, or whatever technical jargon is used as an excuse) for Quicktime, and not more vigorously promoting wider use of non-assinine codecs among video content providers on the web. I'm not sure what they can do - but apparently, Microsoft has got to be doing something to encourage the use of these video formats that only play in Windows, or VLC.

Sorry, but that's bogus (4, Insightful)

Space cowboy (13680) | more than 6 years ago | (#17437730)

I was going to use a stronger word, but my New Years resolution is still (diminishingly) in effect...

If Apple don't supply a piece of software, it is *not* their fault that there can be subsequent problems using that piece of software, it's the program-author's fault. Obviously vlc isn't completely necessary (otherwise I would have it installed, I install a fair amount of linux-related s/w). I do have windows-media player and realmedia player installed...

To say that just because Apple don't supply a particular feature (viewing movies that require codec XXX), it's Apple's problem when you install 3rd-party software that does is just ... wrong. I can't think how you could think that. It's hard to construct an argument when your starting premise is just nonsense.

By the same logic, it's Apple's fault that:

  - I can't run my FPGA-mapping software on my Mac Pro, because Xilinx don't support the Mac. Apple ought to do something.
  - I can't run any game I want on the Mac. Curse those game-producing companies, oh no, wait, it's Apple's fault.
  - My Mac doesn't make toast! How simple is making toast? Apple ought to pull their finger out!
  - ad nauseum.

Install 3rd-party software, have problems with that software, blame the software author. Don't blame the machine manufacturer / operating-system provider.

Moan like buggery (*) (hmm, unfortunate turn of phrase :-) that QT doesn't support the codecs that you want, but it's not Apple's fault that other 3rd-party codecs have bugs in. Yes, I'm a Mac fan, but not a fanboy - I completely agree with bug #1, but this is just completely ... bogus.

Simon

(*) "Moan like buggery" isn't really rude where I come from, oddly enough...

Re:Response from Kevin Finisterre, second bug (1)

fishbot (301821) | more than 7 years ago | (#17436672)

"it is interesting to note that vulnerabilities in cross platform applications may transfer more easily to the Intel-based Macs running Mac OS X..."

You appear to have completely missed the phrase "Both x86 and PowerPC versions are provided." in the reproduction steps section. The problem is that, like many people these days, you see an apparent coincidence (that both use the same architecture, even though it's a false observation) and assume causality. If you write code with a buffer overflow and compile it for x86, PPC, ARM, MIPS and your toaster, the code will still have a buffer overflow on all of them.

What I'm saying is that the architecture doesn't magically make a bug appear in a system just because it is similar to another system. The vulnerability didn't "transfer" to OS X, it simply exists in the OS X version, just like it does in the other versions. Note that only the Mac and Windows version are confirmed, but it could just as easily exist in others.

Second bug fix already in progress... (4, Informative)

daveschroeder (516195) | more than 7 years ago | (#17436730)

See here [videolan.org] for details.

Typical "open source" security (0)

Anonymous Coward | more than 7 years ago | (#17436930)

This should be a darling situation for the Lunix/OSX love-fest community.

Someone points out all the ways their OS can easily get h@xxor3d, and someone not affiliated with the official product has to fix it.

So in other words, Lunix and Apple get a free ride concerning their lack of security... while every obsure, situational, irrelevant problem with Windows is celebrated like a holiday here.

w00t! Three Cheers for "Security Through Obscurity"!!!

Re:Typical "open source" security (1)

Blikkie (569039) | more than 7 years ago | (#17437416)

I'd rather say that it is rather typical of open source security that there is a source to fix to begin with. While there is a lot uf closed code in Apple software, this one was apparently quite easily fixable by a Darwin developer. Actually the last few big windows scares had a third party fix before the official fix as well, because some people took the trouble to hack the windows bugs.

THEY FOUND A CURE FOR AIDS?!?!?!?!?! (1)

CmdrTaco (troll) (578383) | more than 7 years ago | (#17435936)

Cool.

Thanks. (1, Insightful)

easter1916 (452058) | more than 7 years ago | (#17435952)

Thank you, Landon.

Re:Thanks. (1)

Tragek (772040) | more than 7 years ago | (#17435978)

Three Cheers for Landon Fuller! As a technical question, does anyone know how efficient using Application enhancer is? I tried Shapeshifter, and found performance lacking. Was that specific to ShapeShifter, or is it a general problem with application enhancer extentions?

Re:Thanks. (1)

inca34 (954872) | more than 7 years ago | (#17436008)

Completely OT, but it seems the APE framework is cool but its modules may lack. =\

I have a patch for the second bug... (-1, Troll)

inca34 (954872) | more than 7 years ago | (#17435984)

The pretty version, compliments of jasonc from #od:
find / -iname "vlc" | xargs rm -rf

so? (0)

Anonymous Coward | more than 7 years ago | (#17435994)

These bugs are not exploitable obviously right? Otherwise we'd be seeing mad mac oriented spyware.
It's simply not possible to make spyware for macs.

Re:so? (1)

megaditto (982598) | more than 7 years ago | (#17436306)

They are exploitable if you make the target visit a webpage you scripted that contains the exploits. Which is not that hard if you send a link in a personal message to someone who knows you (a virus could harvest email addresses/names from your computer and it will look like coming from you): "Hey Bob, our office party pictures are online here. Love, Jane"

As I understand it, the Quicktime bug of yesterday is particularly bad since it will load automatically without asking if you wish to run it first.

Re:so? (1)

cswiger2005 (905744) | more than 7 years ago | (#17436418)

Yes, that's exactly right.

It's not as dangerous as a bug which requires no interaction whatsoever, but it's common enough for people to boink on random links that the risk level of that exploit could be fairly high. It will be interesting to see whether malicious exploits appear widely for any of these Mac bugs, and how quickly they spread if so...

rushed fixes, and untested at that (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17436004)

So some third party is going to try to rush out daily fixes? How much testing is done on these fixes, none? And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

And this is being done all to save Apple's rep, so Apple fanboys can say, "ALREADY FIXED!!!"?
I'll wait for the real fixes than deploy some untested hack that some kook cooked up in his basement without having the first clue as to the wider impact of his "fix". 10 to 1, the "fix" will be worse than the bug. Hell, it might even be an exploit itself.

Re:rushed fixes, and untested at that (2, Insightful)

inca34 (954872) | more than 7 years ago | (#17436046)

You're suffering from some serious RTFA syndrome. By doing the patch the way he did you change NO SYSTEM FILES.

Re:rushed fixes, and untested at that (0)

Anonymous Coward | more than 7 years ago | (#17436064)

I guess you missed the "download the source" link. Moron.

Re:rushed fixes, and untested at that (5, Informative)

daveschroeder (516195) | more than 7 years ago | (#17436094)

All this is a little fun exercise and a public service, if you will. Also, anyone can examine the code.

How do you uninstall these quick fixes? Simple. They'll almost all invariably be runtime fixes with Application Enhancer (APE) [unsanity.com] . APE modules are just self-contained directories; nothing more. They can be unloaded on demand, and APE itself can be easily installed, uninstalled, disabled, and modules can be loaded and unloaded at will.

Also, Landon Fuller is anything but an "Apple fanboy", or in any way remotely interested in "saving Apple's rep". The idea is to look at the bugs, and see if a quick technical solution or remediation can be provided. No one has to install them. Since the code is available, anyone can see what's being done, including the rest of the community. If one wishes to wait for Apple's official patches, fine.

Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising. If you're actually interested, I've summed up my thoughts on this here [securityfocus.com] .

Re:rushed fixes, and untested at that (0)

chochos (700687) | more than 7 years ago | (#17437240)

I'm sorry but the APE is not easy to uninstall at all. And it causes a lot of trouble; I once used x-shade or whatever its name was and it installed APE; after some time I started having some problems with the machine being slow and some other stuff, I looked for solutions and a lot of people were posting about how APE causes many problems. I uninstalled it by following the directions in the forums (which include removing files buried deep in some directory) and my problem was fixed. Why would the solutions require using a third-party application such as APE? QuickTime can be fixed by Apple and they can issue a security update; VLC is open source and it would only require downloading a newer version. I really hope APE is not necessary for any fixes (except for fixing the unsanity stuff, which I stay away from).

Re:rushed fixes, and untested at that (3, Informative)

daveschroeder (516195) | more than 7 years ago | (#17437340)

Ugh. :-(

APE isn't going to be necessary for ANY fixes from Apple. Apple will release their fixes in due course, and they'll be like all their previous fixes have been: normal updates to the OS that come down via Software Update, etc.

But since we can't directly fix Apple's code, this is a little technical exercise that fixes them with runtime patches. One very easy way to do runtime patches and code injection such as this is to use APE.

Also, APE is *very* easy to uninstall. It has its own uninstaller right in the installer, which will, categorically and definitely, uninstall every single last thing that has anything to do with APE.

Also, there is nothing wrong with APE, and here is a very detailed explanation of exactly what APE is and what it does [unsanity.org] .

All this project is is just that: a project. The community is welcome to inspect all of the source code, and anyone is free to use these runtime patches. Yes, QuickTime, and VLC, and everything else that will be covered in MOAB will be fixed by Apple and the various applicable vendors/developers. That is not at all the point of providing on-demand runtime fixes each day, and you have apparently totally missed the point of this projects, and the post you responded to where I pretty concisely explain it.

Re:rushed fixes, and untested at that (0)

Anonymous Coward | more than 6 years ago | (#17437600)

Aside from all of this, of course Mac OS X, like any other operating system or large software project, has bugs. Some of these bugs will enable vulnerabilities that can be exploited. I fail to see how any of this is surprising.

This attitude is why we'll continue to see more and more security vulnerabilities (from all vendors). Which become more and more dangerous as our society's dependencies on software become deeper.

You've basically reached the conclusion that there's no reason for vendors to even try. Because it's "okay" to screw up and ship security holes, and some "responsible security researcher" will be nice, and do the vendor's work for free, and "responsibly disclose" the vendor's mistake.

I'll stick to my personal prediction: only legislation will cure this disease and teach people that software security is important, and training programmers is important, and paying for secure software is important. This legislation would be awful and might even destroy open source software, but I'm tired of the endless stream of security holes. I'm tired of downloading popular open-source apps and finding security holes just by scrolling through the code (no I don't report them. I fix them in my clients' copies.)

Can you imagine a parallel universe where arrogant doctors, or bridge designers, or any other profession, routinely say things like "most patients die" .. "most bridges randomly fall down" .. "most stock trades are off by 2-3 cents"?

I don't believe that all software contains an endless stream of security holes. I believe that all these idiotic off-by-one or buffer overflow errors can be tested for and avoided. If an independent individual can discover these bugs, so can Apple, "at the factory". Software isn't a physical process, it's just a bunch of ones and zeros going in and out. It should be possible to make sure no sequence of bytes will cause a security breach.

Re:rushed fixes, and untested at that (5, Informative)

landonf (905751) | more than 7 years ago | (#17436120)

So some third party is going to try to rush out daily fixes?

If I have time, or if people help me.

How much testing is done on these fixes, none?

I tested thoroughly on Intel and PowerPC Macs. I wouldn't release a fix to the world without being fairly certain that it works correctly. You're welcome to review the code for the first fix -- it's about 10 lines. I'd be happy to explain the various entry points for you, too. We're using these fixes on all our Macs here at Three Rings Design.

Alternatively, you can not use the patch. I won't mind.

And how do you uninstall these quick fix hacks when Apple releases the legit fixes?

You open the Application Enhancer pref pane and hit the "-" (minus) button.

Thanks Landon! (1)

5plicer (886415) | more than 6 years ago | (#17437972)

I really appreciate what you're doing.

Stay tuned.... (1, Funny)

Anonymous Coward | more than 7 years ago | (#17436024)

for a Month of I Don't Care.

Nothing to see here. Move along. (3, Funny)

PurifyYourMind (776223) | more than 7 years ago | (#17436040)

Apple products don't have bugs. They have worms.

Re:Nothing to see here. Move along. (1)

Anarchitect_in_oz (771448) | more than 7 years ago | (#17436200)

What about fruit fly?
It's done a lot of damage to Apple crops near my house.

Can they fix (-1, Flamebait)

Piroca (900659) | more than 7 years ago | (#17436042)


The stupid anti-aliased font rendering in OS X?

Re:Can they fix (1)

quis (737516) | more than 7 years ago | (#17436416)

Why is it "stupid", just out of curiosity?

Re:Can they fix (1)

Weston O'Reilly (1008937) | more than 7 years ago | (#17436762)

I think the poster is referring to a bug/quirk that will sometimes render a line of text with a slightly bolder appearance than other lines on the screen. Scrolling or highlighting and unhighlighting will usually make it redraw properly. It is irritating and has been around for awhile, at least since I started using Tiger.

Re:Can they fix (0)

Anonymous Coward | more than 7 years ago | (#17437144)

I don't know about the grandparent, but I think it makes the text really blurry and fuzzy, to the point where it's harder to read than decently-rendered aliased fonts, even on the lowest setting. It's a bit frustrating for me; I can finally afford an LCD, and now every OS (not just OS X) wants to make everything blurrier than the worn-out CRT I'm replacing. Looking at an OS X, Vista, or recent Linux screenshot makes me think I need glasses; everything looks slightly out of focus.

I understand that a lot of people seem to like text anti-aliasing, I just don't, and wish I could just shut it off. Unfortunately, with more and more OSes and applications, it seems I can't.

Re:Can they fix (1)

Piroca (900659) | more than 7 years ago | (#17437430)


Maybe we should do some kind of lobby to push for no anti-aliasing in Leopard. Nowadays I have to use windows over Parallels just to use Firefox and Eclipse. At least in windows I have the option to turn anti-aliasing off...

Re:Can they fix (1)

Rosyna (80334) | more than 7 years ago | (#17437358)

Well, there is Silk [unsanity.com] which allows you to turn off antialiasing. Sure, everything looks like crap with corn in it... but at least it's not "blurry".

Re:Can they fix (1)

Piroca (900659) | more than 7 years ago | (#17437458)


You could use TinkerTool too. But it won't solve the problem, OS X doesn't allow you to change the default font used everywhere (Lucida Grande) and that font looks terrible in the user interfaces when not aliased. Besides, a lot of applications just seem to think that anti-aliasing is the rule and do whatever they want.

Re:Can they fix (1)

Rosyna (80334) | more than 6 years ago | (#17438064)

OS X doesn't allow you to change the default font used everywhere (Lucida Grande) and that font looks terrible in the user interfaces when not aliased.

Perhaps OS X doesn't, but Silk does. That was kinda my point, just kinda.

Re:Can they fix (1)

Piroca (900659) | more than 6 years ago | (#17438232)


TinkerTool supposedly allows it too. It's just that OS X doesn't respect settings for the "core" fonts as it should.

Depressing (0, Offtopic)

geekmansworld (950281) | more than 7 years ago | (#17436084)

The immaturity of the tech community is quite disappointing.

Re:Depressing (0)

Anonymous Coward | more than 7 years ago | (#17437486)

Yes, if only vendors didn't make security researches sign non-disclosure agreements.

Stop the presses (2, Funny)

Swimport (1034164) | more than 7 years ago | (#17436086)

The acronym MOAB has already been taken http://en.wikipedia.org/wiki/Massive_Ordnance_Air_ Blast_bomb [wikipedia.org]
To prevent confusion I propose it should be Apple Month of the Bugs. AMOB

Actually... (3, Funny)

aardwolf64 (160070) | more than 7 years ago | (#17436198)

Sorry... that acronym is already taken:
AMOB Anna Maria Oyster Bar (Bradenton, FL)
AMOB Automatic Meteorological Oceanographic Buoy

You should try an acronym that is totally original, like:
Exploits & bugS from aPple moNth

Re:Actually... (1)

blugu64 (633729) | more than 7 years ago | (#17436330)

hey now ESPN is already taken, just put a 2 after it so we know it's the second one ;)

Re:Stop the presses (4, Funny)

UnknowingFool (672806) | more than 7 years ago | (#17436358)

I thought the military renamed the MOAB to BFB2000.[ducks}

Re:Stop the presses (1)

Swimport (1034164) | more than 7 years ago | (#17436636)

Do you mean the BFG9000 (Big Fucking Gun) from doom? http://www.doomworld.com/pageofdoom/weapons.html [doomworld.com]

Re:Stop the presses (1)

Moofie (22272) | more than 7 years ago | (#17436852)

Um, no, probably not. But thanks for playing.

BFG is a gun.

BFB is a...wait for it...bomb.

Re:Stop the presses (1)

UnknowingFool (672806) | more than 7 years ago | (#17436864)

No. Big Fucking Bomb 2000. :)

Re:Stop the presses (1)

vistic (556838) | more than 6 years ago | (#17437968)

And, computer related, it's also the name of some cluster management software made by Cluster Resources [clusterresources.com] of Utah.

Install a fix not from Apple? Fat Chance (0)

aardwolf64 (160070) | more than 7 years ago | (#17436102)

I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple:
Steps to Recreate
1. Go to MOAB site, record exploit info
2. Create malicious version of exploit
3. Post to web as a "fix" and tell users to blindly install

Thanks, but I'd prefer to maintain ownership of my machine...

Re:Install a fix not from Apple? Fat Chance (0)

Anonymous Coward | more than 7 years ago | (#17436154)

You also missed the "download the source" link didn't you, doucheface?

Re:Install a fix not from Apple? Fat Chance (1)

daveschroeder (516195) | more than 7 years ago | (#17436186)

Uh...then look at the source code [bikemonkey.org] yourself.

Nothing is hidden, and Landon isn't trying to hide anything that's being done.

Also, these fixes are runtime fixes via APE [unsanity.com] modules. They only place they're "installed" is into APE, so they can all be easily removed/disabled at will (as can APE itself). There is nothing wrong with the principle of runtime patching, and this is really a technical exercise more than anything. But again, the code is all right there, and you can see exactly what is being done.

Re:Install a fix not from Apple? Fat Chance (1)

NineNine (235196) | more than 7 years ago | (#17436516)

Uh...then look at the source code yourself.

Worst possible response. Are you suggesting that all Apple users become professional software developers? My girlfriend has trouble getting iTunes to work correctly. I don't think that the source code would mean anything to her. And no, I would NEVER suggest installing any Apple fixes that are not directly from Apple. I wouldn't care if it was Linus Torvalds, himself that was posting fixes.

Re:Install a fix not from Apple? Fat Chance (1)

Overly Critical Guy (663429) | more than 7 years ago | (#17436910)

Worst possible response. Are you suggesting that all Apple users become professional software developers?

Talk about an exaggerated response. Nobody's telling your girlfriend to look at source code or become a professional software developer. Source code is available for those smart enough to understand it, and if anything bad is in it, the community would be warned.

Re:Install a fix not from Apple? Fat Chance (1)

NineNine (235196) | more than 7 years ago | (#17437308)

And will "the community" notify my GF about not installing this patch? No, it's NEVER a good idea to install non-official patches, unless you like trojans.

Re:Install a fix not from Apple? Fat Chance (1)

Rosyna (80334) | more than 7 years ago | (#17437420)

Sure it is, especially when the code is peer-reviewed and fixes a security problem that could theoretically invite malware.

It's just like not taking the polio vaccinations because you've heard they might cause HIV as a western plot [wikipedia.org] even though there's no evidence and no rational mind would think that. Sigh, I wish I was kidding about that.

Re:Install a fix not from Apple? Fat Chance (1)

inca34 (954872) | more than 7 years ago | (#17437422)

Will somebody please root this kid's so-called girlfriend already?

Re:Install a fix not from Apple? Fat Chance (2, Insightful)

inca34 (954872) | more than 7 years ago | (#17436196)

See above posts, maybe even RTFA... then RTFSC. All 10 lines of it. Cheers.

Re:Install a fix not from Apple? Fat Chance (0)

Anonymous Coward | more than 7 years ago | (#17436254)

If he can't read C++, what good does reading the source code do?

Re:Install a fix not from Apple? Fat Chance (1)

inca34 (954872) | more than 7 years ago | (#17436332)

I think it's within the breathing computer tech IQ's capability to google enough to understand 10 lines of straightforward code. Otherwise, ask someone you trust. Like your mechanic for cars, we have technicians for computers.

Re:Install a fix not from Apple? Fat Chance (5, Informative)

landonf (905751) | more than 7 years ago | (#17436528)

I don't care who this guy is... I'm not downloading "fixes" for my iMac from anyone but Apple

Absolutely -- but I'd still strongly suggest disabling the QuickTime RTSP component:

http://isc.sans.org/diary.php?storyid=1993

1. Go to MOAB site, record exploit info 2. Create malicious version of exploit 3. Post to web as a "fix" and tell users to blindly install

You forgot number 4:

4. Have my professional and personal reputation permanently sullied.

I'll pass! =) The code is up for review, but if you don't feel comfortable with my fix, you can disable the primary attack vector by following the directions from the SANS web site.

Its not unreasonable & Landon is contributing! (1)

IM Scary (747897) | more than 6 years ago | (#17438254)

If Apple would be as slow about the fix as MS was about the WMF fix, I might indeed install a patch from a 3rd party (as I chose to do for WMF).

There are pros and cons to third party patches (and you have identified a possible negative case), but there solid ways to validate the decision with the security community, even if you can't read the code yourself.

I think its really cool that Landon is spending his time writing counters and taking a decidedly positive action in this investigation.

Personally, I never heard of APE before this, and knowing something about that software is already a positive result for me, even if I only disable rtsp handler (which I have done).

PR for Vista launch (0, Interesting)

Anonymous Coward | more than 7 years ago | (#17436192)

Whats this guys motivation? He says specifically in his FAQ that he did not tell Apple of these problems, he just releasing it publicly.

Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn't pay off in the end.

So why do we have to wait an entire month to get to bug #31. Whats the motivation to keep bug #31 alive for 31 more days?

Also from the FAQ:


7. John Doe has written a 'post' in his blog, saying he debunks the XXX bug, what's that?

No worries. It's probably someone begging for attention or PR-brainwashed


Thats right, anybody who disagrees is psycho. Is that you George?

privsep? (2, Interesting)

emil (695) | more than 7 years ago | (#17436216)

I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

Is this feature in the works? I certainly hope so.

Re:privsep? (2, Insightful)

cswiger2005 (905744) | more than 7 years ago | (#17436344)

You could probably try doing this yourself:

chown unknown /Applications/Safari.app/Contents/MacOS/Safari
chmod u+s unknown /Applications/Safari.app/Contents/MacOS/Safari ...and you'll probably need to also change the following:

chown -R unknown ~/Library/Caches/Safari
chown -R unknown ~/Library/Safari

Re:privsep? (-1, Troll)

Anonymous Coward | more than 7 years ago | (#17436632)

pfft... like a Mac fanboy/mouse jockey would know what the hell you're talking about. I *still* don't know why there's a command line in OS X. Mac hipsters are too mentally challenged to use it.

Because it just creates a false sense of security. (2, Insightful)

argent (18001) | more than 6 years ago | (#17438044)

I realize that the idea is just catching on in IE and has not been implemented anywhere else, but why doesn't Safari setuid() the rendering engine to guest (or some other nonprivileged user)?

First, let me make one point clear. This is not "just catching on in IE", it has been used for running potentially exloitable applications in UNIX for decades. It's a last resort when applied to interactive programs... it's usually used with applications that are running unattended and providing services to the outside world... and the limitations of this kind of technique are abundantly clear. UNIX environments typically take this kind of thing several stages further, using chrooted environments and jails to really isolate the untrusted code from the rest of the system.

Second, Security is like sex, if you're penetrated you're fucked. Just because an exploit in IE can only have an effect on resources owned by a restricted user should not be considered a big deal. Why?

(1) Once you can run local native code, you're in a MUCH better position to devise a secondary exploit against a local privilege escalation vulnerability.

(2) Resources accessible to Internet Explorer include (of necessity) any security tokens (passwords, etcetera) used for access to online services, as well as anything else that you use the same tokens for... like, say, your local account.

I've repeatedly argued that the fact that the local user runs with lower privileges on Mac OS X than on Windows is not nearly as important as Mac fanatics make out. Well, the converse is true... this new hack Microsoft has come up with to avoid facing the security flaws in the design of IE isn't nearly as importantas Microsoft apologists make out.

Unabomber. (2, Informative)

CODiNE (27417) | more than 7 years ago | (#17436294)

Nice pic of the unabomber sketch on the release page... quite telling.

Month of Slashdot Dupes (0, Funny)

Anonymous Coward | more than 7 years ago | (#17436320)

On the same day as slashdot ran this article [slashdot.org] slashdot also ran this dupe, indicating that it's editing problems have still not been solved. When asked to comment, a slashdot spokesperson replied "My hovercraft is full of eels".

Re:Month of Slashdot Dupes (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17436514)

One is the month of bugs. The other is the moth of fixes, a response to the first and a different project by different people. You can at least correctly read the title of the article summary before declaring it a dupe. MOAB != MOAF.

Re:Month of Slashdot Dupes (1)

spectral (158121) | more than 7 years ago | (#17437108)

Yeah, you tell that MOFO.

I examined the source (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17436342)

I think I'll wait to apply Landon's fix until Preston, Spencer, and Chaz have had a chance to review it.

Seriously, who would give their kid some fag name list Landon?

Has anyone verified bug is exploitable yet? (5, Interesting)

SuperKendall (25149) | more than 7 years ago | (#17436370)

From the other thread, it appeared that no Mac owner posted saying that they had been able to replicate the results - the people that did post results said the quicktime file given crashed Quicktime, but did not run the payload target. Simply being able to crash an application is not the same as actually executing arbitrary code.

Re:Has anyone verified bug is exploitable yet? (2, Informative)

paimin (656338) | more than 7 years ago | (#17437038)

I tried the exploit on my Powerbook G4, and it did crash Quicktime, but no payload here as well.

MOAB (1)

Omeger (939765) | more than 7 years ago | (#17436378)

Also means = Mother of All Bombs. Hmm...

MOABs (1)

El_Smack (267329) | more than 7 years ago | (#17436538)

I bet they find the Mother Of All Bugs during the Month of Apple Bugs. Will S. Jobs have to take Management Of Aggressive Behavior classes so as not to snap under the strain? I sense the Mother Of All Battles coming from the Apple fanbase.
Microsoft Often Anticipates Bugs, but they have a "fix it after it shows itself" policy. Maybe Our Apple Boys will take security more seriously now.
May Omnipotent Allah Bless their efforts.

OS X -only fix ? (0)

Anonymous Coward | more than 7 years ago | (#17436846)

As I understand it, the QuickTime bug also affects Windows, but the runtime fix is Mac-only.

Teh weak MOAB... (1)

jpellino (202698) | more than 7 years ago | (#17436944)

So far it's 50% Apple Bugs.

No wonder this guy's hiding.

THIS is an Apple bug? (1)

skingers6894 (816110) | more than 7 years ago | (#17437214)

A VLC bug is an Apple Bug?

Well, if that qualifies maybe they should start looking into MS Office for Apple bugs......

Re:THIS is an Apple bug? (0)

Anonymous Coward | more than 6 years ago | (#17437528)

Yes, it is. Check VLC's source the string "pbclevtug (p) Nccyr Pbzchgre, Vap. Nyy Evtugf Erfreirq"

MOAB is BS (0)

Anonymous Coward | more than 6 years ago | (#17437640)

What, pray tell, is Apple supposed to do about A BUG IN VLC? Being able to run an application is by definition arbitrary code execution. What is Apple supposed to do to stop people from running arbitrary code (i.e., run applications)? How is Apple supposed to know what an application is supposed to do, v. what it is actually trying to do?

Why is this classified as an Apple bug when it affects VLC on Windows too?

This whole MOAB thing is lame, lame, lame.

Frist psOt (-1, Troll)

Anonymous Coward | more than 6 years ago | (#17438208)

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>