January 3, 2007 12:22 PM PST

Apple guru combats month of bugs

By Tom Espiner
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: QuickTime zero-day bug threatens Macs, PCs
January 2, 2007

A software engineer has vowed to quickly provide a patch for flaws in Apple Computer software that are set to be made public by researchers Kevin Finisterre and the pseudonymous LMH this month.

The vulnerability researchers' "Month of Apple Bugs" project, launched Monday, promises to announce a hole in Apple software on each day in January. However, a senior open-source developer with extensive experience working for the Mac maker says he is attempting to offer a fix for each flaw found.

Landon Fuller was an engineer in Apple's BSD Technology Group and is one of the principal architects of Darwin, an open-source, Unix-like operating system designed to work alone or as a core set of components for Mac OS X. He has already offered patches for the two vulnerabilities published by the Month of Apple Bugs project so far.

On Monday, the project published an advisory for a QuickTime vulnerability related to how media player software handles the Real Time Streaming Protocol, or RTSP. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.

Fuller published a fix on Tuesday for the QuickTime vulnerability that uses Application Enhancer, a piece of software designed to improve how applications behave when running on systems. "So, part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer," Fuller wrote on his blog. "If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out."

Also on Tuesday, Fuller published a fix for a second vulnerability found--a format string vulnerability in the open-source VLC media player that the project warns could be used by a remote attacker to execute arbitrary code. VLC published its fix soon after the vulnerability was reported to it by Kevin Finisterre.

Fuller called for assistance in developing patches for the flaws that have yet to be made public by the project and said he would start a mailing list if he gets enough interest.

"If you'd like to help with tomorrow's MOAB vulnerability please feel free to send me patches or other information. If there's enough interest, I'll fire up a mailing list," Fuller wrote in his blog.

Tom Espiner reported for ZDNet UK from London. CNET News.com's Joris Evers contributed to this report.

See more CNET content tagged:
Landon Fuller, vulnerability, VLC, Apple QuickTime, patch management

Latest tech news headlines

Ad trade group opposes Yahoo-Google search deal
Posted in News - Digital Media by Dawn Kawamoto

September 7, 2008 1:43 PM PDT
DemoFall preview: 10 to watch
Posted in Webware by Rafe Needleman

September 7, 2008 1:34 PM PDT
Creating a 'Facebook for spies'
Posted in News - Digital Media by Steven Musil

September 7, 2008 10:30 AM PDT

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

News - Business Tech
Chrome's JavaScript challenge to Silverlight
The advent of Google's Chrome browser, software pros say, should spur a big speedup for JavaScript, which would raise its standing against Microsoft's Silverlight technology.
Gallery
Photos: Top 10 reviews of the week
Here are CNET Reviews' 10 favorite items from the past week, including the TiVo HD XL, Sony Cyber-shot DSC-H50, and the Dish Network's newest digital TV converter box.
News - Apple
Apple watchers spot 'iPod Nano' pix, iTunes hints
The rumor mill has long been predicting a longer, leaner new version of the iPod Nano, and now it's conjuring up some pictures.
Coop's Corner
Chris Shipley 1, Internet lynch mob 0
Demo's impresario goes public with a tart and smartly written riposte to the shoot-from-the-lip crowd.
Video
Katie Couric reflects on first Webcast
The political conventions are over and so are CBS Evening News anchor Katie Couric's first series of Webcasts. CNET's Kara Tsuboi sat down with Couric on the final night of the Republican National Convention to discuss what she liked about Webcasting, some of her most memorable guests, and whether TV news will still be around by the next round of conventions.
News - Digital Media
Ad trade group opposes Yahoo-Google search deal
Association of National Advertisers announces it has sent a letter to the top antitrust chief for the U.S. Department of Justice, issuing its objections to the controversial Yahoo-Google search ad partnership.
Video
YouTube plays party politics
During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.
News - Gaming and Culture
Are Demo and TechCrunch50 fragmenting their audiences?
With both events scheduled to start Monday, many press, as well as venture capitalists and others are having to choose which one to attend.
News - Cutting Edge
Execs predict next Google-like tech
On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.
Gallery
Images: The art of 'Spore' prototypes
Will Wright and his Maxis team worked on dozens of prototypes to test the elements of their soon-to-be-released evolution game. Here's a sampling.
Webware
DemoFall preview: 10 to watch
If you can only watch 10 pitches from DemoFall, these would be good ones.
Green Tech
Duke Energy to invest in mini solar power plants
Can hundreds of rooftop solar panels collectively operate like a central power plant? Duke Energy launches $100 million distributed solar program to find out.