MoAB #3: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability

“The third instalment of the Month of Apple Bugs is less impressive than the first two, since it is apparently just a new way of exploiting a known vulnerability in QuickTime (as previously used by the MySpace XSS QuickTime worm),” Stephen Withers reports for iTWire.

Withers reports, “The disclosure page does not indicate whether the Mac OS X version of QuickTime is affected as well as the one for Windows, and the proof of concept appears to rely on other Windows vulnerabilities. Furthermore, the exploit is described as a ‘cross-zone scripting attack,’ which is a Windows concept.”

Full article here.

LMH’s MoAB #3 page here.

MacDailyNews Take: Month of Apple Bugs: In like a paraplegic kitten, out like a…

Related articles:
MoAB #2: VLC Media Player udp:// Format String Vulnerability – January 03, 2007
MoAB #1: Apple Quicktime RTSP URL Handling Buffer Overflow Vulnerability – January 02, 2007

25 Comments

  1. So far all of the supposed vulnerabilities have been so minute that I would hardly call them anything but future minor fixes. The second one didn’t even have anything to do with Apple as it was a bug in VLC player not Apple’s software.

    The whole thing is to get hits on this person’s website I’m sure. Because so far nothing even comes close as to something that anyone should even think of as a vulnerability.

    It’s a fricken charade if you ask me. I’m not impressed at all. And I know OSX is safe.

  2. Well, I guess it IS a month of “Apple” bugs, so since QuickTime is made by Apple and is some of the oldest and most convoluted code still being maintained by Apple (most still in Carbon), it would make sense that some of these have slipped through the cracks.

    From the FAQ
    “And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end.”

    This is the point of the entire exercise. Apple doesn’t bend over backwards for their finding an exploit with an improbable vector (while they’re actually working on fixing more likely scenarios reported by responsible researchers) and they’re tired of getting sand kicked in their faces by the researchers who get their names tied to advisories given by Apple. Left with nothing to be proud of, they go to the public to say that “AAAHHH! DANGER!!! Retail water bottles when refilled contain bacteria!!!” to rile them when people in-the-know will tell you “yeah, but the bacteria you find are the bacteria that are ALREADY IN YOUR MOUTH! You PUT them there when you drank from it!”

  3. I’d like to see this dude run out of bugs halfway through the month and then come out and make a statement about how secure OS X is. But, won’t happen. He’s looking for publicity.

    And maybe a new job.

  4. “For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users… In contrast, Internet Explorer’s closest competitor in terms of market share — Mozilla’s Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.”

    Via slashdot http://it.slashdot.org/it/07/01/04/162238.shtml

  5. Bugs, bugs, bugs, bugs. What a mess (not), but on the other hand we’re all still waiting breathlessly for that FIRST self-replicating virus. These guys should be focusing on what’s important. Instead they want to be idiots.

  6. Have you noticed that three of the bugs require a “working Ruby interpreter” and the other requires a “working Perl interpreter”?

    That’s probably why so many Mac users are not getting these so-called exploits to work. They don’t have Ruby and Perl installed.
