MoAB #2: VLC Media Player udp:// Format String Vulnerability

The “Month of Apple Bugs” (MoAB) continues:

LMH writes, “The following description of the software is provided by vendor (VideoLAN):”

VideoLAN is a software project, which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player. The VLC media player is a highly portable multimedia player for various audio and video formats (MPEG1, MPEG2, MPEG4, DivX, mp3, ogg, …) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.

LMH writes, “A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.”

LMH writes, “This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version).”
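The bug class LMH describes, shown as an added illustration that is not from the advisory and not VLC's code: a printf-style logging routine receives the remote-supplied udp:// URL as its format string instead of as an argument. The names (`log_msg`, `open_url_*`), the logging pattern and the sample URL are assumptions made for this example. The vulnerable and fixed versions sit side by side, and a small helper counts the conversion directives an attacker would get interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustrative printf-style sink standing in for a media player's logging
 * routine. Name and calling convention are assumptions for this example;
 * this is not VLC's code.
 */
static int log_msg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern: the URL supplied by the remote side becomes the
 * format string itself, so every '%' directive in it is interpreted. */
static int open_url_vulnerable(const char *url, char *out, size_t n)
{
    return log_msg(out, n, url);            /* BUG: non-constant format */
}

/* Fixed pattern: constant format, untrusted data passed as an argument. */
static int open_url_fixed(const char *url, char *out, size_t n)
{
    return log_msg(out, n, "%s", url);
}

/* Count conversion directives that a format function would act on.
 * "%%" is a literal percent sign and is not counted. Handy as a quick
 * triage check on a suspicious URL or captured request. */
static int count_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* escaped percent, skip both */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample URL. "%%" is used deliberately: it shows the
     * vulnerable path interpreting the format without invoking undefined
     * behaviour (no directive that consumes a missing argument). */
    const char *crafted = "udp://239.1.2.3:1234/%%";
    char out[64];

    open_url_vulnerable(crafted, out, sizeof out);
    printf("vulnerable: %s\n", out);    /* udp://239.1.2.3:1234/%  */
    open_url_fixed(crafted, out, sizeof out);
    printf("fixed:      %s\n", out);    /* udp://239.1.2.3:1234/%% */

    printf("directives in \"udp://h/%%n%%n%%n\": %d\n",
           count_directives("udp://h/%n%n%n"));   /* 3 */
    return 0;
}
```

In the vulnerable path the `%%` collapses to a single `%`, proof that the URL was parsed as a format; with `%n` or `%x` in its place the same call would write to or read from the stack, which is the arbitrary-code-execution condition the advisory refers to. Declaring `log_msg` with `__attribute__((format(printf, 3, 4)))` and compiling with `-Wformat -Wformat-security` makes GCC and Clang flag the non-constant format at build time.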

Full article here.

VideoLAN plans an update to VLC soon: “Updated binaries for Windows and MacOS X are not available yet. The VideoLAN project apologizes for any user inconvenience; as a volunteer activity, we cannot keep up with a zero-day security vulnerability disclosure.” More info: http://www.videolan.org/sa0701.html

Already — on just the second day of his irresponsible odyssey — LMH* is forced to try to make a bug in VideoLAN’s VLC qualify as an “Apple bug.” Fool.

We have no problem with people identifying “bugs,” if they report them to Apple first so that they can be fixed. To simply post “bugs” online for everyone, including Apple (and, in this case, VideoLAN) to find out about simultaneously is irresponsible, contemptible, and smacks of a desperate cry for attention/FUD campaign.

Doing it the right way means finding the issue, reporting it to Apple, and a fix being issued with a credit/thank you from Apple.

Doing it LMH’s way means finding the “bug,” posting it online, jeopardizing users, getting his name in articles, generating a bunch of sensationalist and incorrect Apple Mac security articles, and a fix being issued from Apple (or, in this case, VideoLAN).

So, on Day #2, with only one Apple “bug” revealed so far, LMH’s batting average has already been sliced in half. How long until he strikes out? Or do you think he’s out already after today’s caught foul tip?

*Just guessing: Loser Most Hated?

Related MacDailyNews articles:
MoAB #1: Apple Quicktime RTSP URL Handling Buffer Overflow Vulnerability – January 02, 2007
Starting January 1st: “Month of Apple Bugs” – December 19, 2006

57 Comments

  1. 2 things:

    1 – VLC is a major media player in the Mac world. Not an Apple bug per se, but if the OS allows a program failure to execute arbitrary code, then it’s a problem for them.

    2 – Clinton was not impeached. Impeachment was proposed, and censure was chosen instead. To parallel US criminal proceedings, he had what amounts to an arrest warrant issued. Impeachment would be indictment (he was not) and then conviction would be like… um, conviction.

    Happy New Year, you guys.

  2. “This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the MICROSOFT WINDOWS version).”

    So isn’t this as much of a Windows bug as it is an Apple bug????

  3. VLC is not an Apple application. LMH is on crack.

    When the choice is between funding less-than-savory characters to topple gigantic totalitarian regimes, liberals declare that totalitarian regimes are bastions of peace and prosperity. Just ignore the millions of bodies and the gulags — nothing to see here! That is much more reprehensible than funding the opposition. Conservatives opposed the commies and oppose the Islamic madmen now. Liberals do nothing but leak national secrets. Just shut up and stop hating yourself, your country, your economy, and George Bush, and get a life.

  4. So, how is this an Apple bug? Apple has nothing to do with VideoLan.

    This was supposed to be Month Of Apple Bugs, not Month Of VLAN Bugs, or Month Of Firefox Bugs.

    There’d better be an Apple bug tomorrow.

  5. To keep up the MDN analogy, after two at-bats, .500 ain’t bad – but in the bigs, 2 career at-bats doesn’t get you jack attention unless they’re both home runs. So far, we have a tipped ball that happened to stay in the field but is clearly not a serious threat against the home team and a clear foul ball which hit a vendor in the stands.

    So, LMH is not out yet, but they do have one big, glaring, obvious strike. Let’s see what tomorrow’s at-bat is like and whether the average goes up, or down.

    I’m sure MDN will help us keep score.

  6. Flash sucks and I can’t type because the goddam ad is covering this text field

    Magic Word: “terms” as in “whatever terms lead you to accept Flash ads were not good enough”

    Sorry, I did have something to say about MoAB but since I can’t see what I’m typing I’m not going to try.

  9. Buster,

    Not contradictory, in that you can be indicted for a crime but not convicted. It’s a two step process. Impeachment is the same as a formal indictment.

    PC Apologist,

    Beg to differ, but Clinton was formally impeached by the House, and tried by the Senate. As the article on Wiki states, impeachment is the equivalent of a criminal indictment, and is basically a summons to stand trial for the charges specified in the impeachment articles. Remember, they got Rehnquist (Chief Justice of the Supreme Court) to preside at the trial since Gore was President of the Senate. Just because the Senate voted to censure (ie find him guilty of a lesser charge) instead of removing him from office does not erase the fact that he was impeached in the first place.

    See http://en.wikipedia.org/wiki/Impeachment#United_States

    “The impeachment procedure is in two steps. The House of Representatives must first pass “articles of impeachment” by a simple majority. (All fifty state legislatures as well as the District of Columbia city council may also pass articles of impeachment against their own executives). The articles of impeachment constitute the formal allegations. Upon their passage, the defendant has been “impeached.”

    Next, the Senate tries the accused. In the case of the impeachment of a President, the Chief Justice of the United States presides over the proceedings. Otherwise, the Vice President, in his capacity as President of the Senate, or the President pro tempore of the Senate presides. This may include the impeachment of the Vice President him- or herself, although legal theories suggest that allowing a person to be the judge in the case where she or he was the defendant wouldn’t be permitted. If the Vice President did not preside over an impeachment, the duties would fall to the President Pro Tempore.

    In order to convict the accused, a two-thirds majority of the senators present is required. Conviction automatically removes the defendant from office. Following conviction, the Senate may vote to further punish the individual by barring them from holding future federal office (either elected or appointed). Despite a conviction by the Senate, the defendant remains liable to criminal prosecution. It is possible to impeach someone even after the accused has vacated their office in order to disqualify the person from future office or from certain emoluments of their prior office (such as a pension.) If a two-thirds majority of the senators present does not vote “Guilty” on one or more of the charges, the defendant is acquitted and no punishment is imposed.”

    Bill Clinton was impeached on December 19, 1998 by the House of Representatives on grounds of perjury to a grand jury (by a 228–206 vote) and obstruction of justice (by a 221–212 vote). Two other articles of impeachment failed—a second count of perjury in the Jones case (by a 205–229 vote), and one accusing President Clinton of abuse of power (by a 148–285 vote). He was acquitted by the Senate. “

    Thus ends the civics lesson.

  10. B-Sabre…I also had read up on it after your correction. You are indeed correct but I disagree about the contradiction. Indeed they are. In a land where you are innocent before being found guilty, why do they switch it around at that level where you are guilty (impeachment) until found not guilty (senate’s final decision) but yet the former charge (impeachment) is not removed so you are still considered guilty. That seems contradictory to me.
    Judge: Guilty or not guilty:
    Bailiff: Welllllll…………

    Maybe Clinton should have written a book entitled “If I was going to have sex with Monica and try to hide it, this is how I would have done it”. Might as well be a good capitalist and make some $$$ out of it if the guilt charge sticks anyway.

  11. This is a joke. So VLC has a bug that allows arbitrary code to be executed. The only thing Apple can possibly do is make sure that code doesn’t execute with escalated privileges and it doesn’t.

    This is no more an “Apple bug” than a tank of bad gasoline would be a “Chrysler bug”.

  12. Ok this sentence is what gets me.
    “You may want to use a suitable shellcode of your choice. The exploit will need some adjustment. “
    Yeah he has the mac community’s best interest at heart.
    See that’s what gets me, its one thing discussing bugs but giving the code away is quite another.

    BTW-on the whole impeachment thing –
    “former charge (impeachment) is not removed so you are still considered guilty”
    being impeached doesn’t mean that person is considered guilty, just like being indicted doesn’t mean someone is considered guilty. Jane Doe may have been indicted for murder, and found not guilty (or the case dismissed); however, that doesn’t change the fact that she was in fact indicted. The term has nothing to do with guilt or innocence.

  13. Best President Ever! Stupid Republican Witch Hunt over matters unrelated to Governance.

    Lincoln used to take foreign dignitaries down the street to the brothels!

    French Politicians are EXPECTED to have a mistress!

    Victorian Sexual Repression is alive and well.

    It is more acceptable to depict the “penetration” of a bullet than a penis. How sickening is that!

    MW = slowly
    as in, slowly back away from the backlash

  14. MDN wrote: “Doing it LMH’s way means finding the “bug,” posting it online, jeopardizing users”

    I don’t think they found the QT bug, I believe this was a known issue.
    In the same way as the MacBook airport exploit was a known vulnerability.
    LMH/Ellch Maynor are providing “working” exploits.
    MoAb is a black PR operation, to discredit AAPL and Macintosh.

  15. Here we go again. LMH says, “
    “a remote attacker could cause an arbitrary code execution condition,
    under the privileges of the user running VLC.”

    Once again, a non-issue. IF they could write some code that would escalate user privileges or execute under a ‘sudo’ shell, then they’d have something to talk about.

    But:
    Nothing to see here. Move along, please.

  16. Nice job that this isn’t an Apple bug. It doesn’t matter what OS you’re running, you’ll always find 3rd party bugs that the OS developer can’t deal with because they didn’t write that app. It sounds like these guys are getting desperate to keep this going.
