Trilight Zone

[tricore]

A former Apple engineer has launched an effort to fix the security flaws disclosed by the Month of Apple Bugs project as they appear.


Landon Fuller, a BSD developer and one of the principal architects of Apple's BSD-based Darwin operating system core, said he stumbled across the Month of Apple Bugs (MOAB) project and would fix as many of the bugs as possible.

He has already released fixes for the first three flaws, and has started a newsgroup to coordinate patch efforts.

MOAB is releasing a bug related to Apple software such as Mac OS X or QuickTime every day in January, following similar programmes directed at Linux and browsers.

Fuller released a fix for the first bug, a serious flaw in QuickTime that exposes systems to attack via malicious websites, on the same day it was disclosed. Application Enhancer must be installed for the fix to work.

"Part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer," Fuller wrote on his blog, where the fix is made available. "If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out."

The second MOAB bug affects the VLC media player on Mac OS X, and was patched by VLC developers. Fuller released his own version of the fix.

The third bug is a cross-site scripting flaw related to the QuickTime-based attacks carried out on MySpace in December.

Fuller's patch was developed with three other programmers, he said. "The patch replaces any javascript: URL requests with a javascript alert box," Fuller wrote.