YOUR IT - Technology for you

Month of Apple Bugs: a retrospective

The Month of Apple Bugs ended not with a bang, but with a whimper - assuming you're prepared to classify an Arnold "Terminator" Schwarzenegger audio clip as a whimper.
The web page for the January 31 disclosure appears to be no more than a parting shot at the project's critics, though it's possible that this writer has been "pwned" without knowing it.

So what's the tally for the month? Of the 30 disclosures, 22 related to software from Apple. Only one of those has been officially fixed, although the MoAB and MoAB Fixes projects have released patches, tools or workarounds to mitigate another 12.

Seven bugs were found in third-party software. All except two have been rectified by the relevant vendors or open source projects, including one update that was issued following an attack using the exploit shortly before its public disclosure. One exception is the Flip4Mac vulnerability: a patch has been released by MoAB Fixes pending an update from Telestream. The second is the Application Enhancer (APE) Local Privilege Escalation, which is more contentious. Nonstandard privileges on /Library/Frameworks may help ("BOM Shelter" provides a degree of protection); others say Application Enhancer is fundamentally flawed.

A flaw in more than one implementation of PDF readers had already been fixed in Adobe Reader 8, but remains in the Preview utility that's a part of Mac OS X. Again, MoAB Fixes provides a temporary patch for Apple's software.

On top of the disclosures, an 'Easter egg' was provided in the form of a malformed JPEG2000 image embedded in day 29's disclosure that caused Safari to hang for an extended period. No indication was given as to whether this was a deliberate prank or an unfortunate accident.

So what can we learn from the Month of Apple Bugs?


