Former Apple engineer patching Month of Apple Bugs-revealed flaws


A software engineer has vowed to provide solutions for flaws in Apple's OS X operating system exposed by the Month of Apple Bugs project (MoAB).

The two security researchers behind the project, Kevin Finisterre and a former hacker known as LMH, are revealing bugs in Apple software throughout January, as well as exploit code for any flaws they find.

However, former Apple engineer Landon Fuller has set up an unofficial operation to fix the flaws.

"If I have time, I will attempt to patch the other vulnerabilities, one a day, until the month is out," he said on his blog. "Part brain exercise, part public service, I have created a runtime fix for the first issue using Application Enhancer."

Fuller asked for help in fixing any other bugs soon to be published by the project.

"Please feel free to send me patches or other information. If there is enough interest, I will fire up a mailing list," he said.

MoAB first disclosed a shortcoming in Apple's QuickTime Version 7.1.3 media player that could lead to a compromised system.

It also found a bug in VLC, the free video software made by VideoLAN, that can be exploited by hackers to take control of an affected system, according to an advisory on the MoAB site.

Fuller has already released patches for these two vulnerabilities.

The project revealed a third vulnerability yesterday. However, the bug is not new: it is a different way of exploiting a known flaw in QuickTime, which hackers used to spread a worm on MySpace last month.

The vulnerability can be used in a cross-zone scripting attack, which could allow malicious users to remotely execute arbitrary code on a victim's computer, according to a MoAB advisory.

Apple has yet to release an official statement on the month-long project.
