Apple on Tuesday released a security update for its QuickTime digital media software in response to a vulnerability discovered by security researchers associated with the Month of Apple Bugs website.
"A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution," the company said. "A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007)."
Apple added that its fix for the issue includes performing additional validation of RTSP URLs.
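As an added illustration of the mitigation Apple describes (validating RTSP URLs before they reach a fixed-size buffer), and not Apple's or QuickTime's own code: a bounded check that rejects over-long URLs, non-rtsp schemes and malformed hosts before any copy takes place. The length limits, error codes and sample URLs are assumptions chosen for this example.

```c
#include <ctype.h>
#include <string.h>

#define RTSP_URL_MAX  255   /* limits chosen for this example, not QuickTime's */
#define RTSP_HOST_MAX 63

typedef enum { RTSP_OK = 0, RTSP_ERR_LEN, RTSP_ERR_SCHEME,
               RTSP_ERR_HOST, RTSP_ERR_CHAR } rtsp_status;

/* Validate an rtsp:// URL before anything is copied into a fixed-size
 * buffer. On success the host part is copied into host_out (host_cap bytes). */
rtsp_status rtsp_url_check(const char *url, char *host_out, size_t host_cap)
{
    size_t len = 0;                  /* bounded length scan: never run past the cap */
    while (len <= RTSP_URL_MAX && url[len]) len++;
    if (len > RTSP_URL_MAX) return RTSP_ERR_LEN;

    static const char scheme[] = "rtsp://";
    size_t sl = sizeof scheme - 1;
    if (len < sl || strncmp(url, scheme, sl) != 0) return RTSP_ERR_SCHEME;

    const char *host = url + sl, *end = host;
    while (*end && *end != '/' && *end != ':') {   /* host: [A-Za-z0-9.-] only */
        if (!isalnum((unsigned char)*end) && *end != '.' && *end != '-')
            return RTSP_ERR_CHAR;
        end++;
    }
    size_t hl = (size_t)(end - host);
    if (hl == 0 || hl > RTSP_HOST_MAX || hl + 1 > host_cap) return RTSP_ERR_HOST;

    for (const char *p = end; *p; p++)             /* port/path: printable, no spaces */
        if (!isprint((unsigned char)*p) || *p == ' ') return RTSP_ERR_CHAR;
    memcpy(host_out, host, hl);                    /* copy only after every check passed */
    host_out[hl] = '\0';
    return RTSP_OK;
}

/* Helpers so the checks can be exercised without managing buffers by hand. */
static char g_host[RTSP_HOST_MAX + 1];
rtsp_status rtsp_demo(const char *url) { return rtsp_url_check(url, g_host, sizeof g_host); }
const char *rtsp_demo_host(void) { return g_host; }
rtsp_status rtsp_demo_long_url(void)               /* constructed 318-byte URL */
{
    char buf[RTSP_URL_MAX + 64];
    memset(buf, 'a', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    memcpy(buf, "rtsp://", 7);
    return rtsp_demo(buf);
}
```

The point of the ordering is that every length and character check runs against the untrusted input before the single `memcpy`, so a malformed or oversized URL is refused rather than truncated or written past the buffer.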
The security update is available for QuickTime 7.1.3 on Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.8, Mac OS X Server v10.4.8, and Windows XP/2000.
The Month of Apple Bugs initiative is an effort by security analysts to improve Apple's Mac OS X operating system by uncovering security flaws in different versions of the company's software and in third-party applications.
Apple's security update released Tuesday targets the first of those reported flaws. The Month of Apple Bugs website has since gone on to list 21 additional vulnerabilities in Mac OS X-related software, one for each day of the month.
33 Comments
I believe this was the first bug released during the Month of Apple Bugs.
Though fixing anything with even minimal security exploits is important, I can't help but laugh at what has been uncovered during this month so far. I also praise Apple for patching it within a few weeks. It takes time to figure out how to patch exploits and still maintain stability / compatibility.
This fix is in line with the typical timing and attention given to Apple security updates - relatively quick and competent.
This pretty much busts MOAB's claims of Apple's ignorance and/or hostility at bug reports.
Apple has been doing better than most, fixing 99.9% of their problems through their established channels without MOAB's brand of nonsense. IIRC a third of their "Apple Bugs" are 3rd party problems to begin with.
MOAB are still flaming Apple Inc., Apple users, and anyone else who critiques their methods, and it's gotten personal and insulting. They come out swinging their fists at the Apple community, then cry foul because someone hits back.
I agree. I personally think this was for attention over anything. They were / are publicly announcing the bugs without submitting to apple first. They made large statements about releasing a bug a day. They have insulted the user base. I'm over the MOAB at this point. They have released 2-3 that I know of and all have been 3rd party so far. Completely a waste of time if you ask me.
Well, you are severely misstating the facts. Have a look at the MOAB page: http://projects.info-pull.com/moab/
Definitely not all 3rd party exploits and definitely more than 2 or 3 exploits.
Please don't interpret my comment as support for what MOAB is doing. I think it is reprehensible.
Luckily, beyond being reprehensible, they're also getting minimal coverage. Only Macintouch reports on their daily announcements.