Apple guru combats month of bugs

Open-source developer is attempting to ensure that a patch exists for every flaw found by the Month of Apple Bugs project.

Tom Espiner Special to CNET News
2 min read
A software engineer has vowed to quickly provide a patch for flaws in Apple Computer software that are set to be made public by researchers Kevin Finisterre and the pseudonymous LMH this month.

The vulnerability researchers' "Month of Apple Bugs" project, launched Monday, promises to announce a hole in Apple software on each day in January. However, a senior open-source developer with extensive experience working for the Mac maker says he is attempting to offer a fix for each flaw found.

Landon Fuller was an engineer in Apple's BSD Technology Group and is one of the principal architects of Darwin, an open-source, Unix-like operating system designed to work alone or as a core set of components for Mac OS X. He has already offered patches for the two vulnerabilities published by the Month of Apple Bugs project so far.

On Monday, the project published an advisory for a QuickTime vulnerability related to how media player software handles the Real Time Streaming Protocol, or RTSP. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.

Fuller published a fix on Tuesday for the QuickTime vulnerability that uses Application Enhancer, a piece of software designed to improve how applications behave when running on systems. "So, part brain exercise, part public service, I've created a runtime fix for the first issue using Application Enhancer," Fuller wrote on his blog. "If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out."

Also on Tuesday, Fuller published a fix for a second vulnerability found--a format string vulnerability in the open-source VLC media player that the project warns could be used by a remote attacker to execute arbitrary code. VLC published its fix soon after the vulnerability was reported to it by Kevin Finisterre.

Fuller called for assistance in developing patches for the flaws that have yet to be made public by the project and said he would start a mailing list if he gets enough interest.

"If you'd like to help with tomorrow's MOAB vulnerability please feel free to send me patches or other information. If there's enough interest, I'll fire up a mailing list," Fuller wrote in his blog.

Tom Espiner reported for ZDNet UK from London. CNET News.com's Joris Evers contributed to this report.