I don't really believe the method in which they are disclosing the problems can be viewed as responsible. Providing the information that they are providing is really putting the users at more risk. The level of information and how-to is opening the door for wannabes. I am just saying: hard timelines. Disclose to the company; if they fail to meet the timeframe, then disclose, but give them a chance.
As an OS X user I would love for Apple to set up a security team that these issues could be disclosed to and resolved properly. Again, it is not that I don't think this is a good idea; I just disagree with the method.
I didn't say it was responsible.
It helps users. I now know to avoid all QuickTime files until Apple puts out a fix.
If they reported it directly to Apple I wouldn't know about these issues. Chances are the only people that would know about them are: the researcher, Apple's security team, and the "bad guys" that have been using this information already.
So the developers' egos are dented by some companies. Therefore, they do all they can to irresponsibly disclose bugs on the web which could potentially be exploited to affect millions of users? Once that happens, and it becomes apparent that it was all the result of such irresponsible disclosures, will it be Apple people are angry with? Or will it be these "researchers"?
What they're doing is good for OS X, but it is still irresponsible.
"Therefore, they do all they can to irresponsibly disclose bugs on the web which could potentially be exploited to affect millions of users? Once that happens, and it becomes apparent that it was all the result of such irresponsible disclosures, will it be Apple people are angry with? Or will it be these "researchers"?"
Well, you see, these bugs can be exploited anyway. Who's to say they haven't been exploited by others already before they got published now, only that nobody knew?
Now that they are out in the open, users at least have a chance to react, which I as a user prefer to being kept in the dark.
>> What they're doing is good for OS X, but it is still irresponsible.
+1 here. *What* these guys are doing is definitely a right thing and deserves respect, but *how* they do it isn't good, imho. I believe they should have warned Apple developers beforehand. 1 month could be a good period of non-disclosure ...
Some researchers feel slighted by the "give a company a time frame" idea. Often times the company doesn't keep the researcher in the loop, demands more time, or doesn't report the issue properly. And remember, often times researchers aren't the first people to find the hole. They're just the first ones to talk about it.
Full immediate disclosure lessens this hassle, forces the company to fix the issues or face their customers, and keeps users in the know so they can better protect themselves.
As a Mac user I'm glad they're doing this. If Apple plays their cards right this will only strengthen the system.