Month of Apple Bugs: First Bug Unveiled
Submitted by odnomzagi, 2007-01-02, Mac OS X, 70 Comments

The first Apple bug (Apple QuickTime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled – as promised – by LMH and Kevin Finisterre. This bug is the first in a month-long series.

About the author: Thom Holwerda

Comments

2007-01-02 5:54 pm Rayz
… amazing. I can’t really see the point of this.

2007-01-02 5:58 pm altair
The point is to generate news.

2007-01-02 6:12 pm TownDrunk
I think someone wants to see their name in the paper.

2007-01-02 10:10 pm h3rman
> I think someone wants to see their name in the paper.
They’re not Apple employees; is there a fundamental ethical reason why it should be immoral for them to expose some bugs and in the meantime get a few minutes of fame for themselves? If they had to give what they found to Apple first – guess who’ll get the credit then when it gets fixed? – it would be less fun, and they might just stop finding the bugs in the first place. At least the information they provide is sufficient for users to avoid some of the risks. Hardly anything immoral in that. I was always told “security by obscurity” didn’t work.

2007-01-02 10:18 pm brewmastre
“If they had to give what they found to Apple first – guess who’ll get the credit then when it gets fixed? – it would be less fun, and they might just stop finding the bugs in the first place. At least the information they provide is sufficient for users to avoid some of the risks. Hardly anything immoral in that.”
Why not report to the public that a bug has been found in a specific application and state what it is capable of, but only report the specifics and actual code to the owner of the code? At least if they do that, people can make the connection of who really discovered it, but not in a way that puts more users at risk.
2007-01-02 10:42 pm h3rman
> Why not report to the public that a bug has been found in a specific application and state what it is capable of, but only report the specifics and actual code to the owner of the code? At least if they do that, people can make the connection of who really discovered it, but not in a way that puts more users at risk.
Sounds reasonable at first sight. But will that make it much harder for malicious exploits? Erm.. ten minutes harder? Won’t make me feel more secure. How do you think bug reports are filed in open source? Out in the open, and no one thinks that’s immoral. I’m not a fan of software security firms (and obviously these guys want to be part of that business) because I think all the security should be provided by the OS/distro itself – including MSW – there’ll always be conspiracy theories that the security firms are writing the exploits they protect from themselves, won’t there. That just feels real bad.* The moment I need Symantec to secure my Fedora box I’ll check out OpenBSD. But this stuff at least gives Apple the incentive to not just leave this to those external firms.
*Conspiracies do exist, BTW, I thought I’d mention for the naive among us.

2007-01-03 3:26 am Moulinneuf
Security by obscurity works; it’s security by being blind to one’s own problem that has been discovered that doesn’t work. It’s called security by denial: “the problem doesn’t exist even though some people use it to exploit systems.” It’s preferable that the flaw is fixed instead of denying it exists.

2007-01-02 6:22 pm rodda
…and users need to be aware prior to Apple fixing these bugs. I don’t really see a problem with this approach, and the following statement from the website is reasonable enough:
“This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple. Also, we want to develop and provide tools and documented techniques to aid security research in this platform.”

2007-01-02 9:38 pm usr0
The point is to generate negative propaganda about Apple.

2007-01-02 10:21 pm h3rman
> The point is to generate negative propaganda about Apple.
That’s incredible nonsense. You’ll appreciate that when you read this: http://www.securityfocus.com/columnists/389
Furthermore, in the past the same guys were doing the same thing with a.o. Linux; which is the OS Kevin F. prefers to use on his… Apple hardware.

2007-01-03 4:45 pm Duffman
> Furthermore, in the past the same guys were doing the same thing with a.o. Linux; which is the OS Kevin F. prefers to use on his… Apple hardware.
Yes, Apple’s hardware running Linux. So the point of view of usr0 is not nonsense… They released the second bug today. It’s about VLC. Tell me what Mac OS X has to do with VLC (the bug also affects Windows…)? Apple is now responsible for third-party application bugs?

2007-01-03 5:49 pm milles21
I agree. Please tell me what VLC has to do with OS X; that is a third-party application. I mean, not only are we talking disclosure but we are talking skewed. You wouldn’t report a Photoshop bug to Apple; you would report it to VLC. QuickTime yes, VLC no; this is looking more like FUD than informative. I can say that if this is the trend, third-party apps not associated with Apple, their credibility should suffer. Please deal with OS X or Apple-related flaws, not “Well, your Mac data can be compromised if you steal the hard drive fluff”.

2007-01-03 6:04 pm ddpbsd
From the FAQ:
“3. Are Apple products the only one target of this initiative? Not at all, but they are the main focus. We’ll be looking over popular OS X applications as well.”
VLC is the only way to get support for a LOT of videos on Mac OS X, so a lot of Mac people probably have it installed.

2007-01-03 7:34 pm milles21
Again, optional, not Apple’s software. Regardless of whether someone installs it, it does not qualify as Apple’s issue.

2007-01-02 6:14 pm ligurmatic
By using such language, their message is diluted and it’s them, not Apple, who look foolish.

2007-01-02 6:29 pm ddpbsd
To get Apple to take security seriously. All about the Pwnies!

2007-01-02 6:37 pm jamesrdorn
You’re right, this group is all about exposing Apple security. If you would take more than 3 seconds to read the headline, you would know that this group does this for all kinds of OSes and projects.

2007-01-03 1:53 am Soulbender
“To get Apple to take security seriously.”
Bullshit. It’s all about generating news coverage for themselves. If they did indeed have the users’ best interest in mind they’d have followed best practices, notified Apple and given them due time (say a week or two; it’s not like you HAVE to wait forever, as their lame-o FAQ states) to engineer a fix *before* going public.

2007-01-03 2:33 am jessta
Getting Apple to take security seriously would be reporting the security bugs to Apple first and allowing them time to create a patch.

2007-01-02 6:36 pm ActiveMan
Only one bug per month. Other OSes are more active, for example “One Windows Bug per Minute”.

2007-01-02 6:39 pm aGNUstic
I am a Linux and OSX user. I say bring it on. 🙂

2007-01-02 7:10 pm brewmastre
“I am a Linux and OSX user. I say bring it on. :-)”
Amen brother. One question though… has anybody else tried these exploits to see if they are real? How do we know that they’re not just a hoax? Also, does it state somewhere what version of OS X they are running? Here’s the reason I ask:

    $ ruby exploit.rb
    (…)
    (gdb) r pwnage.qtl
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /Applications/QuickTime Player.app/Contents/MacOS/QuickTime Player pwnage.qtl
    Reading symbols for shared libraries . done
    Reading symbols for shared libraries + done
    sh-2.05b$ id

Anybody else notice that the shell prompt changes, but the almighty ‘haxor’ didn’t change shells?! Something seems a little strange.
Edited 2007-01-02 19:15

2007-01-02 7:57 pm ddpbsd
The exploit is supposed to return a shell. It probably didn’t end up being a login shell.

2007-01-02 6:39 pm thecwin
I was expecting either all of the bugs released to be pointless little crasher bugs (which aren’t hard to find in OS X), or for the page to be full of adverts. While I dislike the idea of putting users at risk whether they’re careful on their platform or not, at least he’s so far maintained some sort of dignity (bar pwnage).

2007-01-02 6:42 pm ddpbsd
Users are at risk whether these bugs are released to the public or not.

2007-01-02 6:53 pm evangs
Instead of posting the details on the web for everyone to read, how about posting it directly to Apple first and allowing them to fix it before releasing said exploits to the entire world?

2007-01-02 7:27 pm ralph
From the FAQ (http://projects.info-pull.com/moab/#faq):
“Are the issues being reported to the vendor before public disclosure? Rarely, the point is releasing them without vendor notification. Although, sometimes we may decide to pass an issue through the appropriate people. The problem with so-called ‘responsible disclosure’ is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial. And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end.”
I’d agree that this isn’t a very easy issue to decide, but if you want to put some pressure on companies to do better when it comes to security, this just might be the right approach. And I, as a user, like to know about problems, so that I at least have a chance to avoid them.
2007-01-02 8:05 pm evangs
That’s a load of crap, really. So the company may take their own sweet time in releasing a patch, therefore we just release the entire documentation of the exploit to the web without first notifying them? I agree that companies should be pressured to issue a timely fix. The method these guys are taking isn’t the most responsible one. A better approach would be to alert Apple to the security holes, telling them that the details will be published in a month (week, 2 weeks, some reasonable timeframe). This alerts the company to the existence of the flaw, and it gives them a hard deadline by which to issue a fix. As it stands, while these guys are helping buff the security of OS X, I can’t help but think that they’re in it to get their names in the papers.

2007-01-02 11:45 pm milles21
I think it is very appropriate; computers are a foundation of mission-critical systems across the board, and risk is risk. If I were to disclose vulnerabilities like this in government anti-terrorism systems, everyone would be singing a different tune. FYI, computer compromises have been linked to terrorist funding, so although not likely, it could be an aid. Again, no one is saying this is a bad idea or that OS X is without flaws, merely that their method of disclosure is self-serving and irresponsible when you don’t give the vendor the chance to correct the problem. You are putting users at a greater risk because you are supplying less talented people the full code prior to a possible solution!

2007-01-03 12:13 am antwarrior
@evangs I agree with most of what you have said, and that is probably the way I would look at it if I didn’t take a quick step back from the situation. Companies like Apple and Microsoft are always continuously scouring the ’net for details of security-related bugs in their software. A day or two of delay in a company knowing about an exploit is not going to make much of a difference. Secondly, alerting the company to exploits includes the aspect of entering into “formal communication” with the company, which never really amounts to anything, if not giving you undue pressure not to release the details to the public (even in a reasonable timeframe). They begin to start dictating how the exploit should be handled, as if it was theirs, depending on THEIR TIME SCHEDULE, which might be affected by their internal release schedules for patches etc. I hope you get my drift… alerting a company early or posting on a “visible” web space does not cause that much of a delay. Why give yourself the extra hassle?

2007-01-03 7:24 am evangs
Being responsible has always been more hassle than being irresponsible, hence it is always tempting to take the easy way out (not that easy == bad all the time). To see why this is so irresponsible, imagine the following contrived scenario. A security expert goes to your house to examine it for potential points of entry. He finds quite a few, and instead of telling you about it, he publishes it on the web with a catchy title “A month of breaking into your house”. Sure, you can read about it on the web, and it may take you a few days to correct the problems as they’re published, but it means that while a fix is being done, your house is compromised, allowing easy access to any burglar/robber/murderer/criminal. In such a scenario, if your house were broken into, will you blame the builders of your house for making it insecure? Or will the blame lie on the shoulders of the so-called security “experts” who published a HOWTO on breaking into your house, without first alerting you? Like I’ve said, this is a contrived scenario, but it does serve to illustrate how irresponsible the actions of these guys are. Finding bugs is good for OS X, as there are too few eyeballs going over the OS. It is the way these guys go about disclosing the flaws which I find irresponsible.
2007-01-03 8:20 am antwarrior @ebangs I don’t want to pick at what you are saying and make this a meaningless debate so I will try and stay on point as much as possible. I slightly disagree with your illustration. Let’s try and get the correct perspective on this. It’s not like a howto into breaking into my house, it is more like a description of technical failing in the equipment used to protect millions of other houses, including mine, being made public. I would like to know now, rather than later. I don’t think the danger to the average user is that much greater or that much smaller. Chancss are this exploit and ones like it have benn known about for a while longer, and script kiddies would probably be scouring less high profile sites for their “script” fixes. IMHO it is not a irresponsible action. Irresponsible is how the company may respond considering that they are in direct control of how much risk the user is exposed to, when they learn of security flaws, whether it be directly or indirectly , as it was in this case. 2007-01-03 2:08 pm Soulbender “Chancss are this exploit and ones like it have benn known about for a while longer, and script kiddies would probably be scouring less high profile sites for their “script” fixes. ” If it has been known for a longer time then it wouldn’t matter if they waited one or two more weeks then, would it? By the way, I love how people buy into this “the blackhats knows all the weaknesses first” mythology that the media’s been dishing out. 2007-01-02 8:12 pm milles21 I think it is really disappointing to see them take this approach. Although I can applaud their technical ability I do think the manner that they are going about it is self-serving. I think that their efforts could be better served notifying Apple and then after X, Y, Z timeframe releasing. This approach makes them seem more of look at me and not about improving software. 
Disappointing indeed 2007-01-02 8:28 pm ddpbsd Some researchers feel slighted by the “give a company a time frame” idea. Often times the company doesn’t keep the researcher in the loop, demands more time, or doesn’t report the issue properly. And remember, often times researchers aren’t the first people to find the hole. they’re just the first ones to talk about it. Full immediate disclosure lessens this hassle, forces the company to fix the issues or face their customers, and keeps users in the know so they can better protect themselves. As a Mac user I’m glad they’re doing this. If Apple plays their cards right this will only strengthen the system. 2007-01-02 8:39 pm milles21 I don’t really believe the method in which they are disclosing the problems can be viewed as responsible. Providing the information that they are providing is really putting the users at more risk. The level of information and how to is opening the door for wannabe’s. I am just saying hard timelines disclose to the company if they fail to meet the timeframe then disclose but give them a chance. As an OS X user I would love for apple to setup a security team that these issues could be disclosed to and resolved properly. Again it is not that I don’t think this is a good idea I just disagree with the method 2007-01-02 8:50 pm ddpbsd I didn’t say it was responsible. It helps users. I now know to avoid all quick time files until Apple puts out a fix. If they reported it directly to Apple I wouldn’t know about these issues. Chances are the only people that would know about them are: the researcher, Apple’s security team, and the “bad guys” that have been using this information already. 2007-01-03 7:27 am evangs Yes, but how many users actually know about the issue? How many OS X users read tech sites? So you and the handful of technical OS X users know about the flaw and the temperory solution. Great. How about the creative type people, who are Apple’s primary market? 
These users are fscked until Apple issues a fix, or they have friends who know enough about OS X to tell them about the problem and how to fix it. 2007-01-03 1:32 pm ddpbsd Whose fault is it if they live under a rock and don’t pay attention to the news? 2007-01-03 5:54 pm evangs So because I use a computer, I am compelled to read tech sites now? Not everyone is a computer enthusiast, who lives/breathes computers. Many have better things to do than to follow up on the latest happenings in the IT world. It isn’t about living under a rock. Some people do not have the time or the desire to spend more effort than is necessary to use their computer. 2007-01-03 6:02 pm ddpbsd Yes. If you own something you should do your best to keep up with the important things happening relating to whatever it is. If you own a car you should keep up on recalls and whatnot for that car. The MoAB has been on a number of news sites, not knowing about it seems kind of silly at this point. To me at least, but I’m an Apple user, what do I know? 2007-01-03 6:29 pm sbergman27 “””If you own something you should do your best to keep up with the important things happening relating to whatever it is.””” Thanks so much for reminding me. I’d forgotten to renew my subscription to “Toasters Today”! Edited 2007-01-03 18:29 2007-01-02 9:21 pm evangs So the developer’s egos are dented by some companies. Therefore, they do all they can to irresponsibly disclose bugs on the web which could potentially be exploited to affect millions of users? Once that happens, and it becomes apparent that it was all the result of such irresponsible disclosures, will it be Apple people are angry with? Or will it be these “researchers”? What they’re doing is good for OS X, but it is still irresponsible. 2007-01-02 9:35 pm ralph “Therefore, they do all they can to irresponsibly disclose bugs on the web which could potentially be exploited to affect millions of users? 
Once that happens, and it becomes apparent that it was all the result of such irresponsible disclosures, will it be Apple people are angry with? Or will it be these “researchers”?” Well, you see, these bugs can be exploited anyway. Who’s to say they haven’t been exploited by others allready before they got published now, only that nobody knew? Now that they are out in the open, users at least have a chance to react, which I as a user prefer to being kept in the dark. 2007-01-02 9:57 pm tacit_one >> What they’re doing is good for OS X, but it is still irresponsible. +1 here. *What* these guys are doing is definitely a right thing and deserves respect, but *how* they do it – isn’t good, imho. I believe they should have warned Apple developers beforehand. 1 month could be a good period of undesclosure … 2007-01-03 1:18 pm ddpbsd One month is too long. That’s potentially 1 more month users have their asses in the wind. 2007-01-02 8:43 pm SK8T very good thing! in the end a lot of improvments for the customer, and that matters 2007-01-02 9:33 pm JohnOne … a TERRIFIC bug!!! [sarcasm mode off] 2007-01-02 9:46 pm sbergman27 According to slashdot, a fix has already been posted by a Darwin developer, the intent being to match MoAB bug by bug in real time. http://apple.slashdot.org/apple/07/01/02/2058239.shtml Edited 2007-01-02 21:49 2007-01-02 10:02 pm mrhasbean Ummm, I’m just wondering why this is being classed as an OSX bug? It supposedly effects both Windows and OSX versions of Quicktime! Granted its a bug, and it needs to be fixed – well, it would seem it HAS been fixed – but the immature little “You’re a PC now. Mac” is not only wrong, but it shows the real motives of these twits… 2007-01-02 10:15 pm hechacker1 Their motive is simple, force Apple to think about security and make their systems safer. I can already see script kiddies downloading the provided scripts and trying to hack away.. but you know what? 
That just means Apple has no choice but to patch their systems or else be accused of being negligent. yes, these guys are stroking their ego, and obviously trying to make Apple look bad, but what other method besides this would produce the fastest results? None. Apple users should be thanking this guy. He obviously knows what he is doing, and proves it with the provided scripts so that fanboys can’t yell that he is lying. Read the FAQ, his agenda is clearly spelled out. 2007-01-02 10:16 pm Matt24 The only rational argument to do this; Bad publicity for Apple. And who is desparate enough to choose this kind of slander? It would not surprise me at all if MS is the sponsor of this kind of FUD publicity. 2007-01-02 10:41 pm ronaldst @Matt24 I am sure MS is behind all of this. LOL 2007-01-02 10:28 pm mrhasbean When are we going to get past this stupid idea that OSX is seen as more secure because it isn’t used by as many people? During the past 6 years since OSX was released there have been security holes and exploits found in OSX – just like in any other operating system. The REALITY is though that in nearly every case these security holes cannot be exploited unless you are sitting at the keyboard of the machine. And those that could work remotely were so trivial it really wasn’t even worth discussing them – other than to get the problem fixed. The fact of the matter is that OSX – like all *nix derived OSes – is fundamentally more secure because of the inherent security model – period. I guarantee that none of the things we see in this month long “exposé” will be a show stopper – its method even suggests that it is all merely a sideshow being run by a bunch of (brilliant) sideshow clowns trying to get their 5 minutes in the spotlight. 2007-01-03 6:43 am Rayz When are we going to get past this stupid idea that OSX is seen as more secure because it isn’t used by as many people? Well, that’s part of the reason, but there are others. 
Remember that most of these so-called vulnerabilities (or overflow bugs as developers call them) do not occur in the Unix layer; they crop up in the layers above, such as QuickTime or that nasty mess they made of Dashboard when it was first released. And the same can be said of MS; very few vulnerabilities crop up in the low-level stuff; they are usually found in the application layer or the APIs for their frameworks. The real difference is what has to be done to take advantage of the vulnerabilities. The fact that Apple has a fraction of the market share of Windows, means that they have a fraction of the number of experts available to take advantage of these bugs. Meanwhile, there are huge numbers of people who have detailed knowledge of the Windows subsystems. The other problem that MS has a shockingly poor public image with the geek fraternity, many of whom have an axe to grind. A case in point is this business with the stock options; if Gates had been caught doing something like this, then people would be quite rightly, calling for his head; not so with Mr Jobs. Web sites happily declaring that he has been cleared of doing anything wrong, when the fact is that Apple board knows that without Jobs at the helm, then they lose the ‘hero worship’ element,that helps keep the company riding high. Meanwhile, Microsoft hands out a few free laptops and geek crowd behave like someone just shot the pope. Amazing. Apple is a much more popular company which leads people to defend it no matter what, and by the same token, gives it a certain amount of immunity from folk looking too deeply at what its doing. In short, people are more likely to mount attacks against MS products because they don’t like MS. The other reason is that exploiting vulnerabilities is no longer something geeks do for jollies; it’s big business, and when you are running a business you have to examine the return you get on your investment. Windows has a larger user base and a larger base of experts. 
You can attack more machines for less money. And if you are a script kiddy, then you still have a decision to make. If you want to attack the Mac, then you have to buy a Mac, and as the figures show, the vast majority of people for one reason or another, are still not prepared to do that. Edited 2007-01-03 06:51 2007-01-02 10:37 pm mrhasbean “is there a fundamental ethical reason why it should be immoral for them to expose some bugs and in the mean time, get a few minutes of fame for themselves?” Is there a fundamental ethical reason why it should be immoral for someone to expose security flaws in the anti-terrorism systems at the major international terminals in America, England and Australia? Not at all – if those who could fix the problems are first notified and then given appropriate time to fix the problems so that millions of people aren’t potentially put at risk… 2007-01-02 10:53 pm h3rman Is there a fundamental ethical reason why it should be immoral for someone to expose security flaws in the anti-terrorism systems at the major international terminals in America, England and Australia? I’ll expose the major flaws in the anglo-saxon anti-terrorism system for you right there: it’s the CIA, Al-CIAda, the ISI and the neo-con regime.* I just wish there was someone trustworthy I could report this to. Back on topic, I don’t think comparing a Quicktime bug to a failure to detect Evil Arabs with box cutters in airport terminals is appropriate. *I might mention the word “stand-down order”, for example. 2007-01-03 7:33 am evangs How dare you make such a claim?! It is an outright lie, and is offensive to the British. I ask you to retract that statement before any more harm is done. There are no security flaws at major international terminals in England. How can there be flaws when no security system exists? 
*cough* http://news.google.co.uk/news?hl=en&ned=uk&q=PC+Veil+Suspect&btnG=S… *cough* 2007-01-03 6:40 am SEJeff So you guys know… This is LMH, who prefers to remain nameless to those unless they know him (/me raises hand). He is the exact same guy behind the month of kernel bugs: http://kernelfun.blogspot.com and http://www.info-pull.com These bugs are not bogus and he does have actual root OS X exploits… I know that he is not lying because I’ve known him for some time. 2007-01-03 8:49 am Kroc Yes, I’ve never doubted the actual exploits, time will tell for those, but the man hasn’t a shread of decency and is doing this stunt to make as much noise as possible and put down Apple users in the most trollish way. When this is all over, and not one person actually got exploited, and every piece of software is patched, the karma will come back to him. His only valid career path is to setup a research group and troll profressionally like Gartner. 2007-01-03 9:02 am SEJeff You are slightly incorrect… Actually, he is an OS X user/lover himself. The apple security team decided to speak with MacObserver and write articles like this one after speaking with them: http://www.macobserver.com/editorial/2006/12/20.1.shtml When someone makes fun of you after you are showing them problems and it is their job to fix them… well… I should be quiet now. Full disclosure is the only way to force vendors to work on good software to start out with. The public side of this starts here: http://lists.grok.org.uk/pipermail/full-disclosure/ 2007-01-03 10:32 am s_groening What lame argumentation! ‘I know this guy so he’s not lying’ – doesn’t that imply we have to know you to know you’re not lying? 
Following your argumentation, since I don’t know you I might as well distrust you on that account, even though LMH might very well be right in all of his accusations… And like many others, I simply care about Apple fixing the bugs fast no matter the severity of them… 2007-01-03 9:19 am Governa Fair question: as far as I know, this ‘event’ has been done in the past against other operating systems but I don’t recall OS News posting every new bug they found for any of those Operating Systems. Am I right? My question is, will we be presented with every new bug they post about Mac OS X ? Understand what I mean? Not quite fair, is it? Same thing with Apple’s options backdating scandal (were many people were quick accusing Steve Jobs of wrong doing), there looks like mostly bad stuff gets published against every OS with some exceptions mostly for Vista posts that even get special Editor comments when the news look bad. Example: http://www.osnews.com/story.php/16822/Flaws-Detected-in-Microsofts-… I remember posting loads of interesting news about Apple stuff yesterday but everything got rejected. For those of you curious enough, I leave you some of them: – Apple Safari web browser market share up year-over-year http://marketshare.hitslink.com/report.aspx?qprid=0 – Apple options probe shines spotlight on former execs Anderson and Heinen http://online.wsj.com/article/SB116769300537264292.html – The Washington Times’ 2006 Best Tech Company: Apple Computer http://washingtontimes.com/technology/20070101-111214-8651r.htm – MediaPost’s 2006 Marketer of the Year: Apple Computer http://publications.mediapost.com/index.cfm?fuseaction=Articles.sho… – Apple Mac Pro, MacBook Pro win InfoWorld 2007 Technology of the Year Awards http://www.infoworld.com/archives/t.jsp?N=s&V=84655 Also unless someone is actually being rude, I don’t think locking posts and modding them down automatically is the right thing to do to us, everyday posters. We make OS News, most of the news are submited by us. 
Everyone that criticized OS News article about Apple options scandal got a -5 automatically: http://www.osnews.com/comment.php?news_id=16826 This isn’t the way to deal with news or the users and only benefits trolls that constantly accuse OS News editors of using ‘special’ modding down options to try to silence opinions which they disagree with. If you guys in the first place don’t allow us to mod down a comment because you disagree with it, how can you publicly state that you will be doing it? Quote: “(…)I’m getting SICK of posts like yours. From now on, any such post will be modded down and locked(…)” To be able to get respect, you also need to respect the users and be impartial, even if you hate Windows, Mac OS X, Linux, Unix, BSD, Amiga OS, Solaris, etc. As you could see in the excelent “show your your desktop” post (the most fun an relaxed post in many months!), there are A LOT of non Windows users here and if they criticize some of OS News options, its because we have reasons to do it. There are a lot or professionals here that deserve more respect. Auto modding down is plain childish. I hope 2007 will see a more impartial and democratic OS News, with no “modding down as a revenge”. 2007-01-03 10:42 am Thom Holwerda My question is, will we be presented with every new bug they post about Mac OS X ? No. Same thing with Apple’s options backdating scandal (were many people were quick accusing Steve Jobs of wrong doing), there looks like mostly bad stuff gets published against every OS with some exceptions mostly for Vista posts that even get special Editor comments when the news look bad. We posted an article stating Jobs might be in trouble, we later updated the article when it became clear he was out of danger , just as with that Vista article. Your point? I remember posting loads of interesting news about Apple stuff yesterday but everything got rejected. 
For those of you curious enough, I leave you some of them:

In case you have not noticed, I have barely linked to any end-of-the-year lists this year. People do not like them, and they’re most of the time completely arbitrary. You keep posting lots of links to only positive Apple news in a lot of threads; this could be considered spamming. Why don’t you start your own Apple news site?

Also, unless someone is actually being rude, I don’t think locking posts and modding them down automatically is the right thing to do to us, everyday posters. We make OS News; most of the news is submitted by us. Everyone that criticized the OS News article about the Apple options scandal got a -5 automatically:

We have a new rule on OSNews which states that ANY comment along the lines of “Why is this OSNews?” gets modded down to -5 and locked, simply because we refuse to explain ourselves in every damn article. This rule is unanimously supported by the staff.

I hope 2007 will see a more impartial and democratic OS News, with no “modding down as a revenge”.

OSNews IS impartial. It is all in your head. Let me just say that accusing us of bias in every Apple thread (like you do) is not what we agreed upon when we lifted your ban. Accusing us of bias is a direct attack on the staff, and those are not allowed.
http://www.osnews.com/story.php?news_id=16839
http://www.osnews.com/read_thread.php?news_id=16826&comment_id=1966…
Edited 2007-01-03 10:44

2007-01-03 12:15 pm Governa
QUOTE: “We have a new rule on OSNews which states that ANY comment along the lines of “Why is this OSNews?” gets modded down to -5 and locked, simply because we refuse to explain ourselves in every damn article. This rule is unanimously supported by the staff.”

Where can we read the full rules? I would suggest that every time the rules change without the users knowing it, at least an auto email with the new rules would be sent to all users.
I would also suggest that those comments are just ignored by OS News staff or deleted. By modding them down to -5 you guys are giving the modding points system a bad image. You can see many users don’t trust the voting, as it seems to be easily tampered with by you guys and still looks like a legit result coming from regular votes. You guys are not solving problems that way; I would suggest you reconsider it. Just ignore or delete those.

QUOTE: “You keep posting lots of links to only positive Apple news in a lot of threads; this could be considered spamming.”

Unless there is now a rule that prevents users from sending only positive news about anything, I don’t see what your point is. I’m not sending made-up or fake stories; they are published in solid and respected news sites like the Wall Street Journal and the Washington Times. Also, since I’m actually sending news to be reviewed and approved before posting, I don’t see how it could ever be considered spam. I have never sent more than 5 news items on a full day to be reviewed. Can someone actually be banned for submitting too many articles to be reviewed by ‘the staff’ of OS News?
Edited 2007-01-03 12:27

2007-01-03 1:19 pm aGNUstic
Apple has always been a road bump in McSoft’s way. Security issues have always been a McSoft issue. Surprisingly, McSoft’s code problems come from both the design of software McSoft purchased, er, hm, innovated, and the code it assimilates into it from software it purchases, cough, develops. Yes, I know AD is a great success! It after all was developed from Banyan. Again, I say to the `bright` light bulbs trying to find the security hole in Apple’s software you could park a vehicle in – bring it on. The *nix model of security is superior to the McSoft model.
2007-01-03 3:29 pm Governa
This one just came up: VLC Media Player udp:// Format String Vulnerability

LMH writes, “The following description of the software is provided by vendor (VideoLAN):”

VideoLAN is a software project, which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player. The VLC media player is a highly portable multimedia player for various audio and video formats (MPEG1, MPEG2, MPEG4, DivX, mp3, ogg, …) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.

LMH writes, “A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.”

LMH writes, “This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version).”

Full article here: http://projects.info-pull.com/moab/MOAB-02-01-2007.html

Ok, I lost track here. How can VLC’s bug qualify as an Apple bug? We are only on day 2 and this one is a bit ridiculous…

2007-01-03 5:12 pm DigitalAxis
I dunno, it sounds like a VLC bug to me; so I guess they must be protesting that Mac OS X is not adequately safeguarded against buffer overflows in applications or preventing those stubs from being overwritten. I’m not entirely sure what I make of that.

2007-01-03 5:52 pm milles21
I don’t see how it’s relevant; it doesn’t even ship with OS X. VLC is a choice and not an Apple-maintained app; at that, it is third party!

2007-01-03 9:36 pm sp29
Funny, I’ve been using OS X without the virus protection since 2002 and I’ve never been affected by these “so called” flaws.
These bug finders are out to make names for themselves. Why don’t they contact Apple first? But I think they are trying to get publicity and some kind of ego trip from all of this kind of reporting.
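The udp:// format string vulnerability quoted in Governa’s comment above is the printf-family bug class: attacker-controlled text reaches a printf-style function as the format argument rather than as data, so directives such as %x read values off the stack and %n writes to memory, which is how “a specially crafted string” turns into code execution. The C below is an added example for this thread, not VLC’s code and not taken from the MOAB advisory; the function names (scan_format_directives, log_url_safe), the log message layout and the sample URLs are all constructed for illustration. It shows the hardened form of the logging sink beside a scanner that a test harness could run over untrusted URLs to flag strings that a format-string sink would interpret rather than print.

```c
/*
 * Added example (not VLC's code): the format string bug class behind a
 * URL-handler flaw, shown as a hardened logging sink plus a checker that
 * scans an untrusted string for printf directives. Sample URLs below are
 * constructed for illustration only.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Result of scanning an untrusted string as if it were a printf format. */
struct fmt_scan {
    int directives;   /* conversions that would consume an argument (%x, %s, %p, ...) */
    bool has_n;       /* %n present: the write primitive used to gain code execution */
};

/*
 * Parse `s` the way printf would: "%%" is a literal percent; any other '%'
 * starts a directive (optional flags, width, precision, '$' positional
 * index, length modifier) that ends at a conversion character. Input with
 * directives is exactly what makes `snprintf(buf, n, url)` exploitable.
 */
struct fmt_scan scan_format_directives(const char *s)
{
    struct fmt_scan r = {0, false};
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')          /* "%%": literal, harmless */
            continue;
        /* skip flags, width, precision, positional index, length modifiers */
        while (*p && strchr("-+ #0123456789.$hlLqjzt", *p))
            p++;
        if (!*p)
            break;              /* trailing '%' with no conversion character */
        r.directives++;
        if (*p == 'n')
            r.has_n = true;
    }
    return r;
}

/*
 * Vulnerable pattern (deliberately NOT called here): the URL is passed as
 * the format, so "udp://%x%x%n" is interpreted instead of printed:
 *     snprintf(buf, sizeof buf, url);
 * Hardened form: the format is a string literal and the URL is an argument.
 * Returns the number of bytes written, or -1 if the message was truncated.
 */
int log_url_safe(char *buf, size_t buflen, const char *url)
{
    int n = snprintf(buf, buflen, "opening %s", url);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

int main(void)
{
    /* constructed sample inputs, not real captures */
    const char *urls[] = {
        "udp://239.0.0.1:1234",   /* benign */
        "udp://100%%25",          /* "%%" is a literal percent, not a directive */
        "udp://%x%x%x%x%n",       /* stack reads followed by a write primitive */
    };
    char buf[128];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        struct fmt_scan r = scan_format_directives(urls[i]);
        log_url_safe(buf, sizeof buf, urls[i]);
        printf("%-22s directives=%d %%n=%s -> %s\n", urls[i], r.directives,
               r.has_n ? "yes" : "no", buf);
    }
    return 0;
}
```

Building with -Wall -Wformat=2 is worth the habit: GCC and Clang flag the commented-out vulnerable call (a non-literal format with no arguments) under -Wformat-security, which catches this bug class at compile time long before a fuzzer feeds the handler a udp:// string full of %n.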