By John Gruber
WorkOS launches auth.md — an open protocol for agent registration.
Linked List: January 2, 2007
Tuesday, 2 January 2007
- Landon Fuller’s Application Enhancer Patch for the MOAB QuickTime ‘rtsp://’ Exploit ★
-
My gut feeling is that it’s overkill to install this — especially if you aren’t already running any Application Enhancer haxies — but it’s a nice idea. Note, too, that Fuller says disabling the “rtsp://” URL protocol isn’t a complete defense.
- Design Quotes ★
-
Examples:
“The greatest challenge to any thinker is stating the problem in a way that will allow a solution.” —Bertrand Russell
“I’ve been amazed at how often those outside the discipline of design assume that what designers do is decoration. Good design is problem solving.” —Jeffrey Veen
(Via Cameron Moll.)
- Second Issue in ‘Month of Apple Bugs’ Is a VLC Buffer Overflow ★
-
How does a bug in VLC qualify as an “Apple bug”?
- Martin Pittenauer on the Chaos Communication Congress ★
-
Good summary of the Mac-related topics at this conference last week, including the FileVault session and Amit Singh’s session on Mac OS X internals and TPM.
- Month of Apple Bugs: QuickTime ‘rtsp://’ URL Handler Stack-Based Buffer Overflow ★
-
The first Month of Apple Bugs exploit is out, and it’s an attack that takes advantage of a buffer overflow in QuickTime’s handler for “rtsp” URLs. Their example exploits are all Intel-specific, but it’s probably a potential problem for PowerPC systems, too. (It’s a problem with QuickTime, not Mac OS X, so it apparently works on Windows systems with QuickTime installed as well.)
The example exploits use the /usr/bin/say command to speak “Happy new year shit bag”, but if that works, it could just as easily do something destructive like deleting the contents of your home folder. If you want to play defense while waiting for Apple to fix the bug, you can disable ‘rtsp’ URLs using RCDefaultApp.