Archive for the ‘Apple’ Category

Bandwagon: start-up that is looking for a problem

February 17, 2007

I wrote about Xacktunes, now Bandwagon, before, and now it is set to launch real soon.

Bandwagon helps make life easier for music geeks that back up using rsync/ftp or to CDs + DVDs.

Until our official launch on Feb 22 PST, we are giving away one-year subscriptions to Bandwagon. You get the full application and unlimited storage (need Mac OS 10.4 + iTunes 7).

What do I think?



Apple squashes MOAB bugs

February 16, 2007

Apple releases Security Update 2007-02, which fixes several MOAB bugs that were reported last month. The bugs fixed are MOAB-09-01-2007, MOAB-29-01-2007, MOAB-20-01-2007 and MOAB-22-01-2007.

I do not know why Apple decided to delay the fixes for the other MOAB bugs – 31 bugs were reported, 5 of which are in third-party software. I am sure that the others will be addressed soon, but the question is how soon?

Frankly, I’d rather not see 10.4.9 but instead see 10.5 released soon (with these bugs fixed!).

Image courtesy of fridgerock


Closing the iPhone

January 27, 2007

Granting that Apple is not going to allow third-party applications to be installed on the iPhone, I began re-thinking why I want a phone that is “open”. The only reason is the limited (read: crappy!) applications that are bundled with the phone. Third-party developers often answer that need. What apps do I want on the iPhone anyway?

The big heavyweight ball and chain

January 14, 2007

Ultimate iPhone FAQs List, Part 2:

Jobs: “Java’s not worth building in. Nobody uses Java anymore. It’s this big heavyweight ball and chain.”

I am wondering if Jobs even has a clue that mobile Java is different from the desktop Java that Apple itself implements and bundles with Mac OS X. Java ME, or Mobile Edition to those who live under a rock, requires such a small footprint that adding it to a 4GB pseudo-Mac OS X-running wannabe smartphone shouldn’t be an issue. C’mon, if you can add Flash, why not Java ME?

Heck, I expect the iPhone to come with CDC (Connected Device Configuration) since it is oh-so-powerful. However, considering that Jobs wants a closed platform, I do not see the need to even add Java ME. Bummer!


Five reasons why Apple’s iPhone sucks!

January 10, 2007

You must have heard, seen or read about Apple’s new all-in-one device that will revolutionize the mobile phone industry. I am sure that the other phone manufacturers are scrambling now – trying to figure out how they can come up with a better product as soon as possible. The problem is, the iPhone is peppered with patents, which will make it more difficult to copy.

What do I think about the new phone?

MOAB and MOAB Fixes

January 5, 2007

I have stopped posting blog entries covering the Month of Apple Bugs and MOAB Fixes. I will let the two groups slug it out until the end of the month and see if and when Apple finally fixes these bugs.

As it is, the bugs reported so far are those from applications that are non-essential to the operation of the entire Mac OS X. I mean, it can run without Quicktime, VLC or even iPhoto’s photocasting. I am still waiting for that critical bug that can crash the OS.

As to the MOAB cause, well, personally, I’d rather that they inform Apple about the said vulnerability before releasing it – I mean, give Apple a week’s head start just so they are deemed “ethical”. Unfortunately, some camps consider the MOAB a publicity stunt crafted by these individuals.

Stunt or not, ethical or otherwise, I am glad that these bugs are being brought into the open. Whilst the fixes are being released at the same rate as the bugs are exposed, I am wondering when Apple will finally release a statement about these bugs and the accompanying fixes. Maybe Apple is waiting for the month to end and will just release one big Security Update to fix everything.

MOAB 3: QT bug

January 4, 2007

MOAB-03-01-2007: Apple Quicktime HREFTrack Cross-Zone Scripting vulnerability:

A month ago, a vulnerability in QuickTime was exploited to spread a worm on MySpace. The vulnerability was first published by pdp. In his article, pdp describes how the HREFTrack attribute in .mov files can be used for malicious scripting. The MySpace worm abused this vulnerability in a cross-site scripting attack vector.

This MoAB issue shows that this vulnerability can also be used in a cross-zone scripting attack, which could allow, in combination with other vulnerabilities, remote execution of arbitrary code on the user’s machine, as well as disclosure of the filesystem contents.

I thought that the Security Update released by Apple fixed this problem already. However, checking the details of the bug, only Windows has been tested. I am not sure if it still affects the Mac – if not, who cares about Windows?!


Month of Fixes to Apple Bugs

January 3, 2007

So, part brain exercise, part public service, I’ve created a runtime fix for the first issue using Application Enhancer. If I have time (or assistance), I’ll attempt to patch the other vulnerabilities, one a day, until the month is out.

Landon Fuller releases a fix to the first bug that was reported during the Month of Apple Bugs. Let us see if he can catch up with the MOAB folks. :)


Month of Apple Bugs: No. 2

January 3, 2007

A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.

A VLC vulnerability has been exposed as bug no. 2. I am wondering, since this is a VLC bug and not Apple’s fault, really, why is it part of the MOAB?

And oh, it also affects VLC on other platforms! Hmmm… I am beginning to think that the MOAB folks are starting to get desperate by exposing bugs that are entirely not Apple’s doing.


Month of Apple Bugs: No. 1

January 2, 2007

MOAB-01-01-2007 – Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow:

A vulnerability exists in the handling of the rtsp:// URL handler. By supplying a specially crafted string (rtsp:// [random] + semicolon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using either HTML, JavaScript or a QTL file as attack vector, leading to an exploitable remote arbitrary code execution condition.

Exploitation of this issue is trivial, and stack NX can be rendered useless via ret-to-libc.

First bug appeared on-line. :) Good thing that I do not use Quicktime to handle RTSP. :P

And oh, it does affect Quicktime on Windows as well.
