Two days, two "Apple bugs"...that also work on Windows.

The sun has set on this, the second day of the Month of Apple Bugs (aka MOAB), and patterns have begun to emerge: media files are the bait, URL parsing code is the Achilles heel, and Windows is as much a target as Apple’s OS X.

The MOAB project is being run by the hacker known as LMH, sponsor of the Month of Kernel Bugs, and Kevin Finisterre. The effort began on Monday with publication of the details of a vulnerability in the QuickTime 7 player’s handling of rtsp:// URLs that was rated “highly critical” in a security alert by Secunia. The vulnerability, which can be exploited remotely using a malicious file delivered via e-mail or a Web page, could allow attackers to take control of vulnerable OS X and Windows systems, according to MOAB.

A similar story can be found in the second Apple bug of the month: a format string vulnerability in the UDP URL handler in VideoLAN’s open source VLC media player. The vulnerability works with version 0.8.6, released Dec. 10, and — as with the QuickTime flaw — works on both OS X and Windows. Workarounds include disabling the udp:// URL handler or uninstalling VLC.

So two days, two serious-sounding holes (though VLC media player is not QuickTime, to be sure). According to a post by LMH, MOAB isn’t necessarily fixated on finding holes in code written by Apple, but let’s face it: finding vulnerabilities in applications that work on OS X is different from finding holes in OS X itself, or even holes that are unique to the OS X platform. With 29 days to go and plenty more vulnerabilities yet to come, it will be interesting to see how strong the preference for media files is, how many are in Apple code, and how many are native to OS X.