'LMH' and Kevin Finisterre have kicked off MOAB, their Month of Apple Bugs project. The hackers say MOAB will "improve Mac OS X by finding security flaws in different Apple software and third-party applications". The initiative has begun with a description of a flaw that affects QuickTime 7.1.3.
Tagged as 'MOAB-01-01-2007', it describes a vulnerability in QuickTime's ability to handle RTSP (Real Time Streaming Protocol) hyperlinks.
"Exploitation of this issue is trivial, and stack NX can be rendered useless via ret-to-libc."
The problem reported affects QuickTime 7.1.3, the current shipping version on both Mac OS X and Microsoft Windows. The MOAB team offers instructions for how to reproduce the problem, and suggest that the only workaround is to disable the rtsp:// URL handler, uninstall QuickTime "or simply live with the feeling of being a potential target for pwnage".
"Pwnage" is internet slang for being badly beaten by an opponent; the term originated with gamers.
LMH is the pseudonym of an as-yet unidentified hacker, and Kevin Finisterre is founder of Digital Munition and a Mac user. Finisterre has been credited with the creation of the InqTana worm, a Java-based proof-of-concept worm that exploited a vulnerability in Bluetooth on some Macs, which first came to light in February 2006.