PDA

View Full Version : Month Of Apple Bugs: January 2007




MacRumors
Dec 19, 2006, 03:31 PM
http://www.macrumors.com/images/macrumorsthreadlogo.gif (http://www.macrumors.com)

Picking off where the Month of Kernel Bugs left off (http://www.macrumors.com/pages/2006/12/20061201145647.shtml), security researcher "LMH" and his team is reportedly set to launch another month-long security-hole finding project, this time targeting only Apple's products. According to the Washington Post, the Month of Apple Bugs (http://blog.washingtonpost.com/securityfix/2006/12/january_2007_month_of_apple_bu.html?referrer=email) will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.

For the Month of Kernel Bugs, software vendors were not given prior warning before vulnerabilities were released, a practice that has ruffled a few feathers in the industry. According to the Post, the Month of Apple Bugs will run similarly, as Apple will not be given advance notice of the bugs.

It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.

You can read MacRumors' interview with LMH regarding the Month of Kernel bugs here (http://www.macrumors.com/pages/2006/12/20061201145647.shtml).

Update: IDG/MacWorld provides additional information (http://www.macworld.com/news/2006/12/20/securitybugs/index.php).

Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple’s wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple community’s negative response to Maynor and Ellch’s claims played a role in the decision to launch the Month of Apple bugs.

“I was shocked with the reaction of some so-called ‘Apple fans,’” he said. “I can’t understand why some people react badly to disclosure of issues in their system of choice. … That helps to improve its security."

However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."


[ Digg This (http://www.digg.com/apple/Month_Of_Apple_Bugs_January_2007) ]



longofest
Dec 19, 2006, 03:32 PM
Guess January isn't going to be all fun and games for Apple...

evilgEEk
Dec 19, 2006, 03:34 PM
Well, as long as it improves OS X security I'm all for it.

caveman_uk
Dec 19, 2006, 03:34 PM
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

cait-sith
Dec 19, 2006, 03:35 PM
Good. Better he do it now while Apple is focused on his bugs and ready to release patches as soon as possible.

Is it fair to focus only on Apple bugs? Not really.

miketcool
Dec 19, 2006, 03:39 PM
Hopefully the Jan release of Leopard will put a wrench in his gears. :cool:

Some_Big_Spoon
Dec 19, 2006, 03:41 PM
Gets more press. If he focused on Windows bugs, he'd be one of 10k guys pointing out tens of thousands of bugs. He'll find 30 bugs (maybe) and post them one day at a time. It's more media whoring than anything else unfotunately.

Is it fair to focus only on Apple bugs? Not really.

longofest
Dec 19, 2006, 03:41 PM
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

The problem about that is that as long as the issue isn't publically disclosed, companies like Apple take their good old time patching them. Earlier this year, a guy was complaining that some issues that he found hadn't been addressed 6 months after he had reported it to Apple, so he finally released it to the public. If I recall, he ended up retracting the information and then the next Apple security update fixed the issue :rolleyes:

Hopefully the Jan release of Leopard will put a wrench in his gears. :cool:

Keep dreaming.

mcarnes
Dec 19, 2006, 03:41 PM
Does this guy really think he's doing a service? He is not. Maybe a service to criminals.

nsbio
Dec 19, 2006, 03:44 PM
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

Perhaps one of the reasons why these guys/gals are doing it this way is to attract Apple's attention and get them to interact/become part of Apple team. Without good arguments, that is, only with idle threats, Apple will never pay attention to them. If, however, some of these "bugs" turn out to be serious, Apple will have to pay attention.
I agree that this is a blatant way of publicity seeking, but nowadays it is the only way to sell a product. And in this case it is a perfectly legal way!

apachie2k
Dec 19, 2006, 03:45 PM
like many said before, if he really cared he would just send it to apple...

840quadra
Dec 19, 2006, 03:49 PM
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.


Agreed.

I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

My question is, if holes are found, how much is that information worth to people who want to take advantage of it? And also, if it is a moderate to high value, will this company / person take offers to share that information with people who would like to do wrong doing ?

My guess is, the information has value, and I am worried that this person / group would actually sell it to a high enough bidder, regardless of why that person / group needs that info.

Alexander
Dec 19, 2006, 03:50 PM
The problem about that is that as long as the issue isn't publically disclosed, companies like Apple take their good old time patching them.

I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

I expect the vast majority of these bugs to be yawners.

longofest
Dec 19, 2006, 03:54 PM
I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

I expect the vast majority of these bugs to be yawners.

Good point. Probably a good compromise would be for the researcher to say "here's the vulnerability. You've got a month, and then it will be public." It sounds kind of threatening, but in the end it would be the best of both worlds.

However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...

iMeowbot
Dec 19, 2006, 03:54 PM
Publicity or advertising don't match up as motivations when the responsible party has been making some effort to remain anonymous.

motorazr
Dec 19, 2006, 03:55 PM
what purpose does it serve to finds bugs in software if you aren't going to give the programers a chance to fix them? I mean good intent and all...but it makes little sense if apple won't get advanced notice to fix errors...

patrick0brien
Dec 19, 2006, 03:56 PM
"Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way," - LMH



Question: Are there any Mac users out there that actually think OS X is 'bulletproof'?

Every now and then some pundit/user blurts out that OS X users think their OS is invulnerable.

Nowhere have I seen this.

Frankly, I feel it is spite. Compared to XP, OS X seems invulnerable. I just hope there aren't any OS X users boasting 'bulletproofness'.

This my $0.02 because I'm tired of the Enderles of the world putting words in my mouth.

CEAbiscuit
Dec 19, 2006, 03:56 PM
Mods:

If you would like, merge comments from this thread:

http://forums.macrumors.com/showthread.php?t=261925

Thanks!

840quadra
Dec 19, 2006, 03:57 PM
Publicity or advertising don't match up as motivations when the responsible party has been making some effort to remain anonymous.

Why not?

If he wants to anonymously capitalize on his findings by selling the information to wrong doers, he is less likely to be caught.

CmdrLaForge
Dec 19, 2006, 03:57 PM
In principal I think that it is ok to show Apple where the bugs are if any but I think the timing is more then bad. Vista is coming out end of January for the average consumer and Apple wants to beat M$ on security. A month long reporting on Apples bugs will only help selling Vista instead of Mac OS. :(

my 2 cents

840quadra
Dec 19, 2006, 04:02 PM
In principal I think that it is ok to show Apple where the bugs are if any but I think the timing is more then bad. Vista is coming out end of January for the average consumer and Apple wants to beat M$ on security. A month long reporting on Apples bugs will only help selling Vista instead of Mac OS. :(

my 2 cents

Good point!

In addition to my other comments made in this thread, part of me smells a disgruntled former Apple employee that is spreading information for possibly known holes in the OS and applications. I would almost think that holes in OS X are really not that big or easy to find (if they were many would have been discovered by others now), and that you would need intimate knowledge of the OS to be able to find any worth reporting. Especially 30 to 31 of them!

yellow
Dec 19, 2006, 04:07 PM
I feel it's a good thing, I just hope that it's not as sensationalized as the MoKB was. There was some definite FUD being pushed there. I look forward to what LMH brings to the table. UNFORTUNATELY for him, Leopard will likely be out sooner rather than later, and some of his MoABs will be moot at best.

mkrishnan
Dec 19, 2006, 04:07 PM
So the Month of Kernel Bugs was only 10 days long? :rolleyes:

Mmm, I don't approve of the methods, but I hope the long-term result is better Mac security. I find it kind of sketchy that the MoKB page lists all the exploits but doesn't have a "patched by" column like most security listings do...so I too have to say I feel like these people are more interested in showing off their skills than enhancing security.

But, go ahead... I want to see how many days are in the Month of Apple Bugs.....

aranhamo
Dec 19, 2006, 04:15 PM
However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...

I don't know about that. The "big one" that I remember hearing about was pretty thoroughly debunked on a couple of sites, in that it doesn't permit arbitrary code execution as "LMH" claimed.

Apple already has channels for working with them on these things. "LMH" is just like that guy at the BlackHat convention; he's just trying to get his 15 minutes of fame. He doesn't really care about OS X security. I've personally reported bugs to Apple, and I've received polite, timely responses from them, and everything I've ever reported was fixed in the next update, and none of mine were ever very critical.

50548
Dec 19, 2006, 04:19 PM
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

Ditto. He is no better than a bunch of anonymous "hackers" out there...many of his "bugs" were already debunked by more serious people...this is just food for Windows fanboys, nothing else.

marco114
Dec 19, 2006, 04:19 PM
I guess if they did Windows bugs, they'd need years. Apple is much easier. I wonder if they will actually have enough content to fill an entire month.

iMeowbot
Dec 19, 2006, 04:27 PM
If he wants to anonymously capitalize on his findings by selling the information to wrong doers, he is less likely to be caught.
It's kind of tough to sell information when you have already disclosed it for all to see.

dex22
Dec 19, 2006, 04:33 PM
I've got $10 that says they won't come up with a new, unknown and unreported bug for every day of the month.

Earendil
Dec 19, 2006, 04:43 PM
It's kind of tough to sell information when you have already disclosed it for all to see.

Not per say. You can point out a vulnerability in a paragraph. However the tools, code, and techniques needed to take advantage of that hole can not be contained in the paragraph.

Now that said, pointing out that a hole exists in a particular part of the OS, and what that hole allows, does get a hacker a long ways towards figuring it out himself... if he's smart enough.

I'm currently working in QA for a software team. This man's approach is completely backwards to the way things should be done :mad:

840quadra
Dec 19, 2006, 04:43 PM
It's kind of tough to sell information when you have already disclosed it for all to see.

Agreed, however who is to say they don't keep some information to themselves, and or important details that make that information useful.

I do doubt that this is his / her intent, however I wouldn't rule it out for someone doing this type of work.

I've got $10 that says they won't come up with a new, unknown and unreported bug for every day of the month.

I hope you are correct, however the wording seems to suggest (to me) that the holes have been found, they are just waiting to release them in January..

081440
Dec 19, 2006, 04:49 PM
What an A**hole not telling Apple before posting the holes! If anything comes out of that I would hold him liable for damage.

Earendil
Dec 19, 2006, 05:02 PM
Isn't this kind of like telling someone they'll be better at self defense, right before you the ***** out of them? Sure, it might be true, but there are far better ways to go about it :cool:

MacinDoc
Dec 19, 2006, 05:07 PM
The fact that the "month of OS X bugs" will coincide with the release of Vista certainly suggests that this is nothing more than an attempt to discredit Apple. In fact, it would not surprise me to find out that this hacker is funded by Microsoft. Why only target Mac OS X? Why not Windows? Clearly it is this hacker, not Apple, that has the hidden agenda.

And the methods are terrible. To report a security bug to the public instead of the manufacturer allows other hackers the opportunity to exploit the bug before it can be patched. Shame on him!

Of course, the fact that he made many false statments during his month of kernel bugs shows just how trustworthy he is.

Does OS X have bugs? Of course it does. Do responsible people exploit bugs in this way? Not on your life. Two big thumbs down for this jerk.

Hobofuzz
Dec 19, 2006, 05:11 PM
What an A**hole not telling Apple before posting the holes! If anything comes out of that I would hold him liable for damage.

Actually, what the guy is doing trying to find holes in the OS's security then posting them for all the world to see is technically illegal. It's simply cracking. It's legal as long as you keep your findings to yourself, but once you share them with the rest of the world without contacting the people who own the system you're cracking is pretty much illegal as far as I'm concerned. I really hope Apple shuts this guy up before he gets a chance to do something this stupid. Looking for holes is fine, but spreading them across the web without contacting Apple first makes it obvious this guy is jealous that Mac OS X has far better security than Windows. He sounds like the little brat every elementary school had who was constantly getting in trouble, so they eventually turned into a snitch. Just another nerd trying to inflate his ego.

What he really needs to do is submit any findings he makes to Apple. I'm pretty sure Apple could find a way to sue him if he reports bugs to the web instead of to Apple first. I mean, it IS Apple's intellectual property, right? They have every right to know what people have discovered about Apple's own OS. Apple has every right to know and every right to stay tight-lipped about it. I'd rather Apple release a security patch with vague descriptions like "Airport security patch" and "Quicktime Flaw patch" like they have been doing than have some nerd on the net explain exactly how to exploit flaws. Spreading this information around the net won't get anything done. It'll just make Mac OS users' a little shaky until Apple releases the next security patch. I see no point in that other than giving us Mac users a Nelson "HA HA!"

Self-rightous bastard....

my rant is over!

longofest
Dec 19, 2006, 05:17 PM
I don't know about that. The "big one" that I remember hearing about was pretty thoroughly debunked on a couple of sites, in that it doesn't permit arbitrary code execution as "LMH" claimed.

Apple already has channels for working with them on these things. "LMH" is just like that guy at the BlackHat convention; he's just trying to get his 15 minutes of fame. He doesn't really care about OS X security. I've personally reported bugs to Apple, and I've received polite, timely responses from them, and everything I've ever reported was fixed in the next update, and none of mine were ever very critical.

That was ONE of the MoKB vulnerabilities that ended up being a little less extreme than at first thought. However, there were 9 others, and a couple of them also had arbitrary code execution in their description.

I guess if they did Windows bugs, they'd need years. Apple is much easier. I wonder if they will actually have enough content to fill an entire month.

They will have PLENTY to fill a month

SiliconAddict
Dec 19, 2006, 05:24 PM
Hopefully the Jan release of Leopard will put a wrench in his gears. :cool:

Won't happen and if it does people would be stupid to touch 10.5 for a few months afterwards.

ppnkg
Dec 19, 2006, 05:39 PM
Well, think different about this. If apple do not make any spectacular announcements, or no interesting rumors come up in January, there will be something to keep us busy on a daily basis for a whole month. :eek:

ChrisA
Dec 19, 2006, 05:41 PM
like many said before, if he really cared he would just send it to apple...

If he didn't make them public Apple would just trash his emails. The only way to get Apple to move on the bug fix is to tell the public and there by create a demand for bug fixes. Apple will have a big incentive to fix well publicized bugs.

I could list a few problems but do you think Apple would jump through hoops to correct them? No, you have to make them into something the media wants to run with.

ChrisA
Dec 19, 2006, 05:50 PM
Actually, what the guy is doing trying to find holes in the OS's security then posting them for all the world to see is technically illegal. It's simply cracking.

What law is being broken? Specifically. Can you quote it?

Yes it would be illegal if he broke into some one else's system then said how it did it but I'll bet he is just using his own Mac to do all his research. I can't imagine a law that prohibits looking very carefuly at how your own computer is set up. Apple even publishes the source code to the Mac OS X kernel to make this kind of inspection easier.

I'll be curious to see if he kinds exploits that do not require acces to an accounton the machine. If you have a local account that even I can think of stuff

mozmac
Dec 19, 2006, 06:13 PM
I don't see why Apple would really be against this. It will hopefully find ways they can improve their already stellar OS. It's like when you are writing an English paper and give it to a peer to evaluate. They proof read, find mistakes, give suggestions, and your paper better because of it.

mrkramer
Dec 19, 2006, 06:28 PM
If he didn't make them public Apple would just trash his emails. The only way to get Apple to move on the bug fix is to tell the public and there by create a demand for bug fixes. Apple will have a big incentive to fix well publicized bugs.


If he really cared he could report them to Apple, and give them some time to fix them. and if they didn't then release them to the public to give more of an incentive to fix them. It doesn't seem to me that anyone here is mad that he is releasing, just that he won't report the bugs to Apple before releasing them to the public.

081440
Dec 19, 2006, 06:41 PM
What law is being broken? Specifically. Can you quote it?

Yes it would be illegal if he broke into some one else's system then said how it did it but I'll bet he is just using his own Mac to do all his research. I can't imagine a law that prohibits looking very carefuly at how your own computer is set up. Apple even publishes the source code to the Mac OS X kernel to make this kind of inspection easier.

I'll be curious to see if he kinds exploits that do not require acces to an accounton the machine. If you have a local account that even I can think of stuff

He would be at least liable for any problems such as malware, viruses and the like that others made with his information as he would technically be an accomplice to the crime, I'm all for him finding bugs and problems, but he should tell Apple with ample time to fix them and then post the problems on the web. This was not placing Mac users at risk and also just so he could be considered a helpful person instead of a total jerk.

I hate the fact he is doing this when Vista will be announced very soon/ during the time period, but what can be done about that....

SeaFox
Dec 19, 2006, 06:57 PM
I expect the vast majority of these bugs to be yawners.

I expect them all to require some sort of insecure feature or service setup. Like for this exploit to work you have to have files set to open automatically in Safari, or you have to have Apache active, or you have to have physical access to the machine.

Hey, let me add to that statement, I expect at least a quarter of these bugs to be BSD bugs, and not ones that are specific to OSX.

SeaFox
Dec 19, 2006, 07:03 PM
I hate the fact he is doing this when Vista will be announced very soon/ during the time period, but what can be done about that....

You think that's just a freak coincidence? <grin>

TheBobcat
Dec 19, 2006, 07:07 PM
If he really cared he could report them to Apple, and give them some time to fix them.

Yeah, but this whole thing has nothing to do with security or the continued support of the OSX platform. This is fodder for all the Zune-toting MS Fanboys who are chafing every time Apple and the Mac Community in general are smug about OSX's security.

Apple and the Mac Community at large are basically painting a bullseye on their chest every time they pretend like OSX is completely impervious to viruses. Yes, its better than Windows, but is that really a huge accomplishment? Apple needs to continue to do what they have been doing, which has seemingly been very timely updates, and continue to remember that they can and should (hopefully with 10.5) continue to make further advances in security (which to its credit, Windows has done) and not rest on their laurels.

However, this "Month of Apple Bugs" is about being on the the front page of C|net, not security. And C|net will be thrilled to have it on there, and maybe accompanied by a blog or two talking about how the iPod is crap.

jbernie
Dec 19, 2006, 07:14 PM
Does this guy really think he's doing a service? He is not. Maybe a service to criminals.

So if it happens to Microsoft its all fine and dandy. But oh no, someone wants to do it to Apple. The end is near!

If the guy is just out to get attention with false reports then shoot him down. If he is documenting legitimate issues and Apple has been ignoring them then Apple has been failing you the customer by ignoring these issues.

If Apple wants to play with the big boys then it should expect to get the same treatment, Apple was doing so good for so long partly because it was more fun to attack 95% of the market. Now Apple is some what of a media darling, getting good publicity and is riding a wave of good profits.

As a result, it is now cool/fun/desirable to find bugs and try and release viruses for its platforms. Even though some of the "bugs" are very obscure and nigh on impossible to really work out in the wild.

I'm not saying that I think the guy is a god for doing this, and anyone who does this I will always doubt their real motivation, but sometimes people need to do this to get companies to take action and fix real problems. Best thing for Apple is to suck it up, patch what is legit, debunk the rest and hope the security experts side with them.

patrick0brien
Dec 19, 2006, 07:15 PM
...Apple and the Mac Community at large are basically painting a bullseye on their chest every time they pretend like OSX is completely impervious to viruses.

-TheBobcat

Who has said OSX is completely impervious?

AppliedVisual
Dec 19, 2006, 07:50 PM
Agreed.

I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

I agree.

This is how most security companies treat Windows. It's disgusting in a way... The vast majority of virii and hacks wouldn't exist if it weren't for "security" companies publishing their findings publicly. Often, they never even directly inform Microsoft of what they have discovered, or if they do it's after they have gone public.

I think that someone with honorable intentions would announce they will be conducting such a month-long testing regiment and then will disclose their findings privately to Apple, giving them a chance to address the issues, before going public. The public does deserve to know and all should be disclosed publicly, but give Apple a chance to acknowledge, duplicate and even try to patch some of the security issues before telling everyone about them. By releasing publicly, this guy is doing to Apple what countless "security experts" do to Windows and that's identifty and publish tons of security holes, leaving Microsoft playing catch-up and "security" companies begin adapting the information to their virus scanner profiles for which they can charge more money...

As OSX increases in popularity - and it is, Apple is selling more systems now than ever before, we're going to see a lot more of this. And while I do believe that OSX does have an advantage over Windows in terms of general security, I'm also sure that in the hands of capable hackers, it will become yet another lump of digital swiss cheese. :( All we can hope for is that Apple's developers are ready for the upcoming onslaught of rogue hackers performing their "services".

AppliedVisual
Dec 19, 2006, 08:01 PM
I expect them all to require some sort of insecure feature or service setup. Like for this exploit to work you have to have files set to open automatically in Safari, or you have to have Apache active, or you have to have physical access to the machine.

...That's how 90% of the exploits in Windows work too, you know. Most are "yawners" as Alexander stated, when talking of his expectations of OSX bugs, but the little minor things do matter. And in corporate environments with lazy IT people who relax security features to help work-around network management issues or user data problems, this can wreak havoc. Same goes for careless home users who don't think of themselves at risk or don't understand how they may be at risk.

Hey, let me add to that statement, I expect at least a quarter of these bugs to be BSD bugs, and not ones that are specific to OSX.

Good chance of that... And that would be a good place for a hacker to start with OSX - with the BSD kernel and what has been released of the Darwin project. Lots of info out there and already some known exploits to investigate.

At any rate, I think this is just a sign of things to come. OSX's time is finally here to face the music, er... hackers. I think this guy is a complete ass, but he's just the first of many that will come. And as I think it's already been mentioned or alluded to, given "LMH"'s track record and ignoring of Windows, there's a good bet that he's out to expose whatever flaws in OSX that he can so they have no claims of security over Vista. He may not be a Microsoft employee or agent directly, but I think it's showing where his interests lie and he's definitely a detractor of sorts.

MacinDoc
Dec 19, 2006, 08:09 PM
So if it happens to Microsoft its all fine and dandy. But oh no, someone wants to do it to Apple. The end is near!
Wrong. If he did this to Microsoft, it would be equally evil (mind you, Microsoft would likely find a way to shut him down, so the point is moot; and anyway, he certainly appears to be a Microsoft fanboy, since he has made no effort to document bugs in Windows Vista, which if you hadn't noticed, just had its commercial version released, and with such a new release, likely has more bugs than the current version of OS X).
If the guy is just out to get attention with false reports then shoot him down. If he is documenting legitimate issues and Apple has been ignoring them then Apple has been failing you the customer by ignoring these issues.
He already has made false reports regarding the potential vulnerabilities caused by some of the kernel bugs he found. And he's not publicizing bugs that Apple has refused to fix, since he has not yet reported them to Apple.

TheBobcat
Dec 19, 2006, 08:26 PM
-TheBobcat

Who has said OSX is completely impervious?

I never said anyone said such things in such terms, but you have to admit that through Apple's advertising slogans such as "114,000 Viruses? Not on a Mac." while true, are basically suggesting that the reason for this is solely OSX's superior security systems ie. the graphic they show with it of the Finder Icon as a padlock. The slogan isn't "Compute the way relativly few others do, and stay out of the sights of hackers."

This leads to the conundrum of, how do you push these valid selling points, while not acting smug. I do not know how to solve this, but I think that directly attacking PC's such as the Get a Mac campaign is the wrong direction to go in as far as viruses go.

I believe its the smugness of the Mac Fan's and even Apple itself that have really inspired many to find as many bugs and hacks as they can and reveal them to the public.

Does OSX have superior security and is inherently more secure than Windows? Yeah, definitely.

Is Apple and many of its Mac Users smug about the lack of viruses? Yes.

Is that the reason for the recent myriad of people trying to expose all different kinds of hacks on OSX and the Mac hardware? I think so.

SeaFox
Dec 19, 2006, 08:27 PM
So if it happens to Microsoft its all fine and dandy. But oh no, someone wants to do it to Apple. The end is near!

That's right. It's sort of like having a stiff limb or back. It bothers you at first, but after awhile you get used to it and soon you don't even feel the pain anymore. It's considered normal. So is the pain of Windows "security".

If the guy is just out to get attention with false reports then shoot him down. If he is documenting legitimate issues and Apple has been ignoring them then Apple has been failing you the customer by ignoring these issues.

In case you missed the point of this "Month of Apple Bugs" they are supposed to include all previously unknown exploits in the MacOS. Maybe Apple has knowledge about them from their own research, but this guy has certainly not submitted the info to Apple previous to this. They haven't had an opportunity to ignore them after his timely notification.

This is going to be an exercise in PR, and how fast Apple can patch the bugs once they're made public. The "researcher's" goal is to illustrate that Apple is no more secure than any other OS by showing a bunch of bugs in it. It's somewhat of a false dichotomy, the question isn't "is this OS secure or not?" where the common knowledge is "Windows is not because of all these bugs and OSX is because it is free of venerabilities." The question is really "Is this OS more secure than Windows". The answer will depend on the severity of the bugs shown and how many Apple is able to patch.

Apple has already won part of the battle because even if a new venerability is shown every day that will still be a better track record than Windows has.

If Apple wants to play with the big boys then it should expect to get the same treatment...

So when is the "Month of Windows Bugs"? Oh, wait. There wont be one! Because that's not newsworthy.

Apple was doing so good for so long partly because it was more fun to attack 95% of the market. Now Apple is some what of a media darling, getting good publicity and is riding a wave of good profits.

As a result, it is now cool/fun/desirable to find bugs and try and release viruses for its platforms. Even though some of the "bugs" are very obscure and nigh on impossible to really work out in the wild.

I would argue that it is not significantly more desirable to "get" an OSX machine now than it was one year ago. The hot commodity right now is Vista venerabilities. Remember that the hackers are in it for profits, and since over 90% of computers are Wintels that means the most bang for the buck is still starting bot-nets of Redmond's best.

I'm not saying that I think the guy is a god for doing this, and anyone who does this I will always doubt their real motivation, but sometimes people need to do this to get companies to take action and fix real problems. Best thing for Apple is to suck it up, patch what is legit, debunk the rest and hope the security experts side with them.

Part of me is actually looking forward to this, because I think Apple does sit on security issues. I want to see Apple bust out the midnight oil and patch these as soon as they come out every day. I want this month to blow by and this guy to be left with nothing to show for it but making OSX more secure. I know that's what he claims he's doing but this task seems pretty daunting and looks to be more likely a Microsoft-thought up FUD campaign.

-TheBobcat
Who has said OSX is completely impervious?

Artie McStrawman, of course.

gerardrj
Dec 19, 2006, 08:44 PM
BUGS != VULNERABILITIES

A bug means the code does not operate in manner that you'd expect and is perhaps documented.

When you click on a button in the GUI and the expected action does not occur, that is a bug. There is no associated security risk with that bug.
Mac OS X and the associated Apps have lots of bugs. I could name 30 right now but it doesn't get me, Apple or you anywhere. Apple knows about them and they'll be fixed in due time.

Just in the way of example:
In the Mac OS X Server Admin application, when looking at a server's log files, there is a "filter" window that acts much like the search function in iTunes or Mail. However, when you enter text in the search field all log entries disappear. This is a bug. It has zero security risk. I've informed Apple of it. I'm slightly annoyed they didn't fix it in the last patch of that App, but I'll live.

AidenShaw
Dec 19, 2006, 08:56 PM
BUGS != VULNERABILITIES

Please reread the main post, where it says:

...the Month of Apple Bugs will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it

So, apparently they'll be ignoring crappy coding - and concentrating on the issues that are in fact VULNERABILITIES.

SeaFox
Dec 19, 2006, 08:58 PM
BUGS != VULNERABILITIES

A bug means the code does not operate in manner that you'd expect and is perhaps documented.
:rolleyes:
I think we all know that when there is discussion of a "Month of Apple Bugs" the idea is to trot out venerabilities, or do you seriously think this guy is going to reveal that a certain setting in System Preferences does not retain its value between restarts?

"Bugs" is the term used for venerabilities in the media all the time. Kinda like how people in this thread keep calling the Black Hats "hackers". A hacker does not break into computer systems or do malicious stuff. They are more academically curious and rig devices to perform functions they were not normally designed to do. The term that should be used is "cracker" as any Slashdotter would tell you.

SeaFox
Dec 19, 2006, 09:18 PM
Please reread the main post, where it says:

...the Month of Apple Bugs will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it

I missed the "or in Apple applications" part. I guess we'll be seeing a lot of Safari and iTunes-based exploits. This just in: Connecting your computer to a global unregulated network might be hazardous to your privacy and computer's health! :cool:

I wonder what this says about our security researcher? I'm sure he came up with his month's worth of bugs before announcing it, could he not find enough exploits in just the Mac OS to cover his little reign of terror? :p

ifjake
Dec 19, 2006, 10:06 PM
bring it.



I'm actually curious to know if Apple isn't preemptively turning up the security with Leopard or not. Let's head this thing off at the pass.

patrick0brien
Dec 19, 2006, 10:57 PM
I never said anyone said such things in such terms,

-TheBobcat

Well sure you did, look at the quote. Please be cautious of blanket statements, I'm hopeful you don't want to be guilty of a similar thing you are railing against.

Look, I'm not trying to be confrontational, but as you say, the facts are facts. I see nothing in Apple's advertising that is actually smug - it's people's interpretation of it. Also, I'm beginning to see that there is a misunderstanding of the definition of 'smug' itself.

Now, we could argue the conclusion Apple is attempting to draw, but then, we'd be arguing opinion wouldn't we.

If Apple's fans are smug, well then, we can't help that. But then, Apple fans don't have a monopoly on smugness.

Additionally, there is indeed a grain of truth to the 'Security through Obscurity" term, but a small one.

It is stated fact that OS X is designed from the ground up with strong security in mind - it is based on a foundation of intent to be attached to a network with long uptimes.

Windows grew into the network - ergo the security issues it has today.

This attempt by 'hackers' is a sign that Apple is getting their attention. It will be telling to see Apple's behavior as a result.

e12a
Dec 20, 2006, 12:56 AM
Although I like Apple,

IMO, if you're going to advertise that Macs are virtually virus free (some people associate this with security), go ahead and let him do it. See how many he finds.

If he finds 30, that's OK. Apple will patch them up.
What about Window's gazillion that are being fixed on a weekly basis.

karlfranz
Dec 20, 2006, 01:01 AM
I am so sick of f@#ktards like this guy and all his ilk. I guess I dream of a utopian society where these imbecils, whether they claim their activities are for "good" or "evil", would redirect their focus toward more beneficial purposes.

It's idiots like these that ruin it for everybody and also the reason why (after almost 20 years) I'm no longer interested in developing software applications for a living.

I remember a day when one could write program to serve a particular goal and that was it. Nowadays 95% of the effort spent in writing an application is devoted to plugging up security holes to prevent these cretins from taking advantage of technology for their nefarious goals. They've taken all the fun out of it for me and countless others who simply refuse to develop software anymore because of the liabilities involved. I didn't spend 5 years studying computer engineering to learn the intricacies of computer security (for which I have absolutely no interest).

Sometimes I wish they would enact laws that would criminalize those involved in hacking, spyware, spamming, phishing, and writing viruses.

BTW: All this crap is the main reason that I abandoned the Windows platform and went back to the Mac OS (after a 15 year absence). Now these idiots are starting to play more on our hallowed turf. Can't we just throw them all in a pit and set them ablaze?

-

gnasher729
Dec 20, 2006, 04:33 AM
That was ONE of the MoKB vulnerabilities that ended up being a little less extreme than at first thought. However, there were 9 others, and a couple of them also had arbitrary code execution in their description.

"Arbitrary code execution in their description" doesn't mean arbitrary code execution is actually possible.

What happens usually is that first someone finds out how to crash a program or some component of an operating system. That alone is obviously a reason to fix the problem; programs are not supposed to crash. At that point, the developer fixing the problem will in some cases see that arbitrary code execution is obviously impossible. In other cases he can either write that arbitrary code execution _may_ be possible, or he will have to investigate further. But nobody pays him to investigate further, and it would be better for everyone concerned if he goes on to the next problem!

So "possible execution of arbitrary code" usually just means that the developer did not waste his time to check how severe a problem was that he just fixed.

Hak
Dec 20, 2006, 06:40 AM
I don't really thing that such action is anything else than attracting the media attention to some bunch of incompetent security researchers!!

Why do i say that? Well i am sorry but this 'LMH' is just a big lier, who only knows spreading fuds around mac security for his own benefit.

I mean saying that you found a security bug in a software is rather easy to do, prove that your claim is correct is another story. And this is where 'LMH' is incompetent, or maybe i could also say a lier.

Remember the 'Months of kernel bug'. 'LMH' came very exited (to the point where he was near to make a hole in his pan) to the media to say them he found a security bug in OS X that could trigger a remote attack. This security bug was related to disk images, and 'LMH' made the statement that a corrupted disk image could trigger a remote attack , a memory corruption, or whatever else an attacker could do remotely.

The point is that the only thing that 'LMH' discovered was that a disk image corrupted in a certain way could kernel panic OS X and from this, he conluded that triggering a kernel panic equals to a security bug. However he did not bother to verify wether indeed such bug could really trigger a remote attack.

Being so incompetent or just a lier, someone else bothered to check wether or not this bug was really a security bug or just a bug that the only thing that it can do to the user is crashing his/her computer.

Alastair did go through a detailed analysis of the bug described by 'LMH' and concluded this:

"

So, what have we learned:

- It is not a memory overwrite bug.

- It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.

- It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.

"

I would really advise all of you to read the analysis of the bug:

http://alastairs-place.net/2006/11/dmg-vulnerability/#more

The other disk image bug described by 'LMH' is also explained

http://alastairs-place.net/

So now why should i/we believe anything coming fron this guy? Because this is the problem, how can we believe so-called security researchers when they lie to us for their own benefit?

And the other problem is that a lot of them get so exited because they found a bug in OS X (media love such guys) to the point where they do not bother any more to check if what they discovered is really what they think it is.

In the case of 'LMH', its a lie, that's how i call it. Saying that he discovered a security bug when he did not even check wether it was really the case or not, is a lie.

In conclusion, what is the credibility of this guy for this 'Months of Apple bugs'? I would be glad that some people wish to improve the security of a given software. But it is really the aim here, or is it just fud, .......plain fud? This guy already lied, why won't he do it again?

So for me what he says now is just a plain media attraction procedure (manipulated by a third party or not), in other words ....... ********!!!!

When Alastair wrote his article to explian the disk image bug and to prove that what 'LMH' said was wrong, i submitted the news related to the Alastair4 article to macrumors but it did not get publised. What i want to say is that people believe easily wrong information but which sounds exiting. When it comes to say the truth, well that's another story, its a much more difficult task to spread it.

How many web sites covered the disk image bug described by 'LMH'? Plenty of them!!!!

How many of them did cover the Alastair' article which says the TRUTH?
Well, you could count them in your fingers!!!!!

USMaC
Dec 20, 2006, 06:41 AM
I don't see why Apple would really be against this. It will hopefully find ways they can improve their already stellar OS. It's like when you are writing an English paper and give it to a peer to evaluate. They proof read, find mistakes, give suggestions, and your paper better because of it.

But normally your peer would give the paper back to you with the suggestions before pointing out the flaws to your professor.

puuukeey
Dec 20, 2006, 07:21 AM
maybe if you don't want this, you shouldn't get some emo kid to spit at pc users. or maybe its the current political strategy: alienate your foes, solidify your base

Trust a mac (http://movies.apple.com/movies/us/apple/getamac/trustmac_480x376.mov)
Viruses (http://movies.apple.com/movies/us/apple/getamac_ads1/viruses_480x376.mov)
http://www.apple.com/getamac/viruses.html

longofest
Dec 20, 2006, 07:47 AM
Update: IDG/MacWorld provides additional information (http://www.macworld.com/news/2006/12/20/securitybugs/index.php).

Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple’s wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple community’s negative response to Maynor and Ellch’s claims played a role in the decision to launch the Month of Apple bugs.

“I was shocked with the reaction of some so-called ‘Apple fans,’” he said. “I can’t understand why some people react badly to disclosure of issues in their system of choice. … That helps to improve its security."

However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."

CrazyWingman
Dec 20, 2006, 08:06 AM
I hope I can get this posted before everyone writes off this thread as a useless flamewar. :P

I have a question for everyone, though: How many viruses have you had on your personal machine?

I ask because since I first connected to the internet many years ago (mid-late 90's), I have *never* had a virus installed on my machine. I once downloaded a Doom WAD that my virus scan caught when I unzipped. The only ad/spyware I've ever had installed on my machine was Kazaa, but since that was only on my Windows partition, my normally-booted Debian was still fine.

I spent four years at college with my machine always on, always connected, always with some open services (ssh, apache, samba, occasional ftp), at a static IP on a class A network. Never once did that machine get infected.

Sure, I had a friend (didn't we all?) who left an insecure service open, and had it hacked by some script kiddie. I've even seen the awful reboot-Windows-NT-30-seconds-after-it-boots bug swarm a network. But none of this has ever happened to my machine.

So, the point of my question is to find the cause of all the hand-wringing here. Have all of your machines really had viruses on them? Are you just worried that there will be a virus so nasty one day that you won't be able to avoid it? Are you just worried for the n00bs who will wrongly accuse their computer of being vulnerable, rather than their security practices?

Don't get me wrong. I'm not saying my machine is invulnerable. And, I'm not saying that there aren't other people who are at a much higher risk of being attacked. I'm just suggesting that for the common, reasonably well-informed user most of these bugs won't matter at all.

mkrishnan
Dec 20, 2006, 08:17 AM
No, CW, I agree with you... I haven't really negatively been impacted by a virus on a personal computer since I had my Amiga. I did run across a couple of Windows viruses in the Win95 era that were caught by virus checker. And I've been affected at the corporate level (e.g. Outlook blackouts). And I've had to use adware infested shared Windows PCs before. But that's about it. Viruses are more of a non-issue for me on my Mac than elsewhere, but still a non-issue....

matti503
Dec 20, 2006, 08:20 AM
I hope there will be a Month of Vista Bugs too. If not, this seems a little biased.

In my opinion, Apple should fix bugs faster, or they'll end up like MS in 2002. MS is still healing from the bad publicity they got, 'cause their OS was like a fishnet.

At least nobody gets junkmail 'cause of OS X. I get 30 viagra ads in week and they all seem to come from people that exist.

bilbo--baggins
Dec 20, 2006, 08:34 AM
Anyone willing to make Apple aware of genuine security risks is very welcome as far as I'm concerned. If it's just anti-Apple propoganda then I think they would need to do a lot more than highlight the odd obscure security risk to even begin to scratch at OS X's gleaming record.

puuukeey
Dec 20, 2006, 08:35 AM
CW: Are you just worried that there will be a virus so nasty one day that you won't be able to avoid it?

exactly. I back up. but my one laptop is my work, play, hobby, social life, teacher, entertainer, library, stereo, and a musical instrument

I spend an awful lot of time *creating* (not just surfing) on my laptop. upwards of 12 hrs a day. so losing just one week can set me back eons. losing my art would be like losing a child. (ok maybe a step child)

Hak
Dec 20, 2006, 10:03 AM
“I was shocked with the reaction of some so-called ‘Apple fans,’” he said. “I can’t understand why some people react badly to disclosure of issues in their system of choice. … That helps to improve its security."

What a hypocrite!!!!

He is himself not professional by spreading fud about mac security. David Maynor and Jon Ellch NEVER NERVER proved that the security issue that they showed could work on a mac system with a built-in wifi card. Like them, 'LMH' NEVER NEVER proved that the disk image bug could trigger a remote attack. And so now he has some pity for Maynor and Jon Ellch NEVER and he feels that he needs to spread more fuds or what?

Why people should believe someting which is not proved or verified? This is the question, why people should believe unverified statements? Neither him nor Maynor and Jon Ellch NEVER provided any evidence that the security issues they were talking about were true or not. And now he comes to say us that somehow that's fine just believe the fud that we say. In which planet does this make any sense?

So i should believe now from this guy who does not even have the courage to give his real name that anyone saying something against a bunch of unprofessional security "researchers" are mac fans, right? So someone comes up with a security issue related to the mac, people ask him/her to prove it, and the only thing that he/she says is that no!!!!! guys you are just mac fans!!!! Why bother to make properly my job, you are just mac fans? Right?

Miserable

macnews
Dec 20, 2006, 10:29 AM
CW - people buy macs because of the lack of virus and spyware. Notice I said lack, not abscense. And yes, I have been affected at work by virus and spyware systems. I run a lab of computers and in the late 90's early 2000's it was difficult to keep the system's patched and free of all the crap that slowed them down.

As to the month of bugs guys - I seriously question there "reporting" abilities. There are some VERY serious security bugs for OSX BUT most require physical access to the machine. The majority of the time, this isn't mentioned or is about as noticable as small legal print in an advertisment.

Do I have a problem with these guys finding security issues? No.

Do I have a problem just releasing it to the public? Yes, but there is an interesting point about how companies react to this type of stuff. MS used to be much worse about responding to security issues and some accuse Apple of the same now. So I can somewhat see the point but...

Do I trust these guys? No, they are not a professional security research firm, nor have they acted in a professional manner in the past. To not release what they did/how they did it goes completely against the "we are just trying to help" mantra they keep repeating. Plus, they also don't fully disclose until pressured - i.e. using a 3rd party wireless card. Yes, some may use it but truly not an issue for 99.99% of mac users thus mitigating the seriousness of their claim but the failure to mention hurts their credibility.

Do I think they will find a bug a day? Possible. But I think it will be a case of mixed half truths. I'm betting over 90% will require local access to the machine and/or use third party apps be they software or hardware.

Either way, you can bet the media and CNet will have a field day announcing how Mac OSX isn't "quite secure as some people might think" (watch for that direct quote). I know I will have to spend at least an hour on the phone with my Dad who just bought a new 20" Imac because he was sick of virus and spyware on his 2 year old windows machine, which had replaced a 1 year old windows machine - now that is longevity ;)

eightball0
Dec 20, 2006, 03:18 PM
A lot of the responses here make me embarrassed to be a Mac user. The fact is that publishing security bugs makes us all safer and keeping them secret puts us all at risk.

Recently, hacking has become a for-profit sport. For-profit hackers dig around for security bugs and keep them to themselves so they can exploit them for profit. (How can they profit? Let's say a CEO uses a particular application on his laptop. Knowledge of security bugs in that application provides a for-profit hacker with a vector for corporate espionage).

Publicising hacks puts for-profit hackers on notice: they can't use those security bugs secretly. It also puts corporate IT shops on notice: if an application has security bugs, they can remove it from vulnerable places (such as the CEO's laptop). It lets us decide if we want to put ourselves at risk.

Don't be naive: whether or not security bugs are publicised, they still exist, and for-profit hackers still know about them.

Apple has been inadequately responsive to security bugs. Here's a report from Secunia (http://secunia.com/product/96/?task=statistics_2006) showing that Apple has 10% unpatched security advisories. Many of these bugs are in the Mach kernel--and the source code is available, so for-profit hackers certainly have the opportunity to skim through the code and find these bugs.

Remember that there are fewer hackers looking at OS X than at other operating systems. The true number of security bugs is likely far higher--especially since Apple does not have as large a security team as Microsoft and other vendors. Worse, they have not developed a secure code checkin process as Microsoft has developed for its operating system.

Publicising these bugs will only help Apple improve their products. They need to show the same commitment to security that Microsoft has shown (often unsuccessfully, but they are moving in the right direction).

It's only a matter of time before the viruses on Windows make their way to OS X. Apple has been coasting on luck. Hopefully, Leopard is a step in the right direction, but I'm not hopeful. Microsoft finally fixed Windows security in Vista, adding many UNIX-style security features that will dramatically reduce the problems users face. It would be a shame if a drop in Windows security bugs coincided with an increase in bugs by Apple.

eightball0
Dec 20, 2006, 03:25 PM
I can't find any links to this right now, but I do recall reading security researchers on the Internet complaining that Apple is very slow to patch bugs that they submit to Apple. (You could argue that since I'm not providing a link that I'm making this up, but hopefully you trust me.)

Releasing bugs publicly may be the best way to light a fire under Apple's derriere. This worked for Microsoft--after complaining for years that it was unfair and dangerous for security researchers to disclose bugs before Microsoft fixed them, they finally increased the number of people working on Windows security.

I hope Apple responds in the same way.

MacinDoc
Dec 20, 2006, 06:15 PM
A lot of the responses here make me embarrassed to be a Mac user. The fact is that publishing security bugs makes us all safer and keeping them secret puts us all at risk.
Reporting them to Apple immediately on discovery would make us all safer. Waiting weeks or months to release them, and then releasing them to the public before releasing them to Apple (and in a month-long publicity stunt to boot) puts us all at increased risk. How long has this hacker been sitting on this information? Months? That's given potential crackers months to work on exploits, and Apple can't start working on fixes until the bugs are reported. Make no mistake, the way this is being done, it's not for the benefit of Apple or Mac users.
Publicising these bugs will only help Apple improve their products. They need to show the same commitment to security that Microsoft has shown (often unsuccessfully, but they are moving in the right direction).
If Apple shows the same commitment to security as Microsoft, then we are all in trouble. I hope that Apple's commitment to security will be much better than Microsoft's has been to date.
Microsoft finally fixed Windows security in Vista, adding many UNIX-style security features that will dramatically reduce the problems users face.
That remains to be seen. Why do you think Microsoft released Vista to corporate clients first, with everyone else waiting for 2 months to get it? Corporate clients can be trusted to report bugs to Microsoft, instead of publishing them for all to see. This gives Microsoft an opportunity to fix the bugs before they can be exploited, and avoids the media circus created by sensationalization of the bugs. But until the public release of Vista, its supposed increase in security remains unproven.
Remember that there are fewer hackers looking at OS X than at other operating systems.
Based on what evidence? It seems that hackers looking for bugs in OS X have been media darlings of late. Finding a vulnerability of OS X seems to be the best way to get publicity and make a name for yourself.

Anyway, even if OS X only had 3% of all crackers trying to exploit its vulnerabilities, shouldn't it have 3% of all viruses? On last count, how many OS X viruses were there in the wild? And how many Windows viruses?

MacinDoc
Dec 20, 2006, 06:21 PM
Apple has been inadequately responsive to security bugs. Here's a report from Secunia (http://secunia.com/product/96/?task=statistics_2006) showing that Apple has 10% unpatched security advisories. Many of these bugs are in the Mach kernel--and the source code is available, so for-profit hackers certainly have the opportunity to skim through the code and find these bugs.
Secunia also states that 17% of reported Windows vulnerabilities are unpatched, including one reported in March 2005 that is listed as "highly critical" and allows complete system access from a remote site. Compare this to the 9 listed unpatched OS X vulnerabilities, most of which are moderately critical or uncritical, and allow for the most part Denial of Services at worst.

FrankBlack
Dec 20, 2006, 06:30 PM
I just read this (http://www.macworld.com/news/2006/12/20/securitybugs/index.php) over at Maccentral.

"This latest Apple project is being launched to raise awareness of security vulnerabilities in Apple’s products and to “stomp smugness,” Finisterre said via e-mail."

That comment is one of the things that makes me feel that this is not really about finding security problems, but that it is about something else. I suspect an ego-political problem.

I feel that Apple has done an excellent job with security, certainly better than the "second tuesday of every month is patch tuesday" routine in the windows world.

I think everyone agrees and understands that no operating system is perfect or totally secure. With that in mind, what point are these individuals trying to make?:confused:

AppliedVisual
Dec 20, 2006, 06:33 PM
Reporting them to Apple immediately on discovery would make us all safer. Waiting weeks or months to release them, and then releasing them to the public before releasing them to Apple (and in a month-long publicity stunt to boot) puts us all at increased risk. How long has this hacker been sitting on this information? Months? That's given potential crackers months to work on exploits, and Apple can't start working on fixes until the bugs are reported. Make no mistake, the way this is being done, it's not for the benefit of Apple or Mac users.

I think that's what bothers me most... This is a publicity stunt more than anything and there's a good bet that this guy (and his cronies) has been working on identifying these security holes for several months, if not a year or more. They claim they're going to have a new bug to report each day... How do they know that? ...Unless they already have 30+ things to report, which is very likely. Simply holding the information to release publicly with a bunch of "d00d, L00k @ m3!" hacker fan-fare rather than disclosing it to Apple upon discovery says a lot about this guy.

I'm all for releasing the findings publicly, but it should be done with responsibility. To better increase everyones' security, it should be done after Apple has a chance to review the findings and start working on any necessary fixes. ...I know this isn't going to happen, just as with Windows. Too many ******* "security experts" out there doing more harm than good. Mostly their purpose is self-serving, even though they claim they're helping the community.

eightball0
Dec 20, 2006, 07:19 PM
I'm not sure why people think that OS X has fewer security problems per line of code than Windows does.

First, let's be clear: OS X is likely to be more secure for the end-user than Windows XP. OS X does not typically run as a 'root' user so users are typically protected.

However, that merely makes the task more difficult for a hacker. There are a number of privilege escalation bugs that, once on a local machine, makes OS X as insecure as Windows.

OS X is less-exploited because it's not as profitable to exploit, nor as effective to write worms for. The low installed base of OS X machines means that hackers won't be able to make as much money off popup ads or spambots as they would if they hacked Windows. Furthermore, worms that spread themselves through randomly scanning IP addresses will not reach a critical mass because there aren't enough OS X machines to reach. Finally, many hackers work from Eastern European and East Asian countries where Macs are priced far more highly than PCs. Thus, they do not have access to those machines.

Finally, there certainly are fewer people looking for hacks in OS X than in Windows. 97% of computers do not use OS X. Thus, in order for there to be an equal number, the 3% of OS X users would have to have a 30 times greater percentage of hackers than those working on other operating systems.

All of these factors together are what protect Mac users from viruses. Aside from privilege separation, there's nothing inherently secure about OS X or Apple's development methods.

The security bugs in OS X are patched frequently. Us OS X users patch our systems as often as Windows users patch theirs. While Microsoft has 'patch Tuesday,' Apple has 'patch randomly' which seems to be as often as Microsoft. This security update was '2006-008,' meaning that it's the 8th security update of the year. Combined with 5 point releases of OS X this year (10.4.4 - 10.4.8), that's 13 updates--or, one more than the number of 'Patch Tuesdays' this year.

That's just OS X security updates, too. An Apple list of security updates (http://docs.info.apple.com/article.html?artnum=61798) shows over 20 updates this year.

Yet despite the number of updates Apple does, they're still finding relatively disturbing bugs in OS X. Safari in particular is a scary program--it has several times contained bugs that are triggered by nothing more than visiting an image or disk image file that has been designed to crash and execute code. (Early versions of Safari had bugs that could run shell scripts right from specially-designed URLs, too). These bugs are ones that Microsoft and Mozilla fixed in their browsers years ago, yet Apple does not seem to have learned their lesson.

Compare Secunia's 2006 statistics for Windows XP (http://secunia.com/product/22/?task=statistics_2006) and OS X (http://secunia.com/product/96/?task=statistics_2006). Apple has 38% unpatched advisories, and 13% of all bugs are extremely critical. On the other hand, Microsoft has 10% unpatched, and only 7% of all bugs are extremely critical.

We should not be defending Apple here. We should be pushing them to do better. I'm constantly amazed at how people defend Apple when they're making mistakes. If I wanted second-best, I'd be using Windows. Sadly, I think security is one area where Microsoft will ultimately put Apple to shame.

IE 7 in Vista is by far a more secure browser than any other. Its privilege separation should more-or-less eliminate serious spyware. OS X has nothing like this right now, and unless Apple steps up and adds it to Leopard (and thus far no one has seen evidence of this in the beta), Microsoft will be ahead in a critical area.

MacinDoc
Dec 20, 2006, 07:46 PM
Finally, there certainly are fewer people looking for hacks in OS X than in Windows. 97% of computers do not use OS X. Thus, in order for there to be an equal number, the 3% of OS X users would have to have a 30 times greater percentage of hackers than those working on other operating systems.
The fact is, OS X does not even have 0.001% of the viruses in the wild. The one published "virus" was not self-replicating and required users to take specific actions to have its effect (even I can write a script that will erase your HD if you enter your admin password and run the script).
Compare Secunia's 2006 statistics for Windows XP (http://secunia.com/product/22/?task=statistics_2006) and OS X (http://secunia.com/product/96/?task=statistics_2006). Apple has 38% unpatched advisories, and 13% of all bugs are extremely critical. On the other hand, Microsoft has 10% unpatched, and only 7% of all bugs are extremely critical.
Sorry, but I call FUD here. Your own links contradict you. They show that 17% of reported Windows vulnerabilities are unpatched, compared to 10% of reported OS X vulnerabilities. And they show that the highest severity of OS X bug that was unpatched was "moderately critical", compared with a maximim severity of "severely critical" for Windows.

pimentoLoaf
Dec 20, 2006, 09:22 PM
It's not surprising the researchers "abruptly" stopped planning an Oracle disclosure, as Oracle's bizarre EULA's expressly forbid benchmark tests results (http://www.byte.com/documents/s=6973/byt1013211368617/0211_editorial.html) without prior permission.

Have they actually terrorized anyone in court? Why did the researchers back down without explanation?

patrick0brien
Dec 20, 2006, 09:42 PM
I agree that releasing information - even the existence of bugs and security concerns, without giving the vendor a chance to address them is irresponsible at best, and aiding and abetting at worst.

JeffDM
Dec 20, 2006, 09:44 PM
Based on what evidence? It seems that hackers looking for bugs in OS X have been media darlings of late. Finding a vulnerability of OS X seems to be the best way to get publicity and make a name for yourself.

Being a media darling doesn't necessarily bring much money if any at all. Having an unpatched exploitable security hole can fetch a lot of money. There is not much money in hacking OS X, but there is plenty of money hacking Windows.

eightball0
Dec 20, 2006, 11:21 PM
The fact is, OS X does not even have 0.001% of the viruses in the wild. The one published "virus" was not self-replicating and required users to take specific actions to have its effect (even I can write a script that will erase your HD if you enter your admin password and run the script).


I've never argued that OS X has more "in the wild" bugs--in fact, I've argued that it has fewer because people aren't interested in writing them for OSX. I'm pointing out that if people were interested, there are plenty of bugs in the OS to exploit.

Sorry, but I call FUD here. Your own links contradict you. They show that 17% of reported Windows vulnerabilities are unpatched, compared to 10% of reported OS X vulnerabilities. And they show that the highest severity of OS X bug that was unpatched was "moderately critical", compared with a maximim severity of "severely critical" for Windows.
I call didn't read my links. Your numbers are for all time. Mine are for 2006. Scroll down the links and look at the graphs. You'll find the numbers I cited. If you're still not convinced, I'll paste the images in tomorrow.

The fact is the quality of Apple's coding is at least as bad as Microsoft. OS X's security advantage is due to privilege separation and low market share. Apple needs to improve the quality of their code before a hacker with a grudge against them writes a super-bug that exploits these unpatched bugs. (I admit that the chances of this are low since hackers couldn't make money from OSX users.)

MacinDoc
Dec 21, 2006, 12:09 AM
I've never argued that OS X has more "in the wild" bugs--in fact, I've argued that it has fewer because people aren't interested in writing them for OSX. I'm pointing out that if people were interested, there are plenty of bugs in the OS to exploit.


I call didn't read my links. Your numbers are for all time. Mine are for 2006. Scroll down the links and look at the graphs. You'll find the numbers I cited. If you're still not convinced, I'll paste the images in tomorrow.

The fact is the quality of Apple's coding is at least as bad as Microsoft. OS X's security advantage is due to privilege separation and low market share. Apple needs to improve the quality of their code before a hacker with a grudge against them writes a super-bug that exploits these unpatched bugs. (I admit that the chances of this are low since hackers couldn't make money from OSX users.)
I'm quoting the number of current unpatched bugs in Mac OS X (9 out of a total of 87 reported, or 10%), versus the number of current unpatched bugs in Windows (17%). What percentage of those were reported in 2006 is largely irrelevant, except to say that a larger number of the unpatched Windows bugs were reported before 2006, meaning that MS has taken even longer than Apple to patch them. And none of the currently unpatched Mas OS X bugs exceed moderate severity, by Secunia's rating system. The pie charts you are referring to report data from 2006, including data on bugs that have already been patched.

Anyway, it's not surprising that fewer new Windows bugs were reported in 2006, because prior to Vista, it has not been significantly updated in years, so most of the existing bugs had already been found. That doesn't change the fact that there are more unpatched bugs in Windows than in OS X, or the fact that there remains a higher percentage of unpatched bugs in Windows than in OS X, or the fact that some of the unpatched bugs in Windows are more critical than any of the unpatched bugs in OS X, regardless of whether the bugs were reported in 2006 or in prior years. Just because an unpatched bug was reported in 2004 and not 2006 does not mean that it is unpatched.

BTW, the main reason why such a high percentage of OS X bugs reported in 2006 remain unpatched is that this same nameless hacker just reported a large number of them several weeks ago in the "Month of Kernel Bugs". If he were to get a copy of Vista and find 10 bugs in it, then publish the info before reporting it to Microsoft, then 100% of the bugs reported for Vista would be unpatched. So that statistic is really meaningless, and the one you should use is the current total number of reported and patched bugs, not the percentage of those that occurred in 2006.

Finally, by his MO alone, and statements he has made, the person behind this month of bugs is a hacker with a grudge.

mattham
Dec 21, 2006, 03:55 PM
CARS Announces “Month of Security Dicks”


http://www.crazyapplerumors.com/

Matt :-)

Analog Kid
Dec 21, 2006, 05:08 PM
However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."

Good form, Apple.

patrick0brien
Dec 21, 2006, 05:33 PM
Good form, Apple.

-Analog Kid

As I read between the lines on that quote, it occurs to me that Apple's saying something else as well to the hackers.

Something like: "Go ahead and test us - as long as you do it constructively. Let us know that you find in good faith."

I get that from the words "welcome Feedback". If these Hackers aren't giving feedback to Apple they can use - or it appears to be just a gloating, Apple will likely act against it - and IMHO, they should.

phillipjfry
Dec 21, 2006, 05:35 PM
Agreed.

I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

My question is, if holes are found, how much is that information worth to people who want to take advantage of it? And also, if it is a moderate to high value, will this company / person take offers to share that information with people who would like to do wrong doing ?

My guess is, the information has value, and I am worried that this person / group would actually sell it to a high enough bidder, regardless of why that person / group needs that info.

If these issues are disclosed publicly, then everyone knows about the security flaw, there would be no "highest bidder". Having been around bugtraq and the like for a long while, I understand the problem with vendors not getting back with the discloser after they took the time to inform them of the bug/hole (in some cases, people told vendors repeatedly about bugs and still had not heard from them for months on end).
If two people find the same bug/exploit, and one discloses it to the public, then the information does not become as profitable to the second. It also allows Apple or whoever to take steps to squashing that bug. To think that XP has more/worse bugs than OSX is just crazy. Every OS has bugs/exploits/holes/whatever. But Windows is more often used and most likely to have its exploits found. I will be very interested to see what is found in OSX throughout January; even more interested in seeing how fast Apple reacts to them.

patrick0brien
Dec 21, 2006, 06:11 PM
To think that XP has more/worse bugs than OSX is just crazy.

-phillipjfry

According to the current facts, OS X does indeed have fewer bugs, and is far more inherently secure that Windows. This is regardless of attacks attempted.

This "Month Of Apple Bugs" is another opportunity to test/change those facts, and I for one am very interested in the results. So far every test of this ilk has only let to our current set of facts - that OS X (10.4) has fewer bugs that Windows XP. So it's not crazy to think that XP has more/worse bugs and vulnerbilities than OSX. Thinking that, is supported by the current facts.

What would be crazy would be to think that OS X is invulnerable.

MikeTheC
Dec 21, 2006, 09:45 PM
The only way for there to be "peer review" of Mac OS X is within Apple itself, amongst it's programmers -- both staff programmers and independent contractor coders -- as Mac OS X is NOT an open-source project.

Not being a software developer myself, I can't really vouch for how bugs and security flaws are dealt with in the GNU/Linux community, but that's the only context I can think of wherein "public" (in any sense of the word) disclosure could possibly be part of true peer review, since it basically is the "public at large" who code for GNU/Linux.

I, too, would prefer to see someone who's intent is to aggressively seek bugs and security holes report them at the earliest opportunity to those responsible parties. I wouldn't really have an issue with someone spearheading a project which included a fairly large number of other people who's sole intent was to uncover bugs and holes, provided their intended and actualized practice was then to privately disclose after verification.

The more eyeballs in front of screens that you have, the better; but just releasing info for the sake of releasing it, as others here have said, productively helps nobody.

phillipjfry
Dec 21, 2006, 09:59 PM
-phillipjfry

According to the current facts, OS X does indeed have fewer bugs, and is far more inherently secure that Windows. This is regardless of attacks attempted.

This "Month Of Apple Bugs" is another opportunity to test/change those facts, and I for one am very interested in the results. So far every test of this ilk has only let to our current set of facts - that OS X (10.4) has fewer bugs that Windows XP. So it's not crazy to think that XP has more/worse bugs and vulnerbilities than OSX. Thinking that, is supported by the current facts.

What would be crazy would be to think that OS X is invulnerable.

I think this only because OSX+kernel have not had the extensive research and "tinkering" that xp kernel+apps have had (eg. tinkering done by millions of people world round, constantly trying to find holes to exploit for good/bad reasons). Although I have no OSX experience (will change after january :D ), I know that any sort of programming on this level is bound to have bugs/holes/exploits/whatever that are not found for months, even years, on end. Windows has been out for how long? With how many dev's/crackers/etc looking for holes? And it seems like almost everyday something new is found. I am not at all bashing OSX, but I'm also not referring to it as "invulnerable". All in all, I would love to see what kind of "under the radar" bugs are found, in a hybrid kernel like this, as the years go on.

p.s. Maybe "crazy" isn't the word I should have used, but at least let OSX have a few more million eyes on it before we bring up anything that can be considered "rock hard" statistics. ;)

patrick0brien
Dec 22, 2006, 12:09 AM
I think this only because OSX+kernel have not had the extensive research and "tinkering" that xp kernel+apps have had (eg. tinkering done by millions of people world round, constantly trying to find holes to exploit for good/bad reasons). Although I have no OSX experience (will change after january :D ), I know that any sort of programming on this level is bound to have bugs/holes/exploits/whatever that are not found for months, even years, on end. Windows has been out for how long? With how many dev's/crackers/etc looking for holes? And it seems like almost everyday something new is found. I am not at all bashing OSX, but I'm also not referring to it as "invulnerable". All in all, I would love to see what kind of "under the radar" bugs are found, in a hybrid kernel like this, as the years go on.

p.s. Maybe "crazy" isn't the word I should have used, but at least let OSX have a few more million eyes on it before we bring up anything that can be considered "rock hard" statistics. ;)

-phillipjfry

:o Are you sitting down? Actually, the BSD and kernel have had far longer, and millions of more eyes and fingers on it than Windows.

UNIX has its roots in the 1960's, and the BSD (Berkely Standard Distribution) is an evolution of it.

It is easily arguable that Windows XP is a kludge upon a kludge upon a kludge upon a kludge upon a kludge upon a kludge upon an OS slammed together from three sources bought for presentation to IBM. One, two, three... yeah, I think I counted that right.

The primary reason Apple threw out Classic in favor of BSD in 2000 is for the overexamined nature of the Mach Microkernal and BSD subsystems. Granted, Linus has his misgivings about Mach, but Windows is nowhere near the level - and breadth - of examination.

phillipjfry
Dec 22, 2006, 10:59 AM
-phillipjfry

:o Are you sitting down? Actually, the BSD and kernel have had far longer, and millions of more eyes and fingers on it than Windows.

UNIX has its roots in the 1960's, and the BSD (Berkely Standard Distribution) is an evolution of it.

It is easily arguable that Windows XP is a kludge upon a kludge upon a kludge upon a kludge upon a kludge upon a kludge upon an OS slammed together from three sources bought for presentation to IBM. One, two, three... yeah, I think I counted that right.

The primary reason Apple threw out Classic in favor of BSD in 2000 is for the overexamined nature of the Mach Microkernal and BSD subsystems. Granted, Linus has his misgivings about Mach, but Windows is nowhere near the level - and breadth - of examination.

Understandable, completely. I misread/interpeted when I saw "hybrid kernel" figuring that in the sense, it was some part BSD, some part "other" kind of kernel. I retract my preview posts and still anticipate what will be found next month.:) Thx for putting me in my place as I am still used to the Windows/Winkernel standards of "if you thought you found it all, just wait for the next worm to flood the gates". :p (god i cant wait till i get my imac next month *cross fingers*)

patrick0brien
Dec 22, 2006, 11:37 AM
Understandable, completely. I misread/interpeted when I saw "hybrid kernel" figuring that in the sense, it was some part BSD, some part "other" kind of kernel. I retract my preview posts and still anticipate what will be found next month.:) Thx for putting me in my place as I am still used to the Windows/Winkernel standards of "if you thought you found it all, just wait for the next worm to flood the gates". :p (god i cant wait till i get my imac next month *cross fingers*)

-phillipjfry

You're a good man. We're all still learning every day.
A friend of mine once said - testing me "What is 'Real UNIX'?"
They're all just variations and evolutions of the Unix Time Sharing System - which is no longer used. This is a handy little thing for the wetware:UNIX Timeline (http://en.wikipedia.org/wiki/Image:Unix.svg). Of course, it doesn't go into Kernel development or crossbreeding - but then, that graphic would be a bit big.

shawnce
Dec 23, 2006, 06:20 PM
-phillipjfryThis is a handy little thing for the wetware:UNIX Timeline (http://en.wikipedia.org/wiki/Image:Unix.svg). Bah... Unix History (http://www.levenez.com/unix/history.html#01)

Diatribe
Jan 2, 2007, 02:23 PM
Wasn't this supposed to start now? :confused:

Edit (here it is): http://projects.info-pull.com/moab/

MacsAttack
Jan 2, 2007, 04:18 PM
I will be very interested to see what is found in OSX throughout January

As will I.

However, this bug appears to be in Quicktime....

No OS X bugs yet. Will the "Month of Apple Bugs" be a list of issues in iTunes, iPhoto, Pages, iWeb, iMove, iDVD, iCal, Safari, Calculator, Mail etc. etc.?????

Diatribe
Jan 2, 2007, 07:06 PM
As will I.

However, this bug appears to be in Quicktime....

No OS X bugs yet. Will the "Month of Apple Bugs" be a list of issues in iTunes, iPhoto, Pages, iWeb, iMove, iDVD, iCal, Safari, Calculator, Mail etc. etc.?????

Since Quicktime is one of the OS X frameworks, this is a OS X bug.

Even if it were not, since it is shipped with it and everyone uses it, it is just as bad.

beg_ne
Jan 2, 2007, 11:18 PM
So is it also pretty funny that so far in the Month of APPLE Bugs both bugs affect Windows as well? :)

1/01 - "Both Microsoft Windows and Mac OS X versions are affected."
1/02 - "thanks to David Maynor for confirming the issue in the Microsoft Windows version)."

tmartino
Jan 3, 2007, 09:47 AM
Am I reading this wrong, or is the second exploit just a VLC exploit, and not even an Apple problem?

Diatribe
Jan 3, 2007, 09:58 AM
Am I reading this wrong, or is the second exploit just a VLC exploit, and not even an Apple problem?

No, you're reading this correctly and it has already been patched by the nice VLC people:

Read. (http://landonf.bikemonkey.org/code/macosx/)

phillipjfry
Jan 3, 2007, 10:22 AM
Am I reading this wrong, or is the second exploit just a VLC exploit, and not even an Apple problem?

Yea, it is just a VLC exploit in a OSX environment. Without the program, OSX is not affected.

Hobofuzz
Jan 3, 2007, 10:29 AM
Yea, it is just a VLC exploit in a OSX environment. Without the program, OSX is not affected.

I love how these guys have already failed to meet their goal on day 2.

840quadra
Jan 3, 2007, 11:03 AM
If these issues are disclosed publicly, then everyone knows about the security flaw, there would be no "highest bidder". Having been around bugtraq and the like for a long while, I understand the problem with vendors not getting back with the discloser after they took the time to inform them of the bug/hole (in some cases, people told vendors repeatedly about bugs and still had not heard from them for months on end).
If two people find the same bug/exploit, and one discloses it to the public, then the information does not become as profitable to the second. It also allows Apple or whoever to take steps to squashing that bug. To think that XP has more/worse bugs than OSX is just crazy. Every OS has bugs/exploits/holes/whatever. But Windows is more often used and most likely to have its exploits found. I will be very interested to see what is found in OSX throughout January; even more interested in seeing how fast Apple reacts to them.

I will reply with the exact same thing I did to someone else's statement later in this thread.

Agreed, however who is to say they don't keep some information to themselves, and or important details that make that information useful.

I do doubt that this is his / her intent, however I wouldn't rule it out for someone doing this type of work.

yellow
Jan 3, 2007, 11:30 AM
#2 is a VLC exploit? How is this an Apple bug? :confused:

MacsAttack
Jan 3, 2007, 12:27 PM
Guess they should have waited until next month. That way they may have been able to hit thier one-a-day Apple bug target.

Now i just feel embarased for them...

After G
Jan 3, 2007, 12:34 PM
No, you're reading this correctly and it has already been patched by the nice VLC people:

Read. (http://landonf.bikemonkey.org/code/macosx/)Nice to know this guy is providing a "fix" for every bug posted on MOAB. I'll just do this until I can get official updates for everything.

#2 is a VLC exploit? How is this an Apple bug? :confused:Especially when:
- it's not an Apple-made application
- you have to download VLC voluntarily
- you have to view a udp:// stream
- the stream has to be malicious
- the hacker has to find some way to get people to view the bad stream for his exploit to take effect

I use VLC mostly for offline viewing of files QuickTime cannot handle. I think most people do not use VLC for random streaming media; more likely they would use their own LAN, or a trusted internet source. I understand that MOAB also involves Apple applications, but I have a feeling we'll see a few Apple bugs and a lot more bugs in non-Apple applications (probably open-source), that will be fixed almost immediately upon announcement.

phillipjfry
Jan 3, 2007, 12:51 PM
I will reply with the exact same thing I did to someone else's statement later in this thread.

There is some sort of a "trade off" when disclosing bugs in either case.
You could tell the vendor, then release the bug, with all the details included, making some script kiddie very happy.
Same scenario, but without the details you might keep to yourself, script kiddies will be deterred, only temporarily. (they have information to point them in the right direction).
Or, in what you stated, they keep the important information to themselves, and leave the community with an idea of where to look for said exploit.
God Bless the honor system. :)

Also, if I misinterpeted your post in any way, sorry in advance. :)

Diatribe
Jan 4, 2007, 03:25 PM
Actually I don't think it is too bad they do this.

They raise awareness and will hopefully make Apple and its users think.

They should be given a copy of Leopard early ;)

phillipjfry
Jan 4, 2007, 04:22 PM
http://projects.info-pull.com/moab/MOAB-04-01-2007.html

Seems to be more Mac oriented this time...

bousozoku
Jan 4, 2007, 05:08 PM
#2 is a VLC exploit? How is this an Apple bug? :confused:

It isn't and it was confirmed on Windows. It's also been fixed already. :)

FDX
Jan 7, 2007, 06:21 PM
It is day 7 what other bugs have there been? I thought this was supposed to raise awareness.

EricNau
Jan 7, 2007, 06:29 PM
It is day 7 what other bugs have there been? I thought this was supposed to raise awareness.
http://projects.info-pull.com/moab/index.html

bousozoku
Jan 7, 2007, 06:33 PM
It is day 7 what other bugs have there been? I thought this was supposed to raise awareness.

I suppose you have to look at their website. (http://projects.info-pull.com/moab/index.html)

It looks as though they're still finding things, but they're not really being fixed.

Number 3 is the MySpace-reported bug.

As far as I know, numbers 4 and 5 were previously reported.

Number 6 was fixed by upgrading to Acrobat Reader version 8, but Preview still has the problem.

Number 7 affects OmniWeb, but apparently not Shiira or Safari, which seems odd since they're using the same JavaScript engine.

mkrishnan
Jan 7, 2007, 06:35 PM
It is day 7 what other bugs have there been? I thought this was supposed to raise awareness.

They're pretty clearly listed on the website (http://projects.info-pull.com/moab/)....

SeaFox
Jan 8, 2007, 03:40 PM
Number 7 affects OmniWeb, but apparently not Shiira or Safari, which seems odd since they're using the same JavaScript engine.

Wouldn't that make it an OmniWeb problem?

I love this. The Month of Apple bugs has pretty much fallen off the radar of all the media. Two of these "Apple Bugs" have nothing to do with Apple itself. Didn't the VLC exploit work on Windows too? The author is using the loosest definition of "Apple" bugs in existence, any bug that works on the MacOS counts.

Earendil
Jan 8, 2007, 03:55 PM
Wouldn't that make it an OmniWeb problem?

I love this. The Month of Apple bugs has pretty much fallen off the radar of all the media. Two of these "Apple Bugs" have nothing to do with Apple itself. Didn't the VLC exploit work on Windows too? The author is using the loosest definition of "Apple" bugs in existence, any bug that works on the MacOS counts.

I was on the verge of disagreeing with you, and pointing out that on the surface it doesn't matter where the bug is, as long as it can effect an OSX machine.

However I remembered the "spirit" of the original idea, to help improve OSX security. And the only reason anyone could use to defend the blatant public nature of letting Apple know about the bugs at the same time as anyone wanting to exploit them was just that, that it was Apple.

However if we are now publicly pointing out exploitable flaws in FREEWARE programs, that is just wrong. The fact that the freeware is a widely used program doesn't make it any morally better, it makes it worse. I'm sitting here working on a BS in Computer Science, and the idea that one of my freeware programs, no matter how popular, could one day have it's exploits publicly displayed for the world to see WITHOUT informing me first, boils my blood. To make matters worse there is a chance that I may never hear about such exploits and thus get around to fixing them either quite late, or never.

I like this guy less and less...

bousozoku
Jan 8, 2007, 03:56 PM
Wouldn't that make it an OmniWeb problem?

I love this. The Month of Apple bugs has pretty much fallen off the radar of all the media. Two of these "Apple Bugs" have nothing to do with Apple itself. Didn't the VLC exploit work on Windows too? The author is using the loosest definition of "Apple" bugs in existence, any bug that works on the MacOS counts.

It was corrected by OmniGroup with version 5.5.2 of OmniWeb.

Also, the PDF bug apparently has a fix, but I'm waiting for Apple to officially patch it.

dqm
Jan 14, 2007, 09:16 AM
Either way, you can bet the media and CNet will have a field day announcing how Mac OSX isn't "quite secure as some people might think" (watch for that direct quote). I know I will have to spend at least an hour on the phone with my Dad who just bought a new 20" Imac because he was sick of virus and spyware on his 2 year old windows machine, which had replaced a 1 year old windows machine - now that is longevity ;)

Perhaps your first order of action should be to educate your dad how to use a computer?? My dad has had a WinXP machine for several years without major problems. I remind him to have uptodate virus and firewall software, and that's about it.

JeffDM
Jan 14, 2007, 09:30 AM
Perhaps your first order of action should be to educate your dad how to use a computer?? My dad has had a WinXP machine for several years without major problems. I remind him to have uptodate virus and firewall software, and that's about it.

I agree. I don't think it takes much effort to make any computer last. My dad is using an eight year old Windows 2000 computer, albiet a workstation. He wants a new one but the current one does do the job.

I was on the verge of disagreeing with you, and pointing out that on the surface it doesn't matter where the bug is, as long as it can effect an OSX machine.

However I remembered the "spirit" of the original idea, to help improve OSX security. And the only reason anyone could use to defend the blatant public nature of letting Apple know about the bugs at the same time as anyone wanting to exploit them was just that, that it was Apple.

I think the dropping the ball on the unspoken agreement is partly Apple's fault. Apple is known to have ignored a notification of a problem for months until a whistleblower threatens to release the exploit, then they finally get their act together. It is even worse than that at the moment, it's been a month since the Myspace HREF/javascript worm was publicized and I still haven't seen any mention that Apple has fixed it in any manner.

The last seven days appear to be Apple specific problems.

bousozoku
Jan 14, 2007, 12:53 PM
Adobe patched Acrobat Reader 7 to version 7.0.9 so now, it's just Preview with the problem.

Have you ever seen Adobe work that fast? I haven't, and they're making Apple look sloppy.

Diatribe
Jan 14, 2007, 03:01 PM
Adobe patched Acrobat Reader 7 to version 7.0.9 so now, it's just Preview with the problem.

Have you ever seen Adobe work that fast? I haven't, and they're making Apple look sloppy.

Apple has never been really fast fixing stuff.

Considering the bugs that are already on that page I sure hope that Apple gives us a fix soon.

patrick0brien
Jan 14, 2007, 03:15 PM
-Diatribe

This is the one problem I have with MoAB. They aren't giving Apple the opportunity to fix stuff.

IMHO it is disingenuousness at its most blatant, childish at least, irresponsible at best, and criminal at its worst.

bousozoku
Jan 14, 2007, 03:29 PM
Apple has never been really fast fixing stuff.

Considering the bugs that are already on that page I sure hope that Apple gives us a fix soon.

They're so concerned about not looking vulnerable and putting everything into one batch that they're leaving us somewhat vulnerable.

Remember the huge number of changes they sent back to the KHTML people? That really messed with them. It's one thing to have policies and procedures but when it doesn't help the people using your products, something needs to change.

-Diatribe

This is the one problem I have with MoAB. They aren't giving Apple the opportunity to fix stuff.

IMHO it is disingenuousness at its most blatant, childish at least, irresponsible at best, and criminal at its worst.

It's a smack at the smugness of Apple's fanatics and that's not a bad thing. Too many times we've had people here go on about how their machines are impervious to attack.

Here's to bringing reality to the Macintosh platform again.

patrick0brien
Jan 14, 2007, 03:45 PM
It's a smack at the smugness of Apple's fanatics and that's not a bad thing. Too many times we've had people here go on about how their machines are impervious to attack.

Here's to bringing reality to the Macintosh platform again.

-bousozoku

I agree with that sliver of principle, but it's the method I disagree with. I'd be less twisted about this if the hackers would just state their motivations honestly, and proceed responsibly.

Then, I'd be more apt to think of this as a service, than an effort motivated purely by spite.

bousozoku
Jan 14, 2007, 04:37 PM
-bousozoku

I agree with that sliver of principle, but it's the method I disagree with. I'd be less twisted about this if the hackers would just state their motivations honestly, and proceed responsibly.

Then, I'd be more apt to think of this as a service, than an effort motivated purely by spite.

Right. It's not a service and it's vicious but sometimes, a splash of cold water is indeed the only way to wake someone from their dream.

People live in complacency because it's easier than living in reality. Reality takes work.

SC68Cal
Jan 17, 2007, 11:17 AM
Does anyone subscribe to XNews or read Rixstep regularly here? They have been keeping an eye on most of this stuff.

TheBobcat
Jan 17, 2007, 11:51 AM
I actually forgot this was the month of Apple bugs. Apparently they haven't found anything even remotely significant so far because if they found even an iota of anything, the Windows Fanboys and CNet would be going crazy. :rolleyes:

Diatribe
Jan 17, 2007, 03:30 PM
I actually forgot this was the month of Apple bugs. Apparently they haven't found anything even remotely significant so far because if they found even an iota of anything, the Windows Fanboys and CNet would be going crazy. :rolleyes:

That's a pretty ignorant thing to say. If you had looked at what they found you would see that they have in fact found exploitable bugs that can lead to arbitrary code execution.

Short, one can access your machine using these bugs. If that isn't significant then I don't know.

Diatribe
Jan 25, 2007, 02:10 AM
Woohoo. Apple fixed one of the 19 bugs they found... can only take a year at this rate. :rolleyes:

bousozoku
Jan 25, 2007, 02:17 AM
Woohoo. Apple fixed one of the 19 bugs they found... can only take a year at this rate. :rolleyes:

Well, not all of the bugs were things that Apple could fix but some of the others have been fixed by the vendors.

Apple still has a list of bugs from November that need to be fixed, too.

Diatribe
Jan 25, 2007, 02:28 AM
Well, not all of the bugs were things that Apple could fix but some of the others have been fixed by the vendors.

Apple still has a list of bugs from November that need to be fixed, too.

What do you mean that Apple can't fix? 19 of the 24 bugs are bugs within Apple software or OS X itself. If they can't fix bugs that lead to arbitrary code execution that'd be pretty sad.
Apple is really sloooooooooow when it comes to fixing their bugs. If they don't speed it up they'll have the same problems Windows had when their userbase grows.

SeaFox
Jan 25, 2007, 03:56 AM
The MOAB site appears to be down now. Someone must have found an exploit on their server. :D

That would explain this Digg story (http://digg.com/apple/Month_of_Apple_Bugs_MoAB_website_redirects_users_to_porn_sites).

Diatribe
Jan 25, 2007, 04:04 AM
The MOAB site appears to be down now. Someone must have found an exploit on their server. :D

That would explain this Digg story (http://digg.com/apple/Month_of_Apple_Bugs_MoAB_website_redirects_users_to_porn_sites).

Working fine for me. :confused:

Earendil
Jan 25, 2007, 11:19 AM
What do you mean that Apple can't fix? 19 of the 24 bugs are bugs within Apple software or OS X itself. If they can't fix bugs that lead to arbitrary code execution that'd be pretty sad.
Apple is really sloooooooooow when it comes to fixing their bugs. If they don't speed it up they'll have the same problems Windows had when their userbase grows.

After spending some time fixing bugs that don't have anything to do with something as extremely vague and obscure as arbitrary code execution, on a small 200,000 line program, I can tell you that I'd be scared if Apple did fix it within a couple days :cool:

Finding code that causes a behavior is not always obvious, not only how to fix it, but where the code is that's causing it. Obften times it's the interaction between different pieces of code across different parts of the program.

I don't care how long it takes APple to fix bugs, as long as they are always one step ahead of any hacker trying to find the same code and use it. The day a hacker beats them to it is the day they don't have an excuse for fixing it in time.

bousozoku
Jan 25, 2007, 11:49 AM
After spending some time fixing bugs that don't have anything to do with something as extremely vague and obscure as arbitrary code execution, on a small 200,000 line program, I can tell you that I'd be scared if Apple did fix it within a couple days :cool:

Finding code that causes a behavior is not always obvious, not only how to fix it, but where the code is that's causing it. Obften times it's the interaction between different pieces of code across different parts of the program.

I don't care how long it takes APple to fix bugs, as long as they are always one step ahead of any hacker trying to find the same code and use it. The day a hacker beats them to it is the day they don't have an excuse for fixing it in time.

Well, at least, you're happy.

Apple are obviously not one step ahead. It's just a good thing that no one has decided to do more than make a wake up call.

It would seem that they've got no group for security problems and apparently consider security a very low priority compared to showmanship.

It would seem that they're not using the proper tools on the source code since these things continue to rear their ugly heads. I can understand how a single person writing a small application can't afford a tool to check properly for memory abuses but Apple aren't a small company.

Can they fix everything before they release it? No, but they can check to make certain memory abuses don't happen. At least, one of the problems sounds like something a second year programmer would make without supervision. What happened to code review in their policies and procedures?

Earendil
Jan 25, 2007, 11:56 AM
Well, at least, you're happy.

Apple are obviously not one step ahead. It's just a good thing that no one has decided to do more than make a wake up call.

It would seem that they've got no group for security problems and apparently consider security a very low priority compared to showmanship.

It would seem that they're not using the proper tools on the source code since these things continue to rear their ugly heads. I can understand how a single person writing a small application can't afford a tool to check properly for memory abuses but Apple aren't a small company.

Can they fix everything before they release it? No, but they can check to make certain memory abuses don't happen. At least, one of the problems sounds like something a second year programmer would make without supervision. What happened to code review in their policies and procedures?


You make it sound so easy :rolleyes:

It would actually be far easier for a single programmer to make a small app without security holes, memory leaks, and the like, than it is for a large company to produce a million line program that hits ever aspect of a computer (it's an OS after all), and by definition has to be open in some ways.
I'm not aware of any tools that help you find code execution issues with your code. Also, code review is likely to not solve these problems due to the nature of these things.

I'm curious why you think Apple doesn't care? Anything beyond your gut feeling?

Diatribe
Jan 26, 2007, 03:33 AM
I'm curious why you think Apple doesn't care? Anything beyond your gut feeling?

Well, for one that some random hacker on the net can find 19 issues in a month, while never having used OS X that much. And second, that Apple is taking a lot of time to fix these things while independant devs have already found the cause of the problem and have already fixed it in a temp fix.

Diatribe
Jan 26, 2007, 03:44 AM
Well they just fixed some holes from the MOKB (Month of kernel bugs) from November.

http://news.com.com/Apple+closes+another+Wi-Fi+hole/2100-1002_3-6153631.html

If they always take this long it will only be a matter of time till the first exploit.

bousozoku
Jan 26, 2007, 08:37 AM
You make it sound so easy :rolleyes:

It would actually be far easier for a single programmer to make a small app without security holes, memory leaks, and the like, than it is for a large company to produce a million line program that hits ever aspect of a computer (it's an OS after all), and by definition has to be open in some ways.
I'm not aware of any tools that help you find code execution issues with your code. Also, code review is likely to not solve these problems due to the nature of these things.

I'm curious why you think Apple doesn't care? Anything beyond your gut feeling?

It's not tremendously easy or difficult but you have to actually do something.

Let's see. In the early 1990s, I was writing code for the hospital where I worked. Borland was selling a product called CodeGuard which integrated with your code to expose memory errors. Since then, even source code analysers have become a lot more useful.

There has been a product called QC on Mac OS for over 10 years now and I believe OmniGroup is selling ObjectMeter for Objective-C. Apple have people with brains. They could be doing a lot more. If they can't solve the problem, they can hire Borland to modify their tools so that Apple can use them.

There is always an answer but you have to want to do something about it. Obviously, since November, a lot of bugs have been brought to the forefront. If Apple really cared, there wouldn't be quite so many. They should have been caught.

frozencarbonite
Jan 26, 2007, 08:45 AM
Well they just fixed some holes from the MOKB (Month of kernel bugs) from November.

http://news.com.com/Apple+closes+another+Wi-Fi+hole/2100-1002_3-6153631.html

If they always take this long it will only be a matter of time till the first exploit.

Wow, it took them this long to fix that hole! I remember hearing about it back in November and I didn't use my Airport for weeks. Finally I just gave up on Apple releasing a patch and started using my Airport again. Since I don't live in the city, I don't have many houses around us, so I just took the risk.

SeaFox
Jan 27, 2007, 02:55 AM
Well, for one that some random hacker on the net can find 19 issues in a month, while never having used OS X that much. And second, that Apple is taking a lot of time to fix these things while independent devs have already found the cause of the problem and have already fixed it in a temp fix.
You actually believe this guy found all these issues in a month? For all you know he spent the last three years building this list. The fact he's released them all this month says nothing about when he actually discovered them. Also, I'm sure he's used OSX more than a little, he also could have been given some of the issues by other hackers.

Don't give the guy any credit just because he's the one with the website.

Diatribe
Jan 29, 2007, 01:44 AM
You actually believe this guy found all these issues in a month? For all you know he spent the last three years building this list. The fact he's released them all this month says nothing about when he actually discovered them. Also, I'm sure he's used OSX more than a little, he also could have been given some of the issues by other hackers.

Don't give the guy any credit just because he's the one with the website.

You're right, that doesn't change the fact that Apple is taking an aweful lo tof time to fix these things though.

yellow
Jan 29, 2007, 11:43 AM
You're right, that doesn't change the fact that Apple is taking an aweful lo tof time to fix these things though.

Well, look at it from their perspective. Right now they're trying to roll out a brand new product, 10.5, Leopard. Some of these bug may already be moot in that OS. Some of them may be getting fixed right now for the first patch cycle. I suspect they're spending their time and energy on getting 10.5 out the door and then they will work on patching past OS releases at their leisure.

Diatribe
Jan 30, 2007, 01:58 AM
Well, look at it from their perspective. Right now they're trying to roll out a brand new product, 10.5, Leopard. Some of these bug may already be moot in that OS. Some of them may be getting fixed right now for the first patch cycle. I suspect they're spending their time and energy on getting 10.5 out the door and then they will work on patching past OS releases at their leisure.

Sorry, but you've got to be kidding me. Since when is 10.4 their PAST OS? Did I miss something and Leopard has been released already?

Until 10.5 is out the door, priority should go to fixing their CURRENT OS and that is still 10.4 nothing else. What they do is cocky and ignorant.

So you think that just because the airbag works already in the new unreleased model, car manufacturers should be allowed more time to fix the broken airbags in their current, on the street line-up?

patrick0brien
Jan 30, 2007, 02:43 AM
So you think that just because the airbag works already in the new unreleased model, car manufacturers should be allowed more time to fix the broken airbags in their current, on the street line-up?

-Diatribe

If the new yet-to-be-released-model-that-will-work-in-my-current-car-does, then yes.

They may well be folding the fixes into 10.5 while they still have uncompiled builds about.

Diatribe
Jan 30, 2007, 03:15 AM
-Diatribe

If the new yet-to-be-released-model-that-will-work-in-my-current-car-does, then yes.

They may well be folding the fixes into 10.5 while they still have uncompiled builds about.

Wow, so you'd accept a broken airbag that will be replaced by a new one "maybe" in a couple of months but you don't know when or if at all but you give the manufacturer the benefit of the doubt? Yeah, right.

Sorry, but I find that hard to believe.

patrick0brien
Jan 30, 2007, 03:20 AM
-Diatribe

I'm sorry you feel that way.

Diatribe
Jan 30, 2007, 03:44 AM
-Diatribe

I'm sorry you feel that way.

Feel what way?

yellow
Jan 30, 2007, 10:34 AM
I don't think a broken/fixed "life saving" additions to a car is an apt parallel to a bunch of bugs in an operating system.

It is my feeling that this is what Apple is doing, working to get 10.5 out the door and then worry about bugs in the OS that have been there all along. Right or wrong, it is no different than what hundreds of companies do every day.

bousozoku
Jan 30, 2007, 10:38 AM
-Diatribe

If the new yet-to-be-released-model-that-will-work-in-my-current-car-does, then yes.

They may well be folding the fixes into 10.5 while they still have uncompiled builds about.

It's ironic that you would say that when you have "never settle" in your signature.

I think the thing is that there is a degree of danger here. Thankfully, the chance of remote exploitation is somewhat low and the chance of local exploitation is lower, unless you want to hurt yourself.

I worry more about my computer being attacked than my airbag working. It still looks like Apple does not care, even if they are working on the fixes quietly.

patrick0brien
Jan 30, 2007, 11:19 AM
It's ironic that you would say that when you have "never settle" in your signature.

I think the thing is that there is a degree of danger here. Thankfully, the chance of remote exploitation is somewhat low and the chance of local exploitation is lower, unless you want to hurt yourself.

I worry more about my computer being attacked than my airbag working. It still looks like Apple does not care, even if they are working on the fixes quietly.

-bousozoku

I'm up to my neck in software developement. Bugs happen, and fixing them vs. enhancement vs. new development is always a balancing act because the trifecta of Project Management of Time, Money, and Resources always are limited. The question is where are the energies being put?

I don't think any of us armchair bug-pointers have any real basis for critiquing Apple on how they manage their bug-fix workflow, as we know nothing about it. For all we know, they have them fixed as far and are waiting for the end of the month to wrap the compile - or - they've tried to fix them and they're blowing up the builds.

We're wasting breath - or in this case, keystrokes.

As for the sig comment, there's no irony at all, because IMHO there's nothing better for my needs than Apple - and - a wise man once said "too much quality will ruin you". Meaning that 100% quality is impossible - and in trying to reach it, you will destroy yourself. It's a happy medium, and Apple does it best.

Diatribe
Jan 31, 2007, 01:56 AM
As for the sig comment, there's no irony at all, because IMHO there's nothing better for my needs than Apple - and - a wise man once said "too much quality will ruin you". Meaning that 100% quality is impossible - and in trying to reach it, you will destroy yourself. It's a happy medium, and Apple does it best.

I thought striving for perfection is what got Apple to where they are in the first place?

Diatribe
Jan 31, 2007, 10:11 AM
I guess they gave up. No bug yesterday... :D

patrick0brien
Jan 31, 2007, 11:20 AM
I thought striving for perfection is what got Apple to where they are in the first place?

-Diatribe

Well, I can't accurately divine what's going on behind closed doors, but I always got the feeling they wanted to be the best - not necessarily perfect.

bousozoku
Jan 31, 2007, 11:22 AM
-bousozoku

I'm up to my neck in software developement. Bugs happen, and fixing them vs. enhancement vs. new development is always a balancing act because the trifecta of Project Management of Time, Money, and Resources always are limited. The question is where are the energies being put?

I don't think any of us armchair bug-pointers have any real basis for critiquing Apple on how they manage their bug-fix workflow, as we know nothing about it. For all we know, they have them fixed as far and are waiting for the end of the month to wrap the compile - or - they've tried to fix them and they're blowing up the builds.

We're wasting breath - or in this case, keystrokes.

As for the sig comment, there's no irony at all, because IMHO there's nothing better for my needs than Apple - and - a wise man once said "too much quality will ruin you". Meaning that 100% quality is impossible - and in trying to reach it, you will destroy yourself. It's a happy medium, and Apple does it best.

Imagine someone decides to exploit one of the problems. He doesn't wait for a compilation of bugs to exploit. He takes one at a time.

It's nice that Apple wants the fixes in a neat package--that seems their way--but it's not helping us if someone decides to attack.

patrick0brien
Jan 31, 2007, 11:35 AM
Imagine someone decides to exploit one of the problems. He doesn't wait for a compilation of bugs to exploit. He takes one at a time.

It's nice that Apple wants the fixes in a neat package--that seems their way--but it's not helping us if someone decides to attack.

-bousozoku

That is always a risk, yes. And we have to live with it. And often a neat package is the best way to permamnently fix a bug (and not just patch it).

At least we have the comfort in knowing a few things: 1. they haven't found anything serious, and 2. most of what they have found - and have had to do with Apple (and not peripheral) have to be run locally.

I can live with that.

Though, I still have a fundamental problem of the histrionic method of these hackers in publishing the bugs. I still find that the height of hubris and irresponsibility.

bousozoku
Jan 31, 2007, 12:09 PM
-bousozoku

That is always a risk, yes. And we have to live with it. And often a neat package is the best way to permamnently fix a bug (and not just patch it).

At least we have the comfort in knowing a few things: 1. they haven't found anything serious, and 2. most of what they have found - and have had to do with Apple (and not peripheral) have to be run locally.

I can live with that.

Though, I still have a fundamental problem of the histrionic method of these hackers in publishing the bugs. I still find that the height of hubris and irresponsibility.

The hubris belongs to them and the irresponsibility belongs to Apple.

coffey7
Feb 17, 2007, 09:53 PM
What Macs don't have bugs, they are like the Titanic. Unsinkable.

Doctor Q
Sep 18, 2007, 08:28 PM
http://www.macrumors.com/images/macrumorsthreadlogo.gif (http://www.macrumors.com)

Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple’s wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook.

However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack. Remember this story?

The details have finally been published (http://www.macworld.com/news/2007/09/18/wifidetails/).

There's a bit more behind-the-scenes info here.