Go Back   Mac Forums > News and Article Discussion > MacRumors.com News Discussion
Old Dec 19, 2006, 04:31 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Month Of Apple Bugs: January 2007



Picking up where the Month of Kernel Bugs left off, security researcher "LMH" and his team are reportedly set to launch another month-long security-hole finding project, this time targeting only Apple's products. According to the Washington Post, the Month of Apple Bugs will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

Quote:
LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.
For the Month of Kernel Bugs, software vendors were not given prior warning before vulnerabilities were released, a practice that has ruffled a few feathers in the industry. According to the Post, the Month of Apple Bugs will run similarly, as Apple will not be given advance notice of the bugs.

Quote:
It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.
You can read MacRumors' interview with LMH regarding the Month of Kernel bugs here.

Update: IDG/MacWorld provides additional information.

Quote:
Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple’s wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple community’s negative response to Maynor and Ellch’s claims played a role in the decision to launch the Month of Apple bugs.

“I was shocked with the reaction of some so-called ‘Apple fans,’” he said. “I can’t understand why some people react badly to disclosure of issues in their system of choice. … That helps to improve its security.”
However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."



Last edited by longofest : Dec 20, 2006 at 08:48 AM. Reason: story update
Old Dec 19, 2006, 04:32 PM   #2
longofest
Demi-God (Editor)
 
 
Join Date: Jul 2003
Location: Falls Church, VA
Guess January isn't going to be all fun and games for Apple...
Old Dec 19, 2006, 04:34 PM   #3
evilgEEk
macrumors 65816
 
 
Join Date: Apr 2004
Location: Boise, Idaho
Well, as long as it improves OS X security I'm all for it.
Old Dec 19, 2006, 04:34 PM   #4
caveman_uk
Guest
 
 
Join Date: Feb 2003
Location: Hitchin, Herts, UK
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
Old Dec 19, 2006, 04:35 PM   #5
cait-sith
macrumors regular
 
Join Date: Apr 2004
Location: canada
Good. Better he do it now while Apple is focused on his bugs and ready to release patches as soon as possible.

Is it fair to focus only on Apple bugs? Not really.
__________________
"`The first ten million years were the worst,' said Marvin, `and the second ten million, they were the worst too. The third ten million I didn't enjoy at all. After that I went into a bit of a decline.'"
Old Dec 19, 2006, 04:39 PM   #6
miketcool
macrumors 6502a
 
 
Join Date: Jun 2003
Hopefully the Jan release of Leopard will put a wrench in his gears.
Old Dec 19, 2006, 04:41 PM   #7
Some_Big_Spoon
macrumors 6502a
 
 
Join Date: Jun 2003
Location: Seattle.. just plain ol' wet whitebread Seattle
Gets more press. If he focused on Windows bugs, he'd be one of 10k guys pointing out tens of thousands of bugs. He'll find 30 bugs (maybe) and post them one day at a time. It's more media whoring than anything else unfortunately.

Quote:
Originally Posted by cait-sith View Post
Is it fair to focus only on Apple bugs? Not really.
__________________
My 12" PB 'sploded, just like this: KABLAM!
Old Dec 19, 2006, 04:41 PM   #8
longofest
Demi-God (Editor)
 
 
Join Date: Jul 2003
Location: Falls Church, VA
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
The problem about that is that as long as the issue isn't publicly disclosed, companies like Apple take their good old time patching them. Earlier this year, a guy was complaining that some issues that he found hadn't been addressed 6 months after he had reported it to Apple, so he finally released it to the public. If I recall, he ended up retracting the information and then the next Apple security update fixed the issue.

Quote:
Originally Posted by miketcool View Post
Hopefully the Jan release of Leopard will put a wrench in his gears.
Keep dreaming.
Old Dec 19, 2006, 04:41 PM   #9
mcarnes
macrumors 68000
 
 
Join Date: Mar 2004
Location: USA! USA!
Does this guy really think he's doing a service? He is not. Maybe a service to criminals.
Old Dec 19, 2006, 04:44 PM   #10
nsbio
macrumors 6502a
 
Join Date: Aug 2006
Location: NC
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
Perhaps one of the reasons why these guys/gals are doing it this way is to attract Apple's attention and get them to interact/become part of Apple team. Without good arguments, that is, only with idle threats, Apple will never pay attention to them. If, however, some of these "bugs" turn out to be serious, Apple will have to pay attention.
I agree that this is a blatant way of publicity seeking, but nowadays it is the only way to sell a product. And in this case it is a perfectly legal way!
Old Dec 19, 2006, 04:45 PM   #11
apachie2k
macrumors 6502
 
Join Date: May 2006
Location: NYC
like many said before, if he really cared he would just send it to apple...
__________________
We must remember that the future is neither wholly ours nor wholly not ours....
So where is that bunnny??
Old Dec 19, 2006, 04:49 PM   #12
840quadra
macrumors 68040
 
 
Join Date: Feb 2005
Location: Twin Cities MN
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

Agreed.

I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

My question is, if holes are found, how much is that information worth to people who want to take advantage of it? And also, if it is a moderate to high value, will this company / person take offers to share that information with people who would like to do wrongdoing?

My guess is, the information has value, and I am worried that this person / group would actually sell it to a high enough bidder, regardless of why that person / group needs that info.
__________________
The iPhone is nice, but I am here for the Macrumors
Neucast the European automotive podcast
Old Dec 19, 2006, 04:50 PM   #13
Alexander
macrumors member
 
Join Date: Jun 2003
Location: Palo Alto, CA
Quote:
Originally Posted by longofest View Post
The problem about that is that as long as the issue isn't publically disclosed, companies like Apple take their good old time patching them.
I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

I expect the vast majority of these bugs to be yawners.
Old Dec 19, 2006, 04:54 PM   #14
longofest
Demi-God (Editor)
 
 
Join Date: Jul 2003
Location: Falls Church, VA
Quote:
Originally Posted by Alexander View Post
I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

I expect the vast majority of these bugs to be yawners.
Good point. Probably a good compromise would be for the researcher to say "here's the vulnerability. You've got a month, and then it will be public." It sounds kind of threatening, but in the end it would be the best of both worlds.

However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...
Old Dec 19, 2006, 04:54 PM   #15
iMeowbot
macrumors 601
 
 
Join Date: Aug 2003
Publicity or advertising don't match up as motivations when the responsible party has been making some effort to remain anonymous.
Old Dec 19, 2006, 04:55 PM   #16
motorazr
macrumors member
 
Join Date: Oct 2006
Location: Earth
What purpose does it serve to find bugs in software if you aren't going to give the programmers a chance to fix them? I mean good intent and all...but it makes little sense if Apple won't get advance notice to fix errors...
Old Dec 19, 2006, 04:56 PM   #17
patrick0brien
macrumors 68040
 
 
Join Date: Oct 2002
Location: The West Loop
Quote:
"Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way," - LMH

Question: Are there any Mac users out there that actually think OS X is 'bulletproof'?

Every now and then some pundit/user blurts out that OS X users think their OS is invulnerable.

Nowhere have I seen this.

Frankly, I feel it is spite. Compared to XP, OS X seems invulnerable. I just hope there aren't any OS X users boasting 'bulletproofness'.

This is my $0.02 because I'm tired of the Enderles of the world putting words in my mouth.
__________________
Let's Get Stupid.
Switchers, and Experienced Gearheads go to Sneezing Frog

Last edited by patrick0brien : Dec 19, 2006 at 04:57 PM. Reason: spling an grammer
Old Dec 19, 2006, 04:56 PM   #18
CEAbiscuit
macrumors 6502a
 
 
Join Date: Jun 2006
Location: The Kitchen
Mods:

If you would like, merge comments from this thread:

http://forums.macrumors.com/showthread.php?t=261925

Thanks!
__________________
Les: It was almost as if they were...organized!!
Mr Carlson: As God is my witness, I thought turkeys could fly.
Old Dec 19, 2006, 04:57 PM   #19
840quadra
macrumors 68040
 
 
Join Date: Feb 2005
Location: Twin Cities MN
Quote:
Originally Posted by iMeowbot View Post
Publicity or advertising don't match up as motivations when the responsible party has been making some effort to remain anonymous.
Why not?

If he wants to anonymously capitalize on his findings by selling the information to wrongdoers, he is less likely to be caught.
__________________
The iPhone is nice, but I am here for the Macrumors
Neucast the European automotive podcast
Old Dec 19, 2006, 04:57 PM   #20
CmdrLaForge
macrumors 68000
 
 
Join Date: Feb 2003
Location: around the world
In principle I think that it is ok to show Apple where the bugs are, if any, but I think the timing is more than bad. Vista is coming out end of January for the average consumer and Apple wants to beat M$ on security. A month-long reporting on Apple's bugs will only help sell Vista instead of Mac OS.

my 2 cents
__________________

Macbook Pro 17" 2.8 GHz ; Cinema Display 23"; iPhone 3G 16GB; TimeCapsule
Final Cut Pro 2; Aperture 2
Old Dec 19, 2006, 05:02 PM   #21
840quadra
macrumors 68040
 
 
Join Date: Feb 2005
Location: Twin Cities MN
Quote:
Originally Posted by CmdrLaForge View Post
In principle I think that it is ok to show Apple where the bugs are, if any, but I think the timing is more than bad. Vista is coming out end of January for the average consumer and Apple wants to beat M$ on security. A month-long reporting on Apple's bugs will only help sell Vista instead of Mac OS.

my 2 cents
Good point!

In addition to my other comments made in this thread, part of me smells a disgruntled former Apple employee that is spreading information for possibly known holes in the OS and applications. I would almost think that holes in OS X are really not that big or easy to find (if they were many would have been discovered by others now), and that you would need intimate knowledge of the OS to be able to find any worth reporting. Especially 30 to 31 of them!
__________________
The iPhone is nice, but I am here for the Macrumors
Neucast the European automotive podcast
Old Dec 19, 2006, 05:07 PM   #22
yellow
Demi-God (Moderator)
 
 
Join Date: Oct 2003
Location: I love you, food.
I feel it's a good thing, I just hope that it's not as sensationalized as the MoKB was. There was some definite FUD being pushed there. I look forward to what LMH brings to the table. UNFORTUNATELY for him, Leopard will likely be out sooner rather than later, and some of his MoABs will be moot at best.
Old Dec 19, 2006, 05:07 PM   #23
mkrishnan
Demi-God (Moderator)
 
 
Join Date: Jan 2004
Location: Grand Rapids, MI, USA
So the Month of Kernel Bugs was only 10 days long?

Mmm, I don't approve of the methods, but I hope the long-term result is better Mac security. I find it kind of sketchy that the MoKB page lists all the exploits but doesn't have a "patched by" column like most security listings do...so I too have to say I feel like these people are more interested in showing off their skills than enhancing security.

But, go ahead... I want to see how many days are in the Month of Apple Bugs.....
__________________
Mohan
Old Dec 19, 2006, 05:15 PM   #24
aranhamo
macrumors regular
 
Join Date: Oct 2004
Big Ones

Quote:
Originally Posted by longofest View Post
However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...
I don't know about that. The "big one" that I remember hearing about was pretty thoroughly debunked on a couple of sites, in that it doesn't permit arbitrary code execution as "LMH" claimed.

Apple already has channels for working with them on these things. "LMH" is just like that guy at the BlackHat convention; he's just trying to get his 15 minutes of fame. He doesn't really care about OS X security. I've personally reported bugs to Apple, and I've received polite, timely responses from them, and everything I've ever reported was fixed in the next update, and none of mine were ever very critical.
Old Dec 19, 2006, 05:19 PM   #25
BRLawyer
macrumors 68020
 
 
Join Date: Apr 2005
Location: Currently in Switzerland
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
Ditto. He is no better than a bunch of anonymous "hackers" out there...many of his "bugs" were already debunked by more serious people...this is just food for Windows fanboys, nothing else.
__________________
iMac 24" C2D 2.8, 4Gb, 500Gb+1.25Tb, JBL Creature II, Creative XMod, OS X 10.6.2; iBook G3 Dual-USB 500MHz, 384Mb, 15Gb, OS X 10.4.11
Powered by vBulletin® Version 3.6.10
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Copyright 2002-2009, MacRumors.com, LLC