Dec 19, 2006, 04:31 PM   #1
MacRumors
macrumors bot
Join Date: Apr 2001
Month Of Apple Bugs: January 2007



Picking up where the Month of Kernel Bugs left off, security researcher "LMH" and his team are reportedly set to launch another month-long security-hole finding project, this time targeting only Apple's products. According to the Washington Post, the Month of Apple Bugs will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

Quote:
LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.
For the Month of Kernel Bugs, software vendors were not given prior warning before vulnerabilities were released, a practice that has ruffled a few feathers in the industry. According to the Post, the Month of Apple Bugs will run similarly, as Apple will not be given advance notice of the bugs.

Quote:
It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.
You can read MacRumors' interview with LMH regarding the Month of Kernel Bugs here.

Update: IDG/MacWorld provides additional information.

Quote:
Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple’s wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple community’s negative response to Maynor and Ellch’s claims played a role in the decision to launch the Month of Apple bugs.

“I was shocked with the reaction of some so-called ‘Apple fans,’” he said. “I can’t understand why some people react badly to disclosure of issues in their system of choice. … That helps to improve its security.”
However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."


Last edited by longofest; Dec 20, 2006 at 08:48 AM. Reason: story update

Dec 19, 2006, 04:32 PM   #2
longofest
Editor emeritus
Join Date: Jul 2003
Location: Falls Church, VA
Guess January isn't going to be all fun and games for Apple...

Dec 19, 2006, 04:34 PM   #3
echeck
macrumors 68000
Join Date: Apr 2004
Location: Boise, Idaho
Well, as long as it improves OS X security I'm all for it.
__________________
Eff it, Dude. Let's go bowling.

Dec 19, 2006, 04:34 PM   #4
caveman_uk
Guest
Join Date: Feb 2003
Location: Hitchin, Herts, UK
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

Dec 19, 2006, 04:35 PM   #5
cait-sith
macrumors regular
Join Date: Apr 2004
Location: canada
Good. Better he do it now while Apple is focused on his bugs and ready to release patches as soon as possible.

Is it fair to focus only on Apple bugs? Not really.
__________________
"`The first ten million years were the worst,' said Marvin, `and the second ten million, they were the worst too. The third ten million I didn't enjoy at all. After that I went into a bit of a decline.'"

Dec 19, 2006, 04:39 PM   #6
miketcool
macrumors 6502a
Join Date: Jun 2003
Hopefully the Jan release of Leopard will put a wrench in his gears.

Dec 19, 2006, 04:41 PM   #7
Some_Big_Spoon
macrumors 6502a
Join Date: Jun 2003
Location: New York, NY
Gets more press. If he focused on Windows bugs, he'd be one of 10k guys pointing out tens of thousands of bugs. He'll find 30 bugs (maybe) and post them one day at a time. It's more media whoring than anything else, unfortunately.

Quote:
Originally Posted by cait-sith View Post
Is it fair to focus only on Apple bugs? Not really.
__________________
Celebrating 10 years as a MacRumors member.

Dec 19, 2006, 04:41 PM   #8
longofest
Editor emeritus
Join Date: Jul 2003
Location: Falls Church, VA
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
The problem about that is that as long as the issue isn't publicly disclosed, companies like Apple take their good old time patching them. Earlier this year, a guy was complaining that some issues that he found hadn't been addressed 6 months after he had reported it to Apple, so he finally released it to the public. If I recall, he ended up retracting the information and then the next Apple security update fixed the issue.

Quote:
Originally Posted by miketcool View Post
Hopefully the Jan release of Leopard will put a wrench in his gears.
Keep dreaming.

Dec 19, 2006, 04:41 PM   #9
mcarnes
macrumors 68000
Join Date: Mar 2004
Location: USA! USA!
Does this guy really think he's doing a service? He is not. Maybe a service to criminals.

Dec 19, 2006, 04:44 PM   #10
nsbio
macrumors 6502a
Join Date: Aug 2006
Location: NC
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
Perhaps one of the reasons why these guys/gals are doing it this way is to attract Apple's attention and get them to interact/become part of Apple team. Without good arguments, that is, only with idle threats, Apple will never pay attention to them. If, however, some of these "bugs" turn out to be serious, Apple will have to pay attention.
I agree that this is a blatant way of publicity seeking, but nowadays it is the only way to sell a product. And in this case it is a perfectly legal way!

Dec 19, 2006, 04:45 PM   #11
apachie2k
macrumors 6502
Join Date: May 2006
Location: NYC
Like many said before, if he really cared he would just send it to Apple...
__________________
We must remember that the future is neither wholly ours nor wholly not ours....
So where is that bunnny??

Dec 19, 2006, 04:49 PM   #12
840quadra
Moderator
Join Date: Feb 2005
Location: Land of 10,000 Lakes
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.

Agreed.

I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

My question is, if holes are found, how much is that information worth to people who want to take advantage of it? And also, if it is a moderate to high value, will this company / person take offers to share that information with people who would like to do wrongdoing?

My guess is, the information has value, and I am worried that this person / group would actually sell it to a high enough bidder, regardless of why that person / group needs that info.

Dec 19, 2006, 04:50 PM   #13
Alexander
macrumors member
Join Date: Jun 2003
Location: Palo Alto, CA
Quote:
Originally Posted by longofest View Post
The problem about that is that as long as the issue isn't publicly disclosed, companies like Apple take their good old time patching them.
I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

I expect the vast majority of these bugs to be yawners.

Dec 19, 2006, 04:54 PM   #14
longofest
Editor emeritus
Join Date: Jul 2003
Location: Falls Church, VA
Quote:
Originally Posted by Alexander View Post
I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

I expect the vast majority of these bugs to be yawners.
Good point. Probably a good compromise would be for the researcher to say "here's the vulnerability. You've got a month, and then it will be public." It sounds kind of threatening, but in the end it would be the best of both worlds.

However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...

Dec 19, 2006, 04:54 PM   #15
iMeowbot
macrumors 601
Join Date: Aug 2003
Publicity or advertising don't match up as motivations when the responsible party has been making some effort to remain anonymous.

Dec 19, 2006, 04:55 PM   #16
motorazr
macrumors 6502
Join Date: Oct 2006
Location: The Frozen Waste...wait. Duluth, Minnesota.
What purpose does it serve to find bugs in software if you aren't going to give the programmers a chance to fix them? I mean good intent and all...but it makes little sense if Apple won't get advance notice to fix errors...

Dec 19, 2006, 04:56 PM   #17
patrick0brien
macrumors 68040
Join Date: Oct 2002
Location: The West Loop
Quote:
"Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way," - LMH

Question: Are there any Mac users out there that actually think OS X is 'bulletproof'?

Every now and then some pundit/user blurts out that OS X users think their OS is invulnerable.

Nowhere have I seen this.

Frankly, I feel it is spite. Compared to XP, OS X seems invulnerable. I just hope there aren't any OS X users boasting 'bulletproofness'.

This is my $0.02 because I'm tired of the Enderles of the world putting words in my mouth.
__________________
This comment has been edited for Content, Formatted to Fit Your Screen and to Run in the Time Allotted

Last edited by patrick0brien; Dec 19, 2006 at 04:57 PM. Reason: spling an grammer

Dec 19, 2006, 04:56 PM   #18
CEAbiscuit
macrumors 6502a
Join Date: Jun 2006
Location: The Kitchen
Mods:

If you would like, merge comments from this thread:

http://forums.macrumors.com/showthread.php?t=261925

Thanks!
__________________
Les: It was almost as if they were...organized!!
Mr Carlson: As God is my witness, I thought turkeys could fly.

Dec 19, 2006, 04:57 PM   #19
840quadra
Moderator
Join Date: Feb 2005
Location: Land of 10,000 Lakes
Quote:
Originally Posted by iMeowbot View Post
Publicity or advertising don't match up as motivations when the responsible party has been making some effort to remain anonymous.
Why not?

If he wants to anonymously capitalize on his findings by selling the information to wrongdoers, he is less likely to be caught.

Dec 19, 2006, 04:57 PM   #20
CmdrLaForge
macrumors 68030
Join Date: Feb 2003
Location: around the world
In principle I think that it is ok to show Apple where the bugs are if any but I think the timing is more than bad. Vista is coming out end of January for the average consumer and Apple wants to beat M$ on security. A month long reporting on Apple's bugs will only help selling Vista instead of Mac OS.

my 2 cents
__________________
rMacbook Pro 13" / Cinema Display 23" / iPad Air 128GB / iPhone5 16GB

Dec 19, 2006, 05:02 PM   #21
840quadra
Moderator
Join Date: Feb 2005
Location: Land of 10,000 Lakes
Quote:
Originally Posted by CmdrLaForge View Post
In principle I think that it is ok to show Apple where the bugs are if any but I think the timing is more than bad. Vista is coming out end of January for the average consumer and Apple wants to beat M$ on security. A month long reporting on Apple's bugs will only help selling Vista instead of Mac OS.

my 2 cents
Good point!

In addition to my other comments made in this thread, part of me smells a disgruntled former Apple employee that is spreading information for possibly known holes in the OS and applications. I would almost think that holes in OS X are really not that big or easy to find (if they were many would have been discovered by others now), and that you would need intimate knowledge of the OS to be able to find any worth reporting. Especially 30 to 31 of them!

Dec 19, 2006, 05:07 PM   #22
yellow
Moderator
Join Date: Oct 2003
Location: Portland, OR
I feel it's a good thing, I just hope that it's not as sensationalized as the MoKB was. There was some definite FUD being pushed there. I look forward to what LMH brings to the table. UNFORTUNATELY for him, Leopard will likely be out sooner rather than later, and some of his MoABs will be moot at best.

Dec 19, 2006, 05:07 PM   #23
mkrishnan
Moderator emeritus
Join Date: Jan 2004
Location: Grand Rapids, MI, USA
So the Month of Kernel Bugs was only 10 days long?

Mmm, I don't approve of the methods, but I hope the long-term result is better Mac security. I find it kind of sketchy that the MoKB page lists all the exploits but doesn't have a "patched by" column like most security listings do...so I too have to say I feel like these people are more interested in showing off their skills than enhancing security.

But, go ahead... I want to see how many days are in the Month of Apple Bugs.....
__________________
Mira C. Krishnan

Dec 19, 2006, 05:15 PM   #24
aranhamo
macrumors regular
Join Date: Oct 2004
Big Ones

Quote:
Originally Posted by longofest View Post
However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...
I don't know about that. The "big one" that I remember hearing about was pretty thoroughly debunked on a couple of sites, in that it doesn't permit arbitrary code execution as "LMH" claimed.

Apple already has channels for working with them on these things. "LMH" is just like that guy at the BlackHat convention; he's just trying to get his 15 minutes of fame. He doesn't really care about OS X security. I've personally reported bugs to Apple, and I've received polite, timely responses from them, and everything I've ever reported was fixed in the next update, and none of mine were ever very critical.

Dec 19, 2006, 05:19 PM   #25
50548
Guest
Join Date: Apr 2005
Location: Currently in Switzerland
Quote:
Originally Posted by caveman_uk View Post
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
Ditto. He is no better than a bunch of anonymous "hackers" out there...many of his "bugs" were already debunked by more serious people...this is just food for Windows fanboys, nothing else.