Month Of Apple Bugs: January 2007

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Dec 19, 2006.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1

    Picking up where the Month of Kernel Bugs left off, security researcher "LMH" and his team are reportedly set to launch another month-long security-hole finding project, this time targeting only Apple's products. According to the Washington Post, the Month of Apple Bugs will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

    For the Month of Kernel Bugs, software vendors were not given prior warning before vulnerabilities were released, a practice that has ruffled a few feathers in the industry. According to the Post, the Month of Apple Bugs will run similarly, as Apple will not be given advance notice of the bugs.

    You can read MacRumors' interview with LMH regarding the Month of Kernel Bugs here.

    Update: IDG/MacWorld provides additional information.

    However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."


  2. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #2
    Guess January isn't going to be all fun and games for Apple...
     
  3. macrumors 68000

    echeck

    Joined:
    Apr 20, 2004
    Location:
    Boise, Idaho
    #3
    Well, as long as it improves OS X security I'm all for it.
     
  4. Guest

    caveman_uk

    Joined:
    Feb 17, 2003
    Location:
    Hitchin, Herts, UK
    #4
    For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
     
  5. macrumors regular

    Joined:
    Apr 6, 2004
    Location:
    canada
    #5
    Good. Better he do it now while Apple is focused on his bugs and ready to release patches as soon as possible.

    Is it fair to focus only on Apple bugs? Not really.
     
  6. macrumors 6502a

    miketcool

    Joined:
    Jun 24, 2003
    #6
    Hopefully the Jan release of Leopard will put a wrench in his gears. :cool:
     
  7. macrumors 6502a

    Some_Big_Spoon

    Joined:
    Jun 17, 2003
    Location:
    New York, NY
    #7
    Gets more press. If he focused on Windows bugs, he'd be one of 10k guys pointing out tens of thousands of bugs. He'll find 30 bugs (maybe) and post them one day at a time. It's more media whoring than anything else unfortunately.

     
  8. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #8
    The problem with that is that as long as the issue isn't publicly disclosed, companies like Apple take their good old time patching them. Earlier this year, a guy was complaining that some issues that he found hadn't been addressed 6 months after he had reported them to Apple, so he finally released them to the public. If I recall, he ended up retracting the information and then the next Apple security update fixed the issue :rolleyes:

    Keep dreaming.
     
  9. macrumors 68000

    mcarnes

    Joined:
    Mar 14, 2004
    Location:
    USA! USA!
    #9
    Does this guy really think he's doing a service? He is not. Maybe a service to criminals.
     
  10. macrumors 6502a

    nsbio

    Joined:
    Aug 8, 2006
    Location:
    NC
    #10
    Perhaps one of the reasons why these guys/gals are doing it this way is to attract Apple's attention and get them to interact/become part of Apple team. Without good arguments, that is, only with idle threats, Apple will never pay attention to them. If, however, some of these "bugs" turn out to be serious, Apple will have to pay attention.
    I agree that this is a blatant way of publicity seeking, but nowadays it is the only way to sell a product. And in this case it is a perfectly legal way!
     
  11. macrumors 6502

    apachie2k

    Joined:
    May 23, 2006
    Location:
    NYC
    #11
    Like many said before, if he really cared he would just send it to Apple...
     
  12. Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Land of 10,000 Lakes
    #12

    Agreed.

    I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

    My question is, if holes are found, how much is that information worth to people who want to take advantage of it? And also, if it is of moderate to high value, will this company / person take offers to share that information with people who would like to do wrongdoing?

    My guess is, the information has value, and I am worried that this person / group would actually sell it to a high enough bidder, regardless of why that person / group needs that info.
     
  13. macrumors member

    Joined:
    Jun 19, 2003
    Location:
    Palo Alto, CA
    #13
    I agree, but it is irresponsible to give the developer NO time to prepare a patch. Make the window really short, maybe two weeks to a month, and then release them, if you want. Whatever. But ANY software developer should be given at least some time to prepare a patch for security vulnerabilities.

    About the only positive I can think of is that it will cause Apple and others to be even more rigorous about security on their own. I'm not sure this is the best way to achieve the goal, though. I think it's more about publicity.

    I expect the vast majority of these bugs to be yawners.
     
  14. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #14
    Good point. Probably a good compromise would be for the researcher to say "here's the vulnerability. You've got a month, and then it will be public." It sounds kind of threatening, but in the end it would be the best of both worlds.

    However, I'm not so sure that the bugs will only be "yawners"... MoKB came out with a couple big ones...
     
  15. macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #15
    Publicity or advertising doesn't match up as a motivation when the responsible party has been making some effort to remain anonymous.
     
  16. macrumors 6502

    Joined:
    Oct 24, 2006
    Location:
    The Frozen Waste...wait. Duluth, Minnesota.
    #16
    What purpose does it serve to find bugs in software if you aren't going to give the programmers a chance to fix them? I mean good intent and all...but it makes little sense if Apple won't get advance notice to fix errors...
     
  17. macrumors 68040

    patrick0brien

    Joined:
    Oct 24, 2002
    Location:
    The West Loop
    #17

    Question: Are there any Mac users out there that actually think OS X is 'bulletproof'?

    Every now and then some pundit/user blurts out that OS X users think their OS is invulnerable.

    Nowhere have I seen this.

    Frankly, I feel it is spite. Compared to XP, OS X seems invulnerable. I just hope there aren't any OS X users boasting 'bulletproofness'.

    This is my $0.02 because I'm tired of the Enderles of the world putting words in my mouth.
     
  18. macrumors 6502a

    CEAbiscuit

    Joined:
    Jun 28, 2006
    Location:
    The Kitchen
  19. Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Land of 10,000 Lakes
    #19
    Why not?

    If he wants to anonymously capitalize on his findings by selling the information to wrongdoers, he is less likely to be caught.
     
  20. macrumors 68040

    CmdrLaForge

    Joined:
    Feb 26, 2003
    Location:
    around the world
    #20
    In principle I think that it is ok to show Apple where the bugs are, if any, but I think the timing is more than bad. Vista is coming out at the end of January for the average consumer and Apple wants to beat M$ on security. A month-long reporting on Apple's bugs will only help sell Vista instead of Mac OS. :(

    my 2 cents
     
  21. Moderator

    840quadra

    Staff Member

    Joined:
    Feb 1, 2005
    Location:
    Land of 10,000 Lakes
    #21
    Good point!

    In addition to my other comments made in this thread, part of me smells a disgruntled former Apple employee that is spreading information about possibly known holes in the OS and applications. I would almost think that holes in OS X are really not that big or easy to find (if they were, many would have been discovered by others by now), and that you would need intimate knowledge of the OS to be able to find any worth reporting. Especially 30 to 31 of them!
     
  22. Moderator emeritus

    yellow

    Joined:
    Oct 21, 2003
    Location:
    Portland, OR
    #22
    I feel it's a good thing, I just hope that it's not as sensationalized as the MoKB was. There was some definite FUD being pushed there. I look forward to what LMH brings to the table. UNFORTUNATELY for him, Leopard will likely be out sooner rather than later, and some of his MoABs will be moot at best.
     
  23. Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #23
    So the Month of Kernel Bugs was only 10 days long? :rolleyes:

    Mmm, I don't approve of the methods, but I hope the long-term result is better Mac security. I find it kind of sketchy that the MoKB page lists all the exploits but doesn't have a "patched by" column like most security listings do...so I too have to say I feel like these people are more interested in showing off their skills than enhancing security.

    But, go ahead... I want to see how many days are in the Month of Apple Bugs.....
     
  24. macrumors regular

    Joined:
    Oct 14, 2004
    #24
    Big Ones

    I don't know about that. The "big one" that I remember hearing about was pretty thoroughly debunked on a couple of sites, in that it doesn't permit arbitrary code execution as "LMH" claimed.

    Apple already has channels for working with them on these things. "LMH" is just like that guy at the BlackHat convention; he's just trying to get his 15 minutes of fame. He doesn't really care about OS X security. I've personally reported bugs to Apple, and I've received polite, timely responses from them, and everything I've ever reported was fixed in the next update, and none of mine were ever very critical.
     
  25. Guest

    Joined:
    Apr 17, 2005
    Location:
    Currently in Switzerland
    #25
    Ditto. He is no better than a bunch of anonymous "hackers" out there...many of his "bugs" were already debunked by more serious people...this is just food for Windows fanboys, nothing else.
     