I guess if they did Windows bugs, they'd need years. Apple is much easier. I wonder if they will actually have enough content to fill an entire month.
 
If he wants to anonymously capitalize on his findings by selling the information to wrong doers, he is less likely to be caught.
It's kind of tough to sell information when you have already disclosed it for all to see.
 
It's kind of tough to sell information when you have already disclosed it for all to see.

Not per se. You can point out a vulnerability in a paragraph. However, the tools, code, and techniques needed to take advantage of that hole cannot be contained in the paragraph.

Now that said, pointing out that a hole exists in a particular part of the OS, and what that hole allows, does get a hacker a long way towards figuring it out himself... if he's smart enough.

I'm currently working in QA for a software team. This man's approach is completely backwards to the way things should be done :mad:
 
It's kind of tough to sell information when you have already disclosed it for all to see.

Agreed, however who is to say they don't keep some information to themselves, and/or important details that make that information useful.

I do doubt that this is his / her intent, however I wouldn't rule it out for someone doing this type of work.

I've got $10 that says they won't come up with a new, unknown and unreported bug for every day of the month.

I hope you are correct, however the wording seems to suggest (to me) that the holes have been found, they are just waiting to release them in January.
 
What an A**hole not telling Apple before posting the holes! If anything comes out of that I would hold him liable for damage.
 
Isn't this kind of like telling someone they'll be better at self defense, right before you beat the sh*t out of them? Sure, it might be true, but there are far better ways to go about it :cool:
 
The fact that the "month of OS X bugs" will coincide with the release of Vista certainly suggests that this is nothing more than an attempt to discredit Apple. In fact, it would not surprise me to find out that this hacker is funded by Microsoft. Why only target Mac OS X? Why not Windows? Clearly it is this hacker, not Apple, that has the hidden agenda.

And the methods are terrible. To report a security bug to the public instead of the manufacturer allows other hackers the opportunity to exploit the bug before it can be patched. Shame on him!

Of course, the fact that he made many false statements during his month of kernel bugs shows just how trustworthy he is.

Does OS X have bugs? Of course it does. Do responsible people exploit bugs in this way? Not on your life. Two big thumbs down for this jerk.
 
What an A**hole not telling Apple before posting the holes! If anything comes out of that I would hold him liable for damage.

Actually, what the guy is doing, trying to find holes in the OS's security then posting them for all the world to see, is technically illegal. It's simply cracking. It's legal as long as you keep your findings to yourself, but once you share them with the rest of the world without contacting the people who own the system you're cracking, it is pretty much illegal as far as I'm concerned. I really hope Apple shuts this guy up before he gets a chance to do something this stupid. Looking for holes is fine, but spreading them across the web without contacting Apple first makes it obvious this guy is jealous that Mac OS X has far better security than Windows. He sounds like the little brat every elementary school had who was constantly getting in trouble, so they eventually turned into a snitch. Just another nerd trying to inflate his ego.

What he really needs to do is submit any findings he makes to Apple. I'm pretty sure Apple could find a way to sue him if he reports bugs to the web instead of to Apple first. I mean, it IS Apple's intellectual property, right? They have every right to know what people have discovered about Apple's own OS. Apple has every right to know and every right to stay tight-lipped about it. I'd rather Apple release a security patch with vague descriptions like "Airport security patch" and "Quicktime Flaw patch" like they have been doing than have some nerd on the net explain exactly how to exploit flaws. Spreading this information around the net won't get anything done. It'll just make Mac OS users a little shaky until Apple releases the next security patch. I see no point in that other than giving us Mac users a Nelson "HA HA!"

Self-righteous bastard....

my rant is over!
 
I don't know about that. The "big one" that I remember hearing about was pretty thoroughly debunked on a couple of sites, in that it doesn't permit arbitrary code execution as "LMH" claimed.

Apple already has channels for working with them on these things. "LMH" is just like that guy at the BlackHat convention; he's just trying to get his 15 minutes of fame. He doesn't really care about OS X security. I've personally reported bugs to Apple, and I've received polite, timely responses from them, and everything I've ever reported was fixed in the next update, and none of mine were ever very critical.

That was ONE of the MoKB vulnerabilities that ended up being a little less extreme than at first thought. However, there were 9 others, and a couple of them also had arbitrary code execution in their description.

I guess if they did Windows bugs, they'd need years. Apple is much easier. I wonder if they will actually have enough content to fill an entire month.

They will have PLENTY to fill a month
 
Well, think different about this. If Apple does not make any spectacular announcements, or no interesting rumors come up in January, there will be something to keep us busy on a daily basis for a whole month. :eek:
 
Like many said before, if he really cared he would just send it to Apple...

If he didn't make them public Apple would just trash his emails. The only way to get Apple to move on the bug fix is to tell the public and thereby create a demand for bug fixes. Apple will have a big incentive to fix well publicized bugs.

I could list a few problems but do you think Apple would jump through hoops to correct them? No, you have to make them into something the media wants to run with.
 
Actually, what the guy is doing, trying to find holes in the OS's security then posting them for all the world to see, is technically illegal. It's simply cracking.

What law is being broken? Specifically. Can you quote it?

Yes, it would be illegal if he broke into someone else's system then said how he did it, but I'll bet he is just using his own Mac to do all his research. I can't imagine a law that prohibits looking very carefully at how your own computer is set up. Apple even publishes the source code to the Mac OS X kernel to make this kind of inspection easier.

I'll be curious to see if he finds exploits that do not require access to an account on the machine. If you have a local account, even I can think of stuff.
 
I don't see why Apple would really be against this. It will hopefully find ways they can improve their already stellar OS. It's like when you are writing an English paper and give it to a peer to evaluate. They proofread, find mistakes, give suggestions, and your paper is better because of it.
 
If he didn't make them public Apple would just trash his emails. The only way to get Apple to move on the bug fix is to tell the public and thereby create a demand for bug fixes. Apple will have a big incentive to fix well publicized bugs.

If he really cared he could report them to Apple, and give them some time to fix them, and if they didn't, then release them to the public to give more of an incentive to fix them. It doesn't seem to me that anyone here is mad that he is releasing, just that he won't report the bugs to Apple before releasing them to the public.
 
What law is being broken? Specifically. Can you quote it?

Yes, it would be illegal if he broke into someone else's system then said how he did it, but I'll bet he is just using his own Mac to do all his research. I can't imagine a law that prohibits looking very carefully at how your own computer is set up. Apple even publishes the source code to the Mac OS X kernel to make this kind of inspection easier.

I'll be curious to see if he finds exploits that do not require access to an account on the machine. If you have a local account, even I can think of stuff.

He would be at least liable for any problems such as malware, viruses and the like that others made with his information, as he would technically be an accomplice to the crime. I'm all for him finding bugs and problems, but he should tell Apple with ample time to fix them and then post the problems on the web. That way he would not be placing Mac users at risk, and he could be considered a helpful person instead of a total jerk.

I hate the fact he is doing this when Vista will be announced very soon/ during the time period, but what can be done about that....
 
I expect the vast majority of these bugs to be yawners.

I expect them all to require some sort of insecure feature or service setup. Like for this exploit to work you have to have files set to open automatically in Safari, or you have to have Apache active, or you have to have physical access to the machine.

Hey, let me add to that statement, I expect at least a quarter of these bugs to be BSD bugs, and not ones that are specific to OSX.
 
If he really cared he could report them to Apple, and give them some time to fix them.

Yeah, but this whole thing has nothing to do with security or the continued support of the OSX platform. This is fodder for all the Zune-toting MS Fanboys who are chafing every time Apple and the Mac Community in general are smug about OSX's security.

Apple and the Mac Community at large are basically painting a bullseye on their chest every time they pretend like OSX is completely impervious to viruses. Yes, it's better than Windows, but is that really a huge accomplishment? Apple needs to continue to do what they have been doing, which has seemingly been very timely updates, and continue to remember that they can and should (hopefully with 10.5) continue to make further advances in security (which to its credit, Windows has done) and not rest on their laurels.

However, this "Month of Apple Bugs" is about being on the front page of C|net, not security. And C|net will be thrilled to have it on there, and maybe accompanied by a blog or two talking about how the iPod is crap.
 
Does this guy really think he's doing a service? He is not. Maybe a service to criminals.

So if it happens to Microsoft it's all fine and dandy. But oh no, someone wants to do it to Apple. The end is near!

If the guy is just out to get attention with false reports then shoot him down. If he is documenting legitimate issues and Apple has been ignoring them then Apple has been failing you the customer by ignoring these issues.

If Apple wants to play with the big boys then it should expect to get the same treatment. Apple was doing so well for so long partly because it was more fun to attack 95% of the market. Now Apple is somewhat of a media darling, getting good publicity and is riding a wave of good profits.

As a result, it is now cool/fun/desirable to find bugs and try and release viruses for its platforms. Even though some of the "bugs" are very obscure and nigh on impossible to really work out in the wild.

I'm not saying that I think the guy is a god for doing this, and anyone who does this I will always doubt their real motivation, but sometimes people need to do this to get companies to take action and fix real problems. Best thing for Apple is to suck it up, patch what is legit, debunk the rest and hope the security experts side with them.
 
Agreed.

I am still sticking by my comment (in the month of kernel bugs thread) that we need to get used to this kind of treatment from developers, crackers, hackers. I have a feeling that this kind of work will ramp up, and that more and more people will be joining this group with regards to seeking holes in OS X.

I agree.

This is how most security companies treat Windows. It's disgusting in a way... The vast majority of virii and hacks wouldn't exist if it weren't for "security" companies publishing their findings publicly. Often, they never even directly inform Microsoft of what they have discovered, or if they do it's after they have gone public.

I think that someone with honorable intentions would announce they will be conducting such a month-long testing regimen and then will disclose their findings privately to Apple, giving them a chance to address the issues, before going public. The public does deserve to know and all should be disclosed publicly, but give Apple a chance to acknowledge, duplicate and even try to patch some of the security issues before telling everyone about them. By releasing publicly, this guy is doing to Apple what countless "security experts" do to Windows and that's identify and publish tons of security holes, leaving Microsoft playing catch-up and "security" companies begin adapting the information to their virus scanner profiles for which they can charge more money...

As OSX increases in popularity (and it is, Apple is selling more systems now than ever before), we're going to see a lot more of this. And while I do believe that OSX does have an advantage over Windows in terms of general security, I'm also sure that in the hands of capable hackers, it will become yet another lump of digital Swiss cheese. :( All we can hope for is that Apple's developers are ready for the upcoming onslaught of rogue hackers performing their "services".
 
I expect them all to require some sort of insecure feature or service setup. Like for this exploit to work you have to have files set to open automatically in Safari, or you have to have Apache active, or you have to have physical access to the machine.

...That's how 90% of the exploits in Windows work too, you know. Most are "yawners" as Alexander stated, when talking of his expectations of OSX bugs, but the little minor things do matter. And in corporate environments with lazy IT people who relax security features to help work-around network management issues or user data problems, this can wreak havoc. Same goes for careless home users who don't think of themselves at risk or don't understand how they may be at risk.

Hey, let me add to that statement, I expect at least a quarter of these bugs to be BSD bugs, and not ones that are specific to OSX.

Good chance of that... And that would be a good place for a hacker to start with OSX - with the BSD kernel and what has been released of the Darwin project. Lots of info out there and already some known exploits to investigate.

At any rate, I think this is just a sign of things to come. OSX's time is finally here to face the music, er... hackers. I think this guy is a complete ass, but he's just the first of many that will come. And as I think it's already been mentioned or alluded to, given "LMH"'s track record and ignoring of Windows, there's a good bet that he's out to expose whatever flaws in OSX that he can so they have no claims of security over Vista. He may not be a Microsoft employee or agent directly, but I think it's showing where his interests lie and he's definitely a detractor of sorts.
 
So if it happens to Microsoft it's all fine and dandy. But oh no, someone wants to do it to Apple. The end is near!
Wrong. If he did this to Microsoft, it would be equally evil (mind you, Microsoft would likely find a way to shut him down, so the point is moot; and anyway, he certainly appears to be a Microsoft fanboy, since he has made no effort to document bugs in Windows Vista, which if you hadn't noticed, just had its commercial version released, and with such a new release, likely has more bugs than the current version of OS X).
If the guy is just out to get attention with false reports then shoot him down. If he is documenting legitimate issues and Apple has been ignoring them then Apple has been failing you the customer by ignoring these issues.
He already has made false reports regarding the potential vulnerabilities caused by some of the kernel bugs he found. And he's not publicizing bugs that Apple has refused to fix, since he has not yet reported them to Apple.
 