Question of credibility
I don't really thing that such action is anything else than attracting the media attention to some bunch of incompetent security researchers!!
Why do i say that? Well i am sorry but this 'LMH' is just a big lier, who only knows spreading fuds around mac security for his own benefit.
I mean saying that you found a security bug in a software is rather easy to do, prove that your claim is correct is another story. And this is where 'LMH' is incompetent, or maybe i could also say a lier.
Remember the 'Months of kernel bug'. 'LMH' came very exited (to the point where he was near to make a hole in his pan) to the media to say them he found a security bug in OS X that could trigger a remote attack. This security bug was related to disk images, and 'LMH' made the statement that a corrupted disk image could trigger a remote attack , a memory corruption, or whatever else an attacker could do remotely.
The point is that the only thing that 'LMH' discovered was that a disk image corrupted in a certain way could kernel panic OS X and from this, he conluded that triggering a kernel panic equals to a security bug. However he did not bother to verify wether indeed such bug could really trigger a remote attack.
Being so incompetent or just a lier, someone else bothered to check wether or not this bug was really a security bug or just a bug that the only thing that it can do to the user is crashing his/her computer.
Alastair did go through a detailed analysis of the bug described by 'LMH' and concluded this:
"
So, what have we learned:
- It is not a memory overwrite bug.
- It is not exploitable, except in that you can kernel panic a machine if you can persuade a user to double-click a damaged dmg file.
- It is not, therefore, possible to use this bug for privilege elevation or to execute arbitrary code in the kernel.
"
I would really advise all of you to read the analysis of the bug:
http://alastairs-place.net/2006/11/dmg-vulnerability/#more
The other disk image bug described by 'LMH' is also explained
http://alastairs-place.net/
So now why should i/we believe anything coming fron this guy? Because this is the problem, how can we believe so-called security researchers when they lie to us for their own benefit?
And the other problem is that a lot of them get so exited because they found a bug in OS X (media love such guys) to the point where they do not bother any more to check if what they discovered is really what they think it is.
In the case of 'LMH', its a lie, that's how i call it. Saying that he discovered a security bug when he did not even check wether it was really the case or not, is a lie.
In conclusion, what is the credibility of this guy for this 'Months of Apple bugs'? I would be glad that some people wish to improve the security of a given software. But it is really the aim here, or is it just fud, .......plain fud? This guy already lied, why won't he do it again?
So for me what he says now is just a plain media attraction procedure (manipulated by a third party or not), in other words ....... ********!!!!
When Alastair wrote his article to explian the disk image bug and to prove that what 'LMH' said was wrong, i submitted the news related to the Alastair4 article to macrumors but it did not get publised. What i want to say is that people believe easily wrong information but which sounds exiting. When it comes to say the truth, well that's another story, its a much more difficult task to spread it.
How many web sites covered the disk image bug described by 'LMH'? Plenty of them!!!!
How many of them did cover the Alastair' article which says the TRUTH?
Well, you could count them in your fingers!!!!!
