It's a smack at the smugness of Apple's fanatics and that's not a bad thing. Too many times we've had people here go on about how their machines are impervious to attack.

Here's to bringing reality to the Macintosh platform again.

-bousozoku

I agree with that sliver of principle, but it's the method I disagree with. I'd be less twisted about this if the hackers would just state their motivations honestly, and proceed responsibly.

Then, I'd be more apt to think of this as a service, than an effort motivated purely by spite.
 
-bousozoku

I agree with that sliver of principle, but it's the method I disagree with. I'd be less twisted about this if the hackers would just state their motivations honestly, and proceed responsibly.

Then, I'd be more apt to think of this as a service, than an effort motivated purely by spite.

Right. It's not a service and it's vicious but sometimes, a splash of cold water is indeed the only way to wake someone from their dream.

People live in complacency because it's easier than living in reality. Reality takes work.
 
Does anyone subscribe to XNews or read Rixstep regularly here? They have been keeping an eye on most of this stuff.
 
I actually forgot this was the month of Apple bugs. Apparently they haven't found anything even remotely significant so far because if they found even an iota of anything, the Windows Fanboys and CNet would be going crazy. :rolleyes:
 
I actually forgot this was the month of Apple bugs. Apparently they haven't found anything even remotely significant so far because if they found even an iota of anything, the Windows Fanboys and CNet would be going crazy. :rolleyes:

That's a pretty ignorant thing to say. If you had looked at what they found you would see that they have in fact found exploitable bugs that can lead to arbitrary code execution.

In short, one can access your machine using these bugs. If that isn't significant then I don't know.
 
Woohoo. Apple fixed one of the 19 bugs they found... can only take a year at this rate. :rolleyes:

Well, not all of the bugs were things that Apple could fix but some of the others have been fixed by the vendors.

Apple still has a list of bugs from November that need to be fixed, too.
 
Well, not all of the bugs were things that Apple could fix but some of the others have been fixed by the vendors.

Apple still has a list of bugs from November that need to be fixed, too.

What do you mean that Apple can't fix? 19 of the 24 bugs are bugs within Apple software or OS X itself. If they can't fix bugs that lead to arbitrary code execution that'd be pretty sad.
Apple is really sloooooooooow when it comes to fixing their bugs. If they don't speed it up they'll have the same problems Windows had when their userbase grows.
 
What do you mean that Apple can't fix? 19 of the 24 bugs are bugs within Apple software or OS X itself. If they can't fix bugs that lead to arbitrary code execution that'd be pretty sad.
Apple is really sloooooooooow when it comes to fixing their bugs. If they don't speed it up they'll have the same problems Windows had when their userbase grows.

After spending some time fixing bugs that don't have anything to do with something as extremely vague and obscure as arbitrary code execution, on a small 200,000 line program, I can tell you that I'd be scared if Apple did fix it within a couple days :cool:

Finding code that causes a behavior is not always obvious, not only how to fix it, but where the code is that's causing it. Often times it's the interaction between different pieces of code across different parts of the program.

I don't care how long it takes Apple to fix bugs, as long as they are always one step ahead of any hacker trying to find the same code and use it. The day a hacker beats them to it is the day they don't have an excuse for fixing it in time.
 
After spending some time fixing bugs that don't have anything to do with something as extremely vague and obscure as arbitrary code execution, on a small 200,000 line program, I can tell you that I'd be scared if Apple did fix it within a couple days :cool:

Finding code that causes a behavior is not always obvious, not only how to fix it, but where the code is that's causing it. Often times it's the interaction between different pieces of code across different parts of the program.

I don't care how long it takes Apple to fix bugs, as long as they are always one step ahead of any hacker trying to find the same code and use it. The day a hacker beats them to it is the day they don't have an excuse for fixing it in time.

Well, at least, you're happy.

Apple are obviously not one step ahead. It's just a good thing that no one has decided to do more than make a wake up call.

It would seem that they've got no group for security problems and apparently consider security a very low priority compared to showmanship.

It would seem that they're not using the proper tools on the source code since these things continue to rear their ugly heads. I can understand how a single person writing a small application can't afford a tool to check properly for memory abuses but Apple aren't a small company.

Can they fix everything before they release it? No, but they can check to make certain memory abuses don't happen. At least, one of the problems sounds like something a second year programmer would make without supervision. What happened to code review in their policies and procedures?
 
Well, at least, you're happy.

Apple are obviously not one step ahead. It's just a good thing that no one has decided to do more than make a wake up call.

It would seem that they've got no group for security problems and apparently consider security a very low priority compared to showmanship.

It would seem that they're not using the proper tools on the source code since these things continue to rear their ugly heads. I can understand how a single person writing a small application can't afford a tool to check properly for memory abuses but Apple aren't a small company.

Can they fix everything before they release it? No, but they can check to make certain memory abuses don't happen. At least, one of the problems sounds like something a second year programmer would make without supervision. What happened to code review in their policies and procedures?


You make it sound so easy :rolleyes:

It would actually be far easier for a single programmer to make a small app without security holes, memory leaks, and the like, than it is for a large company to produce a million line program that hits every aspect of a computer (it's an OS after all), and by definition has to be open in some ways.
I'm not aware of any tools that help you find code execution issues with your code. Also, code review is likely to not solve these problems due to the nature of these things.

I'm curious why you think Apple doesn't care? Anything beyond your gut feeling?
 
I'm curious why you think Apple doesn't care? Anything beyond your gut feeling?

Well, for one that some random hacker on the net can find 19 issues in a month, while never having used OS X that much. And second, that Apple is taking a lot of time to fix these things while independent devs have already found the cause of the problem and have already fixed it in a temp fix.
 
You make it sound so easy :rolleyes:

It would actually be far easier for a single programmer to make a small app without security holes, memory leaks, and the like, than it is for a large company to produce a million line program that hits every aspect of a computer (it's an OS after all), and by definition has to be open in some ways.
I'm not aware of any tools that help you find code execution issues with your code. Also, code review is likely to not solve these problems due to the nature of these things.

I'm curious why you think Apple doesn't care? Anything beyond your gut feeling?

It's not tremendously easy or difficult but you have to actually do something.

Let's see. In the early 1990s, I was writing code for the hospital where I worked. Borland was selling a product called CodeGuard which integrated with your code to expose memory errors. Since then, even source code analysers have become a lot more useful.

There has been a product called QC on Mac OS for over 10 years now and I believe OmniGroup is selling ObjectMeter for Objective-C. Apple have people with brains. They could be doing a lot more. If they can't solve the problem, they can hire Borland to modify their tools so that Apple can use them.

There is always an answer but you have to want to do something about it. Obviously, since November, a lot of bugs have been brought to the forefront. If Apple really cared, there wouldn't be quite so many. They should have been caught.
 
Well they just fixed some holes from the MOKB (Month of kernel bugs) from November.

http://news.com.com/Apple+closes+another+Wi-Fi+hole/2100-1002_3-6153631.html

If they always take this long it will only be a matter of time till the first exploit.

Wow, it took them this long to fix that hole! I remember hearing about it back in November and I didn't use my Airport for weeks. Finally I just gave up on Apple releasing a patch and started using my Airport again. Since I don't live in the city, I don't have many houses around us, so I just took the risk.
 
Well, for one that some random hacker on the net can find 19 issues in a month, while never having used OS X that much. And second, that Apple is taking a lot of time to fix these things while independent devs have already found the cause of the problem and have already fixed it in a temp fix.
You actually believe this guy found all these issues in a month? For all you know he spent the last three years building this list. The fact he's released them all this month says nothing about when he actually discovered them. Also, I'm sure he's used OSX more than a little, he also could have been given some of the issues by other hackers.

Don't give the guy any credit just because he's the one with the website.
 
You actually believe this guy found all these issues in a month? For all you know he spent the last three years building this list. The fact he's released them all this month says nothing about when he actually discovered them. Also, I'm sure he's used OSX more than a little, he also could have been given some of the issues by other hackers.

Don't give the guy any credit just because he's the one with the website.

You're right, that doesn't change the fact that Apple is taking an awful lot of time to fix these things though.
 
You're right, that doesn't change the fact that Apple is taking an awful lot of time to fix these things though.

Well, look at it from their perspective. Right now they're trying to roll out a brand new product, 10.5, Leopard. Some of these bugs may already be moot in that OS. Some of them may be getting fixed right now for the first patch cycle. I suspect they're spending their time and energy on getting 10.5 out the door and then they will work on patching past OS releases at their leisure.
 
Well, look at it from their perspective. Right now they're trying to roll out a brand new product, 10.5, Leopard. Some of these bugs may already be moot in that OS. Some of them may be getting fixed right now for the first patch cycle. I suspect they're spending their time and energy on getting 10.5 out the door and then they will work on patching past OS releases at their leisure.

Sorry, but you've got to be kidding me. Since when is 10.4 their PAST OS? Did I miss something and Leopard has been released already?

Until 10.5 is out the door, priority should go to fixing their CURRENT OS and that is still 10.4 nothing else. What they do is cocky and ignorant.

So you think that just because the airbag works already in the new unreleased model, car manufacturers should be allowed more time to fix the broken airbags in their current, on the street line-up?
 
So you think that just because the airbag works already in the new unreleased model, car manufacturers should be allowed more time to fix the broken airbags in their current, on the street line-up?

-Diatribe

If the new yet-to-be-released-model-that-will-work-in-my-current-car-does, then yes.

They may well be folding the fixes into 10.5 while they still have uncompiled builds about.
 
-Diatribe

If the new yet-to-be-released-model-that-will-work-in-my-current-car-does, then yes.

They may well be folding the fixes into 10.5 while they still have uncompiled builds about.

Wow, so you'd accept a broken airbag that will be replaced by a new one "maybe" in a couple of months but you don't know when or if at all but you give the manufacturer the benefit of the doubt? Yeah, right.

Sorry, but I find that hard to believe.
 