Apple Computer will soon be a member of the "month of bugs" club. On Jan. 1, two security researchers will begin publishing details of a flood of security vulnerabilities in Apple's products. Their plan is to disclose one bug per day for the entire month, they said Tuesday. The project is being launched by an independent security researcher, Kevin Finisterre, and a hacker known as LMH, who declined to reveal his identity.
Some of the bugs "might represent a significant risk," LMH said in an e-mail interview. "Others have a lower impact on security. We are trying to develop working exploits for every issue we find." The two hackers plan to disclose bugs in the Mac OS X kernel as well as in software such as Safari, iTunes, iPhoto and QuickTime, LMH said. Some of the bugs will also affect versions of Apple's software designed to run on Microsoft Corp.'s Windows operating system, he added. LMH was one of the brains behind the recent Month of Kernel Bugs project, which exposed flaws at the core of several different operating systems. It was inspired by an earlier effort, called the Month of Browser Bugs, which was kicked off in July.
News source: InfoWorld
This guy is irresponsible and seems to be an attention-seeking egomaniac.
I don't advocate this sort of full disclosure without informing the vendor, first. I can understand if he submitted it months ago, and no action was taken. He might be inclined to 'turn up the heat', but this benefits no one but "LMH".
Agreed.
I'm all about people looking for and finding vulnerabilities in competitors products with the same ferocity they do with Windows. However, regardless of the "target" - the vendor should be informed first. At that point I think the vendor should engage the source so that they feel action is being taken (even if it can't be patched overnight) - so that public disclosure doesn't happen until after a fix has been issued.
Time will tell.
Good point
Well, that company has been correct. They haven't had spyware or virus problems
Their software is (of course) not perfectly secure, but what Apple has been saying ('We're not affected by viruses or spyware'
In response to your posting, I completely agree that full disclosure of zero day vulnerabilities without informing the vendor is not worth advocation. However, do you not agree that this is a deserved slap in the face for the developers of the Mac OS and other Mac specific applications to begin implementing extensive security specific Q and A? More importantly, perhaps this can be taken as a wake up call to the vast majority of Mac users who consider themselves invincible in regards to security. In my opinion, it seems this month of bugs and working exploits is a direct effect of all of the downright cheesy Mac commercials which have numerous times implied Macs are far more secure than Windows PCs (Mac pretty much painted a red bullseye on themselves to hackers around the world). In regards to this benefiting no one but "LMH", I strongly disagree. I feel it benefits a very large portion of the Mac community by making them step out of the invincibility force field they are behind and accepting the harsh reality that all Operating Systems and OS specific applications have bugs that are exploitable.
How about reporting the problems responsibly, so the company can make patches? Why put users at risk, just to satisfy some sort of self-indulgence.
Vengeance does not lend itself to rational thoughts, it seems.
Would not Apple's release of 30 patches also "slap the face" enough to satisfy LMH's and your bloodlust? I don't like Microsoft Windows, yet I don't go around advocating zero-day public disclosures to "slap faces".
Apple have a nasty habit of just denying such a problem ever exists anyway and even resort to extreme measures to completely debunk the person making the allegations. I fully support this purely to put all of the hardcore Apple fanboys in their place about the security of MacOS, at least for a time.
At the same time, there are not that many Mac users so I don't think this will affect too many people. AND it will be a lot of fun to watch Apple scramble
For some strange, obscure reason, I prefer to see annoying Mac fanboys, instead of annoying Mac viruses...
In response to your question about satisfying mine and LMH's bloodlust (quite the word choice by the way), to some extent, yes, it makes me feel better to see Apple is releasing a whole crapload of patches recently and are taking all of the rapidly evolving threats against their operating system and applications seriously. However, you'd think Apple would change their marketing scheme by now and Mac users around the world would at least begin to admit they are vulnerable and not invincible to cyber threats.
Obviously you don't like Windows. I am making an assumption here in saying I bet you didn't say a thing or voice your opinion at all when a month of Windows kernel level flaws and IE specific bugs were going on while publicly disclosing zero day vulnerabilities to millions and millions and millions of windows users around the world. And one more time, I absolutely am not whatsoever advocating the public disclosure of zero day vulnerabilities. I am simply throwing my opinion out there on what the ramifications SHOULD be about this Mac month of flaws.
Cheers to Kushan and RazorEye.
Do you know markjensen? He might not use Windows, but he's always held the same opinion: no matter what OS, people should try to report to the vendor first, not just go out and scream for attention.
I feel the same way: what's the use in putting people at risk.
I'm sure markjensen can defend himself, but I would like to state that he has been one of the best debaters when it comes to different OS'es. By that, I mean he manages to tell others why he prefers the OS he uses, but never bashes other OS'es. On top of that, he's consistent, and doesn't spread FUD.
Markjensen: keep up the good work :p
You stated how not informing the vendor about bugs ahead of public disclosure was "not worth advocating" in your first sentence, and the rest of your post was going on and on about how Apple deserved it, and how you think that the users need to suffer, too.
As for your self-described "assumption", feel free to look through my posting history.
Mark-
First and foremost, you have my apologies for incorrectly assuming that you didn’t voice your opinion on the month of Windows kernel and IE flaws. I didn't look back at previous posts and based my assumption upon you saying "I don't like Windows." Clearly this was a bad assumption on my behalf. The key thing is that at least I used the word assume. I am very confident that you'll agree with me in that forums of this nature should not whatsoever include personal bashes and should remain on subject. Again, sorry for incorrectly assuming something about you.
I stated "I completely agree that full disclosure of zero day vulnerabilities without informing the vendor is not worth advocating." A.K.A I don't advocate full disclosure of zero day vulnerabilities, as I clearly stated in the above line, as well as numerous other times in my responses and I do NOT "go around advocating zero-day public disclosures to slap faces." I'm not exactly sure how you interpreted my stance incorrectly, perhaps you read it wrong. You said the rest of my post went on and on about how Apple deserved it and how I think the users need to suffer too. Please allow me to dissect my initial posting, statement by statement, which you are referring to.
***"However, do you not agree that this is a deserved slap in the face for the developers of the Mac OS and other Mac specific applications to begin implementing extensive security specific Q and A?" I would like a yes or no answer from you on this question. I understand you don't agree with the term "slap the face," but please provide me your answer and why you answer the way you do.***
***"More importantly, perhaps this can be taken as a wake up call to the vast majority of Mac users who consider themselves invincible in regards to security." Is it not a fact that some Mac users consider themselves nearly invincible from security threats? My opinion is that yes they do, but for damn good reasoning. Obviously everyone in here knows Macs are, hands down, more secure than Windows, they have been since day 1 and will continue to be for quite some time. Please understand I don't think the Mac users who feel this way need to suffer, I simply feel they should take this month of flaws as a wake up call that hacker dudes all over are beginning to shift their targets to the Mac OS and Mac specific applications.***
***"In my opinion, it seems this month of bugs and working exploits is a direct effect of all of the downright cheesy Mac commercials which have numerous times implied Macs are far more secure than Windows PCs (Mac pretty much painted a red bullseye on themselves to hackers around the world)." I don't think Apple "deserves" what is currently happening to them, specifically in regards to Mac users being very vulnerable due to the upcoming zero day exploits, but I do feel very strongly that it is a direct consequence of them designing the commercials the way they did. I therefore feel they deserve the repercussions which follow a bad choice being made.***
***"In regards to this benefiting no one but "LMH", I strongly disagree. I feel it benefits a very large portion of the Mac community by making them step out of the invincibility force field they are behind and accepting the harsh reality that all Operating Systems and OS specific applications have bugs that are exploitable." It's difficult for me to understand how someone doesn't agree with my above statement. Clearly it will benefit and open the eyes of some Mac users who are in sleep mode when it comes to keeping things up to date since they think their level of security is still way ahead of Windows machines (which obviously it still is, and I thoroughly know this and acknowledge it as a cold hard fact). However, coupled with this benefit is that harsh and unfortunate truth that the users of the affected software are at risk and more importantly, the "code researcher" has publicly disclosed it without first notifying the vendor, therefore not allowing a patch to be created, tested, and released for the affected users.***
Conclusion, you and I both strongly agree that guys or gals who disclose zero day vulnerabilities without notifying the vendor are not doing the right thing. However, it does appear that we strongly disagree on the possible advantages which can come of doing so.
I do not like Microsoft very much, but I don't have a loathing or anger. I just disagree with many of their business practices. As for their products, they just don't suit me well. I have even been known to compliment their products on occasion - the latest IIS has an impressive security record (which I posted in BPN several months ago).
EDIT: Answering your "yes or no" question... No, I don't feel that Apple's developers "need" a slap in the face. They started with a BSD base. They know that updates and bug fixes are constant. They have been working on a brand-new OS. OSX is a complete rewrite from what OS9 was - much more so than XP to Vista, which keeps the same infrastructure. Are developers responsible for advertisements from the corporate marketing department? Do users also need to be exposed because some people don't like "smug" attitude in their ads? I am about as much a fan of Apple's business practices as I am of Microsoft. DRM and lock-in are tools they both use, and neither of those tools benefit the consumer.
Last edited by markjensen on 21 Dec 2006 - 01:59
I have been known to compliment Apple's products as well : )
My intent in the question wasn't whether or not they "need" a slap in the face, my intent was to raise the question of perhaps it is truly time to implement further and more extensive security auditing into the development stage for the Apple coders. Developers are absolutely not responsible for what the corporate marketing department brewed up. They are however directly responsible for finalizing applications and OS revisions which have very serious exploitable code flaws in them, as is any Microsoft or Linux or Unix developer. No, users do not need to be exposed because some people don't like the smug attitude in the marketing practices. Unfortunately though, it appears exposing the user to the exploits, from sys admin to the end user, is sometimes what has to happen to provide the staunch wake up call that is needed.
I am now officially done posting : ) Work productivity has decreased and it's time to haul ass before Christmas.
Merry Christmas and Happy New Year.
Whatever platform you use, no one should be advocating the use of scare tactics, and possible damage to users machines, as is being done here.
We need to remember that it gives developers/users/enthusiasts who run non-Apple OS's and/or who espouse the idea of non-Apple OS's special glee to even marginally dethrone Apple. At least those developers/users/enthusiasts who have some beef with the company.
Apple has been viewed with disdain for years because it actually delivered on promises the competition couldn't even hope to make.
Although this Month Of Security Bugs idea will yield some benefit in the long run, it really is nothing more than hackers/code-writers getting together to see who can be the first to bring down Apple. It's not a public service. It's an ego trip that is completely exemplary of the individual virus-writer's mindset. Any public service rendered by this sort of childish indulgence is simply a by-product of otherwise malicious and self-serving intentions. And one that might end up causing more harm than good.
But fair enough. When my OS X system is rendered unusable by a plethora of viruses and malware . . . *then* we'll talk. Until then, keep trying, kids.
First of all, it's not at all hard to get a good shot in on Apple.
Second, Apple has to be in top place before it can be dethroned. And *any* company whose product is so unpopular that it's only been adopted by 3-4% of its market is certainly not a market leader. Unless it's a niche market, and desktop/laptop computers are NOT a niche market.
Third, Apple is still catching up to its competition in a lot of ways. iLife, for example, offers almost nothing that Windows XP users haven't been enjoying for years. And has Apple figured out yet that there's room on a mouse for 2 buttons? Need another example? Ok, the upcoming "Leopard" service pack is featuring 'Time Machine', which is a (I'll use Steve's own word here) "photocopy" of either System Restore or Volume Shadow Copy. Now where have I seen those before?
And finally, I don't think it's about "bringing down Apple" (it's not that hard)... it's about defeating Mac users' misconception that OS X is invincible or "perfect".
As you know it's a very difficult task to overcome that kind of thinking and I think that's what this project is all about.
And the blind fanboys continue to lead the blind who will soon enough be fanboys.
I am not sure where you think Apple is going to get dethroned from, because last time I checked, they don't have any sort of throne, crown, or lead other than the mp3 player market, and that is due to advertising, not product superiority.
Apple have gained market share and popularity over the last 5 or so years due to the iPod and some clever marketing.
Go back 7 or 8 years and most people outside of the States (I'm talking about the general public, not followers of technology like most people on Neowin) had not seen an Apple computer and thought PCs were all that was available.
Now they are a household name.
Mac OS and Mac OS X were secure not because they were coded well (all complex programs have flaws and holes, it's impossible not to) but because they were a target not worth bothering with.
So up until now Apple's claims have been correct. To my knowledge they have never stated they were more secure because their OS had no flaws.
Eh? Most everyone knew what Macs were because they were used so much in schools. They just didn't know that it was an acceptable home PC.
Well, if I used fanboi logic I could say XP is "perfect" because I have yet to be affected by a security vulnerability or a single incident of malware. But I'm not a fanboi. I live in the real world and know that XP is not perfect and neither is OS X.