Month of security bugs set to bite Apple

Apple Computer will soon be a member of the "month of bugs" club. On Jan. 1, two security researchers will begin publishing details of a flood of security vulnerabilities in Apple's products. Their plan is to disclose one bug per day for the entire month, they said Tuesday. The project is being launched by an independent security researcher, Kevin Finisterre, and a hacker known as LMH, who declined to reveal his identity.

Some of the bugs "might represent a significant risk," LMH said in an e-mail interview. "Others have a lower impact on security. We are trying to develop working exploits for every issue we find." The two hackers plan to disclose bugs in the Mac OS X kernel as well as in software such as Safari, iTunes, iPhoto and QuickTime, LMH said. Some of the bugs will also affect versions of Apple's software designed to run on Microsoft Corp.'s Windows operating system, he added. LMH was one of the brains behind the recent Month of Kernel Bugs project, which exposed flaws at the core of several different operating systems. It was inspired by an earlier effort, called the Month of Browser Bugs, which was kicked off in July.

News source: InfoWorld


That is *exactly* what this project is all about. Dismissing the fanboi fantasy that OS X is "perfect".

Well, if I used fanboi logic I could say XP is "perfect" because I have yet to be affected by a security vulnerability or a single incident of malware. But I'm not a fanboi. I live in the real world and know that XP is not perfect and neither is OS X.

It's simple: there are so many viruses for Windows as it is the market leader, and therefore the biggest target.

Apple have gained market share and popularity over the last 5 or so years due to the iPod and some clever marketing.
Go back 7 or 8 years and most people outside of the States (I'm talking about the general public, not followers of technology like most people on Neowin) had not seen an Apple computer and thought PCs were all that was available.
Now they are a household name.

Mac OS and Mac OS X were secure not because they were coded well (all complex programs have flaws and holes; it is impossible not to) but because they were a target not worth bothering with.

So up until now Apple's claims have been correct. To my knowledge they have never stated they were more secure because their OS had no flaws.

Quote - Elektricity said @ #14
It's simple: there are so many viruses for Windows as it is the market leader, and therefore the biggest target.

Apple have gained market share and popularity over the last 5 or so years due to the iPod and some clever marketing.
Go back 7 or 8 years and most people outside of the States (I'm talking about the general public, not followers of technology like most people on Neowin) had not seen an Apple computer and thought PCs were all that was available.
Now they are a household name.

Mac OS and Mac OS X were secure not because they were coded well (all complex programs have flaws and holes; it is impossible not to) but because they were a target not worth bothering with.

So up until now Apple's claims have been correct. To my knowledge they have never stated they were more secure because their OS had no flaws.

Eh? Most everyone knew what macs were because they were used so much in schools. They just didn't know that it was an acceptable home PC.

You would be correct if OSX were not inherently more secure than Windows. Before OSX, there were viruses for the Apple... I got a few. OSX fixed those issues. Your market size theory does not hold water since there are many more viruses and worms for Linux and BSD than OSX, and they hold much smaller market share.

Until then, keep trying, kids.

And the blind fanboys continue to lead the blind who will soon enough be fanboys.

I am not sure where you think Apple is going to get dethroned from, because last time I checked, they don't have any sort of throne, crown, or lead other than the mp3 player market, and that is due to advertising, not product superiority.

Mac OS X isn't invulnerable, but it is not as easy to crack and hack as Windows. If you know that the system folder is read-only, you would feel much safer just by the idea.

Apple has never stated it is invulnerable to such security risks. They simply stated that OS X is by default more secure than Windows, and also that there are still no viable virus threats to the Mac OS.

Whatever platform you use, no one should be advocating the use of scare tactics, and possible damage to users machines, as is being done here.

Edguardo, in that regard, yes, I totally agree with you. I disagree totally with people who post the exploit's code to the public before even informing the vendor of the problem; that shows a total lack of responsibility on their part and goes to show they really don't care a bit about users. They are just on a fame trip about becoming front page.

Dude... did you read my first statement? To re-iterate it further, reporting the problems responsibly so the company can make patches instead of putting users at risk is something I implicitly agree with, and I am by no means cheering LMH and Kevin Finisterre for conducting it this way. I am merely expressing what I feel are some advantages of the way it is being done.

In response to your question about satisfying mine and LMH's bloodlust (quite the word choice, by the way), to some extent, yes, it makes me feel better to see Apple is releasing a whole crapload of patches recently and is taking all of the rapidly evolving threats against their operating system and applications seriously. However, you'd think Apple would change their marketing scheme by now and Mac users around the world would at least begin to admit they are vulnerable and not invincible to cyber threats.

Obviously you don't like Windows. I am making an assumption here in saying I bet you didn't say a thing or voice your opinion at all when a month of Windows kernel level flaws and IE specific bugs were going on while publicly disclosing zero day vulnerabilities to millions and millions and millions of windows users around the world. And one more time, I absolutely am not whatsoever advocating the public disclosure of zero day vulnerabilities. I am simply throwing my opinion out there on what the ramifications SHOULD be about this Mac month of flaws.

Cheers to Kushan and RazorEye.

Do you know markjensen? He might not use Windows, but he's always held the same opinion: no matter what OS, people should try to report to the vendor first, not just go out and scream for attention.
I feel the same way: what's the use in putting people at risk.

I'm sure markjensen can defend himself, but I would like to state that he has been one of the best debaters when it comes to different OS'es. By that, I mean he manages to tell others why he prefers the OS he uses, but never bashes other OS'es. On top of that, he's consistent, and doesn't spread FUD.

Markjensen: keep up the good work

Dude. I did read it. From beginning to end.

You stated how not informing the vendor about bugs ahead of public disclosure was "not worth advocating" in your first sentence, and the rest of your post was going on and on about how Apple deserved it, and how you think that the users need to suffer, too.

As for your self-described "assumption", feel free to look through my posting history.

Quote - markjensen said @ #7.2
Dude. I did read it. From beginning to end.

You stated how not informing the vendor about bugs ahead of public disclosure was "not worth advocating" in your first sentence, and the rest of your post was going on and on about how Apple deserved it, and how you think that the users need to suffer, too.

As for your self-described "assumption", feel free to look through my posting history. ;)

Mark-

First and foremost, you have my apologies for incorrectly assuming that you didn’t voice your opinion on the month of Windows kernel and IE flaws. I didn't look back at previous posts and based my assumption upon you saying "I don't like Windows." Clearly this was a bad assumption on my behalf. The key thing is that at least I used the word assume. I am very confident that you'll agree with me in that forums of this nature should not whatsoever include personal bashes and should remain on subject. Again, sorry for incorrectly assuming something about you.

I stated "I completely agree that full disclosure of zero day vulnerabilities without informing the vendor is not worth advocating." A.K.A I don't advocate full disclosure of zero day vulnerabilities, as I clearly stated in the above line, as well as numerous other times in my responses and I do NOT "go around advocating zero-day public disclosures to slap faces." I'm not exactly sure how you interpreted my stance incorrectly, perhaps you read it wrong. You said the rest of my post went on and on about how Apple deserved it and how I think the users need to suffer too. Please allow me to dissect my initial posting, statement by statement, which you are referring to.

***"However, do you not agree that this a deserved slap in the face for the developers of the Mac OS and other Mac specific applications to begin implementing extensive security specific Q and A?" I would like a yes or no answer from you on this question. I understand you don't agree with the term "slap the face," but please provide me your answer and why you answer the way you do.***

***"More importantly, perhaps this can be taken as a wake up call to the vast majority of Mac users who consider themselves invincible in regards to security." Is it not a fact that some Mac users consider themselves nearly invincible from security threats? My opinion is that yes they do, but for damn good reasoning. Obviously everyone in here knows Macs are, hands down, more secure than Windows, they have been since day 1 and will continue to be for quite some time. Please understand I don't think the Mac users who feel this way need to suffer, I simply feel they should take this month of flaws as a wake up call that hacker dudes all over are beginning to shift their targets to the Mac OS and Mac specific applications.***

***"In my opinion, it seems this month of bugs and working exploits is a direct effect of all of the downright cheesy Mac commercials which have numerous times implied Macs are far more secure than Windows PCs (Mac pretty much painted a red bullseye on themselves to hackers around the world)." I don't think Apple "deserves" what is currently happening to them, specifically in regards to Mac users being very vulnerable due to the upcoming zero day exploits, but I do feel very strongly that it is a direct consequence of them designing the commercials the way they did. I therefore feel they deserve the repercussions which follow a bad choice being made.***

***"In regards to this benefiting no one but "LMH", I strongly disagree. I feel it benefits a very large portion of the Mac community by making them step out of the invincibility force field they are behind and accepting the harsh reality that all Operating Systems and OS specific applications have bugs that are exploitable." It's difficult for me to understand how someone doesn't agree with my above statement. Clearly it will benefit and open the eyes of some Mac users who are in sleep mode when it comes to keeping things up to date since they think their level of security is still way ahead of Windows machines (which obviously it still is, and I thoroughly know this and acknowledge it as a cold hard fact). However, coupled with this benefit is the harsh and unfortunate truth that the users of the affected software are at risk and, more importantly, the "code researcher" has publicly disclosed it without first notifying the vendor, therefore not allowing a patch to be created, tested, and released for the affected users.***

Conclusion, you and I both strongly agree that guys or gals who disclose zero day vulnerabilities without notifying the vendor are not doing the right thing. However, it does appear that we strongly disagree on the possible advantages which can come of doing so.

Quote - Edguardo said @ #7.3
Sounds like we agree on what proper disclosure should be. We disagree on the benefits of this showboating stunt. I think that these sorts of actions cause users more pain than it causes the company (which just fixes the problem as fast as they can).

I do not like Microsoft very much, but I don't have a loathing or anger. I just disagree with many of their business practices. As for their products, they just don't suit me well. I have even been known to compliment their products on occasion - the latest IIS has an impressive security record (which I posted in BPN several months ago).

EDIT: Answering your "yes or no" question... No, I don't feel that Apple's developers "need" a slap in the face. They started with a BSD base. They know that updates and bug fixes are constant. They have been working on a brand-new OS. OSX is a complete rewrite from what OS9 was - much more so than XP to Vista, which keeps the same infrastructure. Are developers responsible for advertisements from the corporate marketing department? Do users also need to be exposed because some people don't like "smug" attitude in their ads? I am about as much a fan of Apple's business practices as I am of Microsoft. DRM and lock-in are tools they both use, and neither of those tools benefit the consumer.

Quote - markjensen said @ #7.4
Sounds like we agree on what proper disclosure should be. We disagree on the benefits of this showboating stunt. I think that these sorts of actions cause users more pain than it causes the company (which just fixes the problem as fast as they can).

I do not like Microsoft very much, but I don't have a loathing or anger. I just disagree with many of their business practices. As for their products, they just don't suit me well. I have even been known to compliment their products on occasion - the latest IIS has an impressive security record (which I posted in BPN several months ago).

EDIT: Answering your "yes or no" question... No, I don't feel that Apple's developers "need" a slap in the face. They started with a BSD base. They know that updates and bug fixes are constant. They have been working on a brand-new OS. OSX is a complete rewrite from what OS9 was - much more so than XP to Vista, which keeps the same infrastructure. Are developers responsible for advertisements from the corporate marketing department? Do users also need to be exposed because some people don't like "smug" attitude in their ads? I am about as much a fan of Apple's business practices as I am of Microsoft. DRM and lock-in are tools they both use, and neither of those tools benefit the consumer.

I have been known to compliment Apple's products as well : )

My intent in the question wasn't whether or not they "need" a slap in the face, my intent was to raise the question of perhaps it is truly time to implement further and more extensive security auditing into the development stage for the Apple coders. Developers are absolutely not responsible for what the corporate marketing department brewed up. They are however directly responsible for finalizing applications and OS revisions which have very serious exploitable code flaws in them, as is any Microsoft or Linux or Unix developer. No, users do not need to be exposed because some people don't like the smug attitude in the marketing practices. Unfortunately though, it appears exposing the user to the exploits, from sys admin to the end user, is sometimes what has to happen to provide the staunch wake up call that is needed.

I am now officially done posting : ) Work productivity has decreased and it's time to haul ass before Christmas.

Merry Christmas and Happy New Year.

This just makes it clear once again that if Mac OSX were to be the mainstream OS these days then it would be as insecure and as unstable as any other mainstream OS. Sorry, all the fanboys, but it's the truth.

However, I think that Apple is very good at pretending as mentioned by Kushan. They need someone who will humiliate them otherwise they just keep pretending to be this out of the world operating system with no security issues. I mean they take every jab at Microsoft for security problems they can. Not that MS is perfect, but at least it doesn't tout things and tries to make money by humiliating other people.

At the same time, there are not that many Mac users so I don't think this will affect too many people. AND it will be a lot of fun to watch Apple scramble :nuts: I like 2007 already hehe!

I would say it would be nice to see a month of Microsoft Security issues, but they have been running the same thing every month for the past 10 years.

Quote - Knight85 said @ #5
However, I think that Apple is very good at pretending as mentioned by Kushan. They need someone who will humiliate them otherwise they just keep pretending to be this out of the world operating system with no security issues. I mean they take every jab at Microsoft for security problems they can. Not that MS is perfect, but at least it doesn't tout things and tries to make money by humiliating other people.

At the same time, there are not that many Mac users so I don't think this will affect too many people. AND it will be a lot of fun to watch Apple scramble :nuts: I like 2007 already hehe!

For some strange, obscure reason, I prefer to see annoying Mac fanboys, instead of annoying Mac viruses...

The more disclosure to the public, the more work I get! I deal with at least 20 apple clients a week and I ask them how they feel about their security and 99.99999% of them say we are protected because it's an apple Hah!

markjensen-

In response to your posting, I completely agree that full disclosure of zero day vulnerabilities without informing the vendor is not worth advocating. However, do you not agree that this is a deserved slap in the face for the developers of the Mac OS and other Mac specific applications to begin implementing extensive security specific Q and A? More importantly, perhaps this can be taken as a wake up call to the vast majority of Mac users who consider themselves invincible in regards to security. In my opinion, it seems this month of bugs and working exploits is a direct effect of all of the downright cheesy Mac commercials which have numerous times implied Macs are far more secure than Windows PCs (Mac pretty much painted a red bullseye on themselves to hackers around the world). In regards to this benefiting no one but "LMH", I strongly disagree. I feel it benefits a very large portion of the Mac community by making them step out of the invincibility forcefield they are behind and accepting the harsh reality that all Operating Systems and OS specific applications have bugs that are exploitable.

Oh, yes. Slapping the face. Very good security policy.

How about reporting the problems responsibly, so the company can make patches? Why put users at risk, just to satisfy some sort of self-indulgence.

Vengeance does not lend itself to rational thoughts, it seems.

Would not Apple's release of 30 patches also "slap the face" enough to satisfy LMH's and your bloodlust? I don't like Microsoft Windows, yet I don't go around advocating zero-day public disclosures to "slap faces".

Quote - markjensen said @ #4.1
Oh, yes. Slapping the face. Very good security policy.

How about reporting the problems responsibly, so the company can make patches? Why put users at risk, just to satisfy some sort of self-indulgence.

Vengeance does not lend itself to rational thoughts, it seems.

Would not Apple's release of 30 patches also "slap the face" enough to satisfy LMH's and your bloodlust? I don't like Microsoft Windows, yet I don't go around advocating zero-day public disclosures to "slap faces".

Apple have a nasty habit of just denying such a problem ever exists anyway, and even resort to extreme measures to completely debunk the person making the allegations. I fully support this purely to put all of the hardcore Apple fanboys in their place about the security of MacOS, at least for a time.

What is more irresponsible though? A hacker who informs a company at the same time as the public of vulnerabilities in their software, or a company who for years has touted its "safe" operating system that doesn't have "all those problems" of the leading one?

Time will tell.

Quote - RazorEye said @ #3
What is more irresponsible though? A hacker who informs a company at the same time as the public of vulnerabilities in their software, or a company who for years has touted its "safe" operating system that doesn't have "all those problems" of the leading one?

Time will tell.

Good point

Quote - RazorEye said @ #3
What is more irresponsible though? A hacker who informs a company at the same time as the public of vulnerabilities in their software, or a company who for years has touted its "safe" operating system that doesn't have "all those problems" of the leading one?

Time will tell.

Well, that company has been correct. They haven't had spyware or virus problems ;)

Their software is (of course) not perfectly secure, but what Apple has been saying ('We're not affected by viruses or spyware') has pretty much been correct up to now.

From another source on this news item:

As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message.

This guy is irresponsible and seems to be an attention-seeking egomaniac.

I don't advocate this sort of full disclosure without informing the vendor, first. I can understand if he submitted it months ago, and no action was taken. He might be inclined to 'turn up the heat', but this benefits no one but "LMH".

Quote - markjensen said @ #2

This guy is irresponsible and seems to be an attention-seeking egomaniac.

I don't advocate this sort of full disclosure without informing the vendor, first. I can understand if he submitted it months ago, and no action was taken. He might be inclined to 'turn up the heat', but this benefits no one but "LMH".

Agreed.

I'm all about people looking for and finding vulnerabilities in competitors products with the same ferocity they do with Windows. However, regardless of the "target" - the vendor should be informed first. At that point I think the vendor should engage the source so that they feel action is being taken (even if it can't be patched overnight) - so that public disclosure doesn't happen until after a fix has been issued.

I'm all for disclosing Mac bugs. Maybe all the Mac fanboys will get off their high horse when they see their precious OSX isn't as safe as they pretend it to be. Only reason they haven't been hit by anything big yet is because no one cares enough to really go after that 3-5% of their market share.

Eh maybe these people who have "month of bugs" should go work for one of the companies and try to fix the bugs rather than just coming out with "yo there is a bug here, it works like this.... Evil people go exploit it before it is fixed"