The month of Apple bugs
By Steve Ragan Dec 21, 2006, 19:22 GMT
LMH, the man behind the popular disclosures The Month of Kernel Bugs and Month of Browser Bugs, returns in January with researcher Kevin Finisteere for a new project, The Month of Apple Bugs. The goal is to release an exploit, bug, or flaw in several Apple products during the entire month of January.
The reasons reported by Kevin Finisteere to Robert McMillian of IDG News are “to raise awareness of security vulnerabilities in Apple's products and to "stomp smugness," Finisterre said via e-mail.” The smugness Finisteere speaks of is one some, not all Macintosh users have, “Apple is more secure and less likely prone to attacks or exploits because the development and design of the software and hardware is flawless.”
This thought, while false, does hold some base of truth as you rarely hear of exploits and other issues surrounding security on a Macintosh. Another mitigating factor is compared to the volume of bugs, exploits, viruses, and malicious code for XP, Macintosh does appear on the surface to be “bullet-proof.”
The popular TV Ads, featuring a Windows person and a Macintosh person point out in one commercial that Macintosh does not get things like viruses or spyware on its system. As proven this month, the Word exploits that centered on Microsoft Office also affected Apple’s OS X with Office 2004 installed. Apple users were quick to point out that it was a Microsoft product running on an Apple operating system that was at risk and not the Apple OS software it’s self. Another example came this summer when a flaw with OS X’s wireless driver software proved that there was a method to exploit Wi-Fi access and hijack a system running OS X. The topic of AirPort cards and Bluetooth access exploitation is still a sore spot.
September of this year saw a security patch released by Macintosh to fix ten separate security issues for OS X, dealing with privilege escalation, DoS, Spoofing, and Exposure of Sensitive Information on systems which were unpatched and open to attack. Unpatched meaning every system running Macintosh OS X version 10.4.7 or less was open to these exploitations.
The Macintosh OS is just as open to exploitation as the rest of the popular operating systems. Windows and several flavors of Linux too have their share of woes, and problems. Most authors of viruses or exploits simply do not target OS X partly because of its part UNIX kernel, and the lack of users operating on the system. Another problem with OS X is that there is no noise or huge uproar when there is an attack or exploit. Now, with January approaching, the noise level is rising from users and security critics alike.
In an email interview given to Robert McMillian LMH said, “[Some of the bugs] might represent a significant risk. Others have a lower impact on security. We are trying to develop working exploits for every issue we find.” The project will attempt to disclose bugs inside the OS X kernel as well as software, such as, QuickTime, iPhoto and iTunes, among others. Some software from Apple designed to run on Microsoft Windows might be affected as well.
Researchers in the security sector are talking about January and the Apple month because they think it is an irresponsible move on part by LMH and Finisteere to disclose this information without first giving Apple a chance to react. John Viega, McAfee's vice president and chief security architect, told SCMagazine.com "It's important to emphasize that something like this is irresponsible disclosure," he said. "Apple is not being given a chance to address (these bugs). I think that's a huge detriment to their customers." There is a thin line to walk when dealing with a disclosure like what LMF plans.
The part to allow Apple time to react is how most public releases are done. Other releases cause software makers to go into reaction mode and quickly put a patch together and release a fix. These are known as 0-Day releases. Microsoft sees the latter form of public disclosures more often than not. Those in the security world might not agree with this method of release, and they may want first crack at systems and code before the public does, but rest assured that when the first bug hits the web they will be reading with interest like the rest of us.
On macrumors.com, there is a thread about The Month of Apple Bugs and the issue is almost even split.
User MacinDoc comments, “The fact that the "month of OS X bugs" will coincide with the release of Vista certainly suggests that this is nothing more than an attempt to discredit Apple. In fact, it would not surprise me to find out that this hacker is funded by Microsoft. Why only target Mac OS X? Why not Windows? Clearly it is this hacker, not Apple, that has the hidden agenda. And the methods are terrible. To report a security bug to the public instead of the manufacturer allows other hackers the opportunity to exploit the bug before it can be patched. Shame on him! Of course, the fact that he made many false statements during his month of kernel bugs shows just how trustworthy he is. Does OS X have bugs? Of course it does. Do responsible people exploit bugs in this way? Not on your life. Two big thumbs down for this jerk.”
While not the general view of others on the forum, this comment follows the same pattern as the others. The method of disclosure is wrong, the fact it targets only Apple is wrong, and so on. The fact he targets Apple only is the point, and at no time were the postings about the Month of Kernel Bugs false or incorrect. Another point made on the forum from user SeaFox, “I expect them all [disclosed bugs] to require some sort of insecure feature or service setup. Like for this exploit to work you have to have files set to open automatically in Safari, or you have to have Apache active, or you have to have physical access to the machine…. I expect at least a quarter of these bugs to be BSD bugs, and not ones that are specific to OSX.”
If that is the case and most are BSD related, the simple fact OS X is based off BSD sill makes them valid issues. One user made the comment that “This is how most security companies treat Windows. It's disgusting in a way... The vast majority of virii and hacks wouldn't exist if it weren't for "security" companies publishing their findings publicly. Often, they never even directly inform Microsoft of what they have discovered, or if they do it's after they have gone public.”
While this is true, the fact it happens is why Phishing schemes are easier to catch, spam filters get smarter, and why malicious hackers are always writing new code and searching for more ways to exploit systems. There is a good and bad side to the methods the security companies use.
While users and security firms are waiting to see how this turns out the point is simple. No matter what, this will be a good chance at positive PR for Apple. No matter how many bugs are found or exploits released they will patch them. They will likely patch them faster than Windows does simply because they are public and because people will demand them.
If the exploits or bugs are false or very low on the scale of security, someone will point that out. If they are made up, they will be debunked. Taking a step back to look at it from all sides, you can see that Apple will still come out better after all is said and done.
Speaking of Apple, what do they think of all of this and the hype? They welcome it and one Apple spokesperson is quoted as telling IDG News, “We always welcome feedback on how to improve security on the Mac.”
One thing will be clear after all is said and done, LMH and Finisteere will be seen as evildoers in the eyes of some and heroes in the eyes of others, and Windows will likely see another round of exploits at the same time, what few there might be, are released for the Mac.