Month of Apple Bugs Debuts in January

An anonymous reader writes "A pair of security researchers has picked January 2007 as the Month of Apple Bugs, a project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it. According to a post over at The Washington Post's Security Fix blog, the project is being put together by researchers Kevin Finisterre and the guy who ran November's Month of Kernel Bugs project." From the post: "It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation."

171 comments

  1. Some thoughts and considerations by daveschroeder · · Score: 4, Insightful

    Brian Krebs seems to have some kind of fascination with "proving" that Mac OS X is "insecure" while simultaneously accusing Apple of using strong-arm tactics to try to silence critics. (Note: going after people for leaking confidential information is not the same as a situation in which people are making security issues known.)

    Every reasonable person on the planet already knows, and has known, that every OS has bugs, vulnerabilities, and security issues, and Mac OS X is no exception. The simple, undeniable truth is that for a variety of reasons, including marketshare and the security architecture of the OS, Mac OS X is a far more secure general purpose desktop operating system for most users than any viable alternative. There is almost zero malware of any kind "in the wild", no malware with vectors for mass propagation, and little with ANY kind of propagation capability whatsoever. And contrary to popular opinion among some, Apple does indeed respond to, and fix, security vulnerabilities, including crediting the discoverer(s) when said person or entity provides Apple with enough information to verify the issue. It has continuously and consistently improved on this front, mostly as a result of working with people in the enterprise and academic communities (e.g., Apple University Executive Forum and MacEnterprise.org). There is always room for improvement, but we have seen Apple make marked progress in disclosing, accurately describing, and fixing vulnerabilities in Mac OS X. As with most commercial vendors, Apple does not comment on security issues before they are fixed. So don't expect Apple to make public statements and explanations of any kind until after a particular vulnerability is addressed.

    What should be "interesting" to see isn't whether or not Apple "does anything" to "scuttle" the project; it will be whether Apple has previously had any chance to respond to any of the issues that will be disclosed. If not, this little project doesn't prove anything at all, other than that every operating system, Mac OS X included, has bugs. (Duh?) What's important is the general security architecture, practical security state-of-affairs on the platform, and how the vendor responds to issues. I'll be far more interested to see how and when Apple responds to the issues raised, and if it properly "triages" the issues and handles them accordingly (on this note, predict that people will complain Apple is taking "too long" to fix some of the issues, when in reality it is devoting programming and testing and QA resources to the issues in the order of importance and impact).

    1. Re:Some thoughts and considerations by gravesb · · Score: 3, Insightful

      I also think the quality of the bugs will be interesting. If all 30 bugs are show stoppers, then there are some serious underlying issues that should be addressed. If, however, they are insignificant or extremely contrived (this application can install malware if the user types in the admin password), then won't it really be an admission that the parties involved can't find critical security holes? (Not that they don't exist; it's almost impossible to prove a negative in general, and that one specifically.) It should be good for Apple regardless, in that major holes are id'd and can be fixed, or their security reputation is improved.

      --
      http://bgcommonsense.blogspot.com
    2. Re:Some thoughts and considerations by Ed+Avis · · Score: 1

      In a sense it matters nothing at all whether Apple has previously had a chance to respond. I don't think any exploit tool has a special mode where it only takes advantage of vulnerabilities if the vendor has had a reasonable time to fix them. Nobody should care about how good the vendor's excuses are about why the security holes haven't been fixed; only that they haven't.

      --
      -- Ed Avis ed@membled.com
    3. Re:Some thoughts and considerations by Incongruity · · Score: 4, Insightful

      (I'm not a mac fanboy, but I play one on slashdot)

      I also think the quality of the bugs will be interesting. If all 30 bugs are show stoppers, then there are some serious underlying issues that should be addressed.
      And I totally agree. If there are bugs, better to have them out there and then fixed than it is to have them be obscure pieces of knowledge that a motivated few will use for their gain.

      In the end, a month of OS X bugspotting can only be a good thing, IMHO.

    4. Re:Some thoughts and considerations by daveschroeder · · Score: 4, Informative

      This has nothing to do with whether or not holes will be maliciously exploited by some; of course they will be.

      What matters most is how Apple responds to issues once it knows about them, whether it discovers them internally, is privately informed, or finds out via a project like this.

      You can't fix a bug you don't know about, and saying Apple should somehow magically know about them all itself is disingenuous. All software will have bugs, and people other than the vendor will always discover some of them. Some of these bugs will be able to be used as avenues for exploit.

      The only question is whether, as a responsible security researcher, you give the vendor a chance to respond before disclosing, or not. This has zero to do with what other malicious people will do.

      I understand you're probably one of those people who doesn't think there is any value at all in informing the vendor and giving them an opportunity to fix an issue before widely disclosing it, so this discussion isn't likely to get anywhere.

    5. Re:Some thoughts and considerations by BarryJacobsen · · Score: 2, Insightful

      What if the reason they haven't been fixed is because some asshat is waiting for a publicity stunt to reveal 30 some exploits that have been found instead of giving them the information to fix them NOW. Somehow if this was any field other than computers I think people would look at this very differently: I have some information about cancer and can give a formula that almost any scientist could turn into a working cure given a reasonable amount of time, but I'm going to wait a few weeks and then release part of the information every day for a month on my website (don't forget to click the banner ads!).

    6. Re:Some thoughts and considerations by cyngus · · Score: 1

      I don't care at all about a vendor's excuses, I care about their reasons. If the reason there is a bug that hasn't been fixed is that they were working on something more important, good. It's all a matter of priorities. If there is a bug in the airport implementation that only occurs when doing something obscure like roaming across access points and transitioning from an 802.11a to an 802.11g connection while using certificate authentication, big deal that you didn't catch it. I'm glad Apple didn't waste resources trying to find it, I'm happy they spent time building ZFS drivers.

      Let me know the first time you build a bug free device driver, let alone an operating system, and then you can open your trap.

    7. Re:Some thoughts and considerations by Zebra_X · · Score: 1

      "Mac OS X is a far more secure general purpose desktop operating system for most users than any viable alternative. There is almost zero malware of any kind "in the wild", no malware with vectors for mass propagation, and little with ANY kind of propagation capability whatsoever."

      Because none has been written? How many people have bothered to write something for an OS with ~ 4% of the market share when there is a whole 96% out there waiting to be owned, apparently no one. There has been one attempt at a rudimentary Trojan recently, but OS X goes largely unexploited, and for good reasons - too much work with little gain.

      It doesn't help that OS X actually uses a real programming language for the OS - this for the most part helps to keep the script kiddies out.

      Here is the thing - when and if OS X gains a reasonable amount of market share, you can be sure that it, and its users, will become a target.

      What I think many people do not realize is that Microsoft is now trying to deal with protecting users from themselves. This is the basis for the whole UAC framework. Most of the malware is now propagated by users themselves. For example, they find a "helpful" toolbar that says: "Download this great new toolbar!" The user clicks OK and they are owned. There is NOTHING to prevent this from happening on OS X, except for the fact that no one has bothered, yet. This issue isn't so much the technology as it is user education. Don't get me wrong, Windows makes it "easier" to exploit the system once you get user consent since there is really no privilege partitioning. However, it is abundantly clear from stories about computer users that they are at fault when they get infected. Frequently we'll hear: "I did X, Y and Z and then the computer started acting funny!" The key being that the user actually did something to cause the infection.

      I think, though I have no proof, that the present Mac user base is fundamentally savvier than the average PC user. This is quite likely to change as the number of adopters of OS X increases. This is why education needs to start now - about how to "safely" use a computer. And about how no one is really "safe" if they don't know how to distinguish bad actions (downloading and running un-trusted browser components) from good actions (not clicking on the attachment that says RUN ME!). Phishing is a perfect example of users not understanding how to determine if a page is legitimate or not. This form of attack is not relegated to any particular platform.

      Choosing a fringe operating system is one way out of the trap, but as the malware writers have shown over the last 5 years, they are smart, resourceful and capable of staying ahead of the curve.

      I think maybe you should reexamine the reasons for the perceived sense of security afforded by OS X. I think it has less to do with technology and more to do with smarter users and a disinterest from the people who might want to own your machine.

    8. Re:Some thoughts and considerations by Abcd1234 · · Score: 3, Interesting

      That's insane. No software product, no matter how well intentioned the developers, will ever be completely absent of bugs come release-time. Obviously, defensive code practices and other techniques can reduce the number of bugs generated, and a well-designed architecture can minimize the impacts of bugs that *do* leak through, but no product will ever be perfect.

      The "Windoze Haters" feel the way they do because, time and again, Microsoft has demonstrated that they produce software which is not only very buggy (certainly more so than their competitors), but faulty by its very design (eg, wiring IE into the OS, which made it a perfect vector for infection). Worse yet, when they release fixes, they are just as likely to introduce *new* bugs as fix the old ones, demonstrating a significant lack of competence (not to mention further calling into question the underlying architecture).

    9. Re:Some thoughts and considerations by Udo+Schmitz · · Score: 1

      whether Apple has previously had any chance to respond to any of the issues that will be disclosed.

      No they hadn't and they won't. From the Washington Post: "As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message."

      Just a publicity stunt.

    10. Re:Some thoughts and considerations by Achromatic1978 · · Score: 1

      Nowhere did I ever say the code would be perfect. What I /was criticizing was the GP's attitude that it didn't matter what bugs Apple did have in OS X as long as they 'reacted' to them when announced. What I did was contrast that with the constant lambasting that MS stuff gets (indeed, legitimately, a lot of the time) - for doing that, 'reacting to security issues'. It's not acceptable for MS to do that, so why is it (as the GP said) the 'most important thing' that 'Apple does that'? That was the entirety of my point (and a little rhetorical, considering where I am).

    11. Re:Some thoughts and considerations by Abcd1234 · · Score: 3, Insightful

      Except that, thus far, OSX has proven itself to be far less bug-ridden, out of the box, than any MS product. If, in five years, Apple has proven to be as unreliable as MS, you can bet people will be complaining just as loudly about them.

    12. Re:Some thoughts and considerations by Trillan · · Score: 5, Insightful

      I don't oppose making the bugs public at all. But I do think this needs to be done in a fair manner.

      Specifically:

      1. Bugs should be in Mac OS X 10.4 (or possibly 10.3).
        Pre-release software is not a fair target. It's under NDA, and is bound to have a bunch of issues. Apple has a system in place for dealing with 10.5 issues.
      2. All bugs should be reported to Apple via Radar.
        Posting without giving Apple advance notice is fine, but forcing Apple to deal with potentially thousands of reports from readers isn't.
      3. The web and Radar report should both include steps to reproduce.
        This really falls under the category of "duh." A bug report that can't be reproduced is simply not worth much (although it isn't entirely worthless).
    13. Re:Some thoughts and considerations by TheRaven64 · · Score: 4, Interesting
      It would be, if ever Apple actually fixed bugs. The oldest bugs I have in their bug tracking system marked as 'open' are from 2004. The latest one relates to the implementation of NSMutableArray's -sortUsingSelector: method. This is given the name of a compare method and sorts the objects in the array by calling it on pairs of objects. I took some code that used this and worked on PowerPC and compiled it for Intel. After calling this method, the results were incorrectly sorted. Calling it again, they were in a different, still unsorted, order.

      I thought it must be my code, so I added a load of debugging output to my -compare: method. I found that it was giving the correct result, and enough comparisons were performed to be able to create a sorted array. The final results, however, did not reflect this; if the comparisons said a is before b, and b is before c, the resulting array would often contain a c b.

      I was going to just copy the GNUstep implementation of this method into a category and use this in my application, but when I looked at it I noticed that theirs called -sortUsingFunction:context: where the context was the selector and the function was one that just invoked the method. I wondered if Cocoa did this too, so I tried using -sortUsingFunction:context: with a function that just called my -compare: method. And then it worked. It seems that someone wrote some 'clever' optimisations for Intel in the -sortUsingSelector: method, and broke it completely.

      --
      I am TheRaven on Soylent News
    14. Re:Some thoughts and considerations by Anonymous Coward · · Score: 1, Insightful

      How many people have bothered to write something for an OS with ~ 4% of the market share when there is a whole 96% out there waiting to be owned, apparently no one. There has been one attempt at a rudimentary Trojan recently, but OS X goes largely unexploited, and for good reasons - too much work with little gain.

      The same could easily have been said of Unix and VMS circa 1993, yet those platforms saw enormous and successful efforts at subversion. If the 4% Mac market includes some very profitable data -- and judging by how many security researchers use Macs, it does -- it will be targeted. Either the blackhats can in general always subvert OS X but have universally agreed not to say so, or they can on average only get into a few of the systems they try to get into. I personally feel it's more the latter, but that is just opinion.

      Most of the malware is now propagated by users themselves. For example the find a "helpful" toolbar that says: "Download this great new toolbar!" the user clicks OK and they are owned. There is NOTHING to prevent this from happening on OS X, except for the fact that no one has bothered, yet. This issue isn't so much the technology as it is user education. Don't get me wrong, Windows makes it "easier" to exploit the system once you get user consent since there is really no privilege partitioning. However it is abundantly clear from stories about computer users are at fault when they get infected. Frequently we'll hear: "I did X, Y and Z and then the computer started acting funny!" The key being that the user actually did something to cause the infection.

      We would need some decent statistics to assert "most", however all of the Windows users *I* have seen who have gotten hosed did the following: go onto college campus, activate wireless, get hosed by Windows virus propagating over the wireless. The Windows users among my friends and family do not execute files from the Internet, but they do view pictures and due to how Windows operates those are the same thing.

      I think maybe you should reexamine the reasons for the perceived sense of security afforded by OS X. I think it has less to do with technology and more to do with smarter users and a disinterest from the people who might want to own your machine.

      We sort of agree: for a serious enough attacker, *all* machines are vulnerable in some fashion exactly as all cars can be stolen. However, I disagree and think that OS X is quite more secure than Windows, possibly in the same ballpark as desktop Linux but not quite OpenBSD, and not just because the market share is lower. OS X, Linux, BSD, etc. are designed for multi-user operation and have benefitted from a long (and embarrassing) history of penetration testing going back before the Internet Worm of 1988. Even the X11 GUI has a full-featured security system in place -- nearly no one makes full use of it because the defaults are sane on modern distros.

    15. Re:Some thoughts and considerations by ivan256 · · Score: 0

      No software product, no matter how well intentioned the developers, will ever be completely absent of bugs come release-time.

      That is a ridiculous assertion. If you'd like to add something about a minimum level of complexity to that, then maybe it would be plausible, but it still wouldn't be provable. As your statement stands, though, it is completely false. There are hundreds if not thousands of simple to moderately complex software products available today that have no bugs.

    16. Re:Some thoughts and considerations by ceoyoyo · · Score: 2, Insightful

      Your argument has some merit, but the difference between zero wild exploits for OS X and what, 150,000 or something, for Windows would indicate there's something more going on than marketshare.

      Sure, OS X gets shielded because it's not as common, but total protection? I think being built on UNIX, already having security features that MS is building into Vista, separating user accounts and root, all incoming ports closed by default and not having your web browser and mail client allowed to do whatever they want probably have a lot to do with it.

    17. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      So it's okay if (and I'm not suggesting this is the case) you design something with severe holes all over the place, as long as you fix them when it's brought to your attention? You might want to tell all the "Windoze Haters" here. Apparently this is not acceptable.

      You've presented a false dichotomy. It is unreasonable for a developer to create insecure bug ridden software, with no testing, unless it is unlikely for other reasons that that software will be compromised (only running on an internal net or something). For a consumer grade desktop, it is reasonable for a company to do a level of testing and design that keeps their product reasonably secure in the real world. Normally, this would be a non-issue, since any product that did not meet these criteria would fail in the market, but one monopoly dominates the desktop OS space and is being leveraged into the server space. In this, I don't think anyone can fault Apple as their product is very rarely compromised, as compared to the other offerings in the market. That is the first issue, dealing with bugs not known by the designers, but which perhaps should be.

      The other set of bugs are bugs the vendor knows about, but does not fix anyway. Within a company it is hard to say how many of these exist, but I've been told by former employees MS fixes about half of the security bugs that are reported internally. Further, MS has a poor track record fixing bugs that are known publicly as well. Apple has a pretty good track record with public bugs (not perfect, but good) and I don't know about internal bugs.

      I much prefer my OS vendor to be proactive, not reactive, to security.

      I much prefer my security vendor to be both, in a balanced fashion. It is good to audit code and design securely, but it is also good to react quickly to known, public threats that probably present more risk.

    18. Re:Some thoughts and considerations by Incongruity · · Score: 1

      It would be, if ever Apple actually fixed bugs.

      Well, this sort of thing certainly wouldn't stop them from fixing bugs and it'd likely put more pressure on Apple to fix a bug or two, so I don't see how it'll end up worse for users and developers, unless Apple really doesn't care about their code quality, in which case, this'll illustrate it well enough that we'll all hear it loud and clear (assuming serious bugs are discovered in this process).

    19. Re:Some thoughts and considerations by Abcd1234 · · Score: 1

      Oooh, congratulations, you completely ignored the point of my argument and got me on a technicality. How very clever of you.

    20. Re:Some thoughts and considerations by jrockway · · Score: 1
      --
      My other car is first.
    21. Re:Some thoughts and considerations by Zebra_X · · Score: 1

      I agree with you on almost everything - we take one thing for granted. We, as technical experts would never willingly divulge a root level password if prompted for a hard to determine reason.

      Users, windows, linux, unix, bsd, what have you - if they don't know why, or don't care why they are being asked for the password, or are tricked into thinking that they are doing one task while executing another, may supply the root password to a bad program. There has already been a demo of such an exploit where a fake escalate box was displayed to an OS X user and snatched the admin password for their machine.

      Kids I think are also much less aware of "bad" places and will easily follow links received from "trusted" sources such as IMs from friends and e-mails. This is something that I've observed from watching younger individuals using PCs. I also consider the browser the fundamental pathway to destruction on end users' systems. It is there that a program can either exploit the host browser to gain system level access or gain the user's consent to conduct privileged activities.

      One for the imagination:
      Browser (Firefox for example) has a hole.
      Malicious page drops an application on the file system and adds a login hook.
      Application loads the next time user logs in, asks for admin privileges, user types password.
      Application does bad things.

      In this scenario the user would think the request for the password is associated with the action of logging in, and not due to a recent visit to a web page. No exploit is needed.

      While we (computer peeps) won't reasonably allow ourselves to be compromised, self administered machines by uneducated or unknowing users will continue to be sources of compromise, which is effectively my point - mac users, especially linux users, and of course the ultra paranoid OpenBSD users know enough when something is fishy. I'm just making the point that 95% of the people out there just don't know enough to prevent getting pwnd.

    22. Re:Some thoughts and considerations by kwerle · · Score: 2, Funny

      I'm thinking that you're not the only person who sorts arrays using sortUsingSelector on an intel machine.

      I'm also thinking that they probably haven't done anything with that particular code in the past 8 years.

      I am thinking that it is a problem with your code.

    23. Re:Some thoughts and considerations by Ed+Avis · · Score: 1

      You can't fix a bug you don't know about, and saying Apple should somehow magically know about them all itself is disingenuous.

      I don't think so at all. It's an indication of the sad state things are in when security holes are accepted as inevitable. If we still have buffer overflows in the year 2006, it's because nobody has really bothered to do what's necessary to eliminate them once and for all. (Switching to a safe language like Cyclone would fix all these, for example.) Ditto format string vulnerabilities, or integer overflows, or most of the other classes of bug that make up 90% of security holes.

      I agree that it's best to give the vendor time to respond before making public that there is a security hole - assuming the vendor actually does fix it promptly. All I'm saying is that a bug is a bug, and it's not somehow less serious because of a positive attitude by Apple, or because they have improved greatly in the past couple of years, or whatever. At the end of the day, if the system is insecure then it's insecure, and if the bug found its way into released software this is a failure. With the speed at which worms can spread, you cannot rely on patching fast enough, and so what happens _after_ the bug is found is fairly unimportant. What matters is that the bug exists at all.
      --
      -- Ed Avis ed@membled.com
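      The three bug classes Ed Avis names above (buffer overflows, format string vulnerabilities, integer overflows) each have a well-understood hardened form in plain C. The following is an added example, not code from the thread or from Apple: each vulnerable pattern is shown in a comment beside a bounded version that rejects bad input rather than writing past a buffer, interpreting untrusted text as a format, or wrapping a size computation. NAME_MAX_LEN, the function names and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX_LEN 16   /* constructed size for the example's fixed buffer */

/* 1. Buffer overflow.
 *    Vulnerable form (not compiled here):   char name[16]; strcpy(name, src);
 *    strcpy trusts the source's length. The hardened copy looks for the
 *    terminator within the destination's bound and refuses anything that
 *    would not fit, instead of silently writing past the end.
 *    Returns 0 on success, -1 if the input was rejected. */
int copy_name(char *dst, size_t dst_size, const char *src) {
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) return -1;            /* no terminator within dst_size: too long */
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Wrapper with a local fixed-size buffer so callers can probe the boundary. */
int try_copy_name(const char *src) {
    char name[NAME_MAX_LEN];
    return copy_name(name, sizeof name, src);
}

/* 2. Format string.
 *    Vulnerable form:   printf(user);   -- user-supplied text becomes the format,
 *    so directives inside it are interpreted instead of printed. Hardened: the
 *    format is a constant and the untrusted text is only ever an argument.
 *    Returns 1 when the rendered text reproduces the input byte for byte
 *    (directives treated as data) and nothing was truncated, 0 otherwise. */
int renders_literally(const char *user) {
    char out[64];
    int needed = snprintf(out, sizeof out, "%s", user);
    if (needed < 0 || (size_t)needed >= sizeof out) return 0;   /* error or truncated */
    return strcmp(out, user) == 0;
}

/* 3. Integer overflow.
 *    Vulnerable form:   malloc(count * elem_size);   -- the product wraps for
 *    large counts and a small block is handed back for a large logical size.
 *    Hardened: test for wrap-around before multiplying. */
int would_overflow_mul(size_t a, size_t b) {
    return b != 0 && a > SIZE_MAX / b;
}

void *alloc_table(size_t count, size_t elem_size) {
    if (would_overflow_mul(count, elem_size)) return NULL;
    return malloc(count * elem_size);
}

int main(void) {
    printf("copy \"alice\": %d, copy 16-char name: %d\n",
           try_copy_name("alice"), try_copy_name("0123456789abcdef"));
    printf("\"%%x %%x %%n\" rendered literally: %d\n", renders_literally("%x %x %n"));
    void *t = alloc_table(SIZE_MAX, 4);
    printf("alloc_table(SIZE_MAX, 4): %s\n", t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```

      Each hardened function returns a status instead of silently truncating or proceeding, so a caller has to decide what to do with oversized input; that decision point is what the unsafe forms lack.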
    24. Re:Some thoughts and considerations by epee1221 · · Score: 1

      I'm not sure how low that "minimum level of complexity" is.


      Bug report #195442

      Line 6 of hello.c:
      printf("Hello world!\n");
      This should contain a comma between the first and second words.
      Suggested fix:
      printf("Hello, world!");
      Thank you for reporting this bug. Your suggested change has been implemented.


      Bug report #195450

      Line 6 of hello.c:
      printf("Hello, world!");
      Printed string does not end with a newline or whitespace, making the output difficult to process. Suggested fix: Append printf("\n"); after line 6.
      Thank you for reporting this bug. Your suggested change has been implemented.

      And you can imagine the fun that ensues about documenting these changes.

      --
      "The use-mention distinction" is not "enforced here."
    25. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      Because none has been written? How many people have bothered to write something for an OS with ~ 4% of the market share when there is a whole 96% out there waiting to be owned, apparently no one.

      This is an unsupported assertion. Logically, just because there are no propagating worms does not imply that no one has tried and failed to create one.

      There has been one attempt at a rudimentary Trojan recently, but OS X goes largely unexploited, and for good reasons - too much work with little gain.

      If it is "too much work" then you've strongly implied that OS X is fundamentally more secure than Windows, since it is basically no work to make a Windows worm. As for the gain, some worms are still written for reasons of prestige, which the first real OS X worm would create a lot of. For financial gain, some recent worms have begun data mining and Macs have lots of valuable financial data, especially as compared to the average Windows box, many of which are pirated installs running in China or something. Finally, worm authors generally try to spread as much as possible and to new platforms. Adding another exploit to the 6 your worm uses on Windows, will hit those same vulnerable Windows boxes for little return compared to adding one that hits OS X. There have been Linux/Windows cross-platform bugs... why not OS X?

      It doesn't help that OS X actually uses a real programming language for the OS - this for the most part helps to keep the script kiddies out.

      This is one way some of OS X is more secure, fundamentally, than Windows.

      Here is the thing - when and if, OS X gains a reasonable amount of market share, you can be sure that it, and its users will become a target.

      OS X users are a target for worms now, just not an easy one. More people will try to exploit it as it gains market share, but not just for the reason you imply. One of the reasons OS X is not targeted as much is because malware authors have a fairly limited skill set, much of which is very Windows centric. As more malware authors become mac users, more will also target the mac, in addition to the increased number of potential victims and easier propagation.

      What I think many people do not realize is that Microsoft is now trying to deal with protecting users from themselves.

      This is a very counter-productive attitude for a security person. Blame is irrelevant to good security, only results matter. You can say that an infection is wholly the user's fault for running an untrusted binary. You can just as logically say the OS failed because it did not provide a good mechanism that let a user safely run an untrusted binary. Since running untrusted binaries is a huge part of what users want/need to do, I think it is unreasonable to blame them for doing this, rather I blame the OS for being designed to accommodate the wrong tasks. I'm not sold on Windows' solution to this and I think it has some serious design flaws at present, but in general I think this needs to be addressed.

      Most of the malware is now propagated by users themselves.

      My personal data and all the presentations at security conferences I saw this year fail to support this assertion. Most malware spreads via user interaction, if you're just counting malware variants. If, however, you're looking at infections, most are the result of malware that requires no action from the user. These worms spread faster and more widely than malware that relies upon user interaction.

      For example the find a "helpful" toolbar that says: "Download this great new toolbar!" the user clicks OK and they are owned. There is NOTHING to prevent this from happening on OS X, except for the fact that no one has bothered, yet.

      There are several things on OS X that mitigate this. First, all the holes that let a download auto execute an arbitrary binary have been quickly plugged. Second, when a user runs a binary for the first time, they are made aware that it is a program and warned and given t

    26. Re:Some thoughts and considerations by Pootie+Tang · · Score: 1

      This may have been modded down as a troll, but I think there is validity.

      The parent poster says "Every reasonable person [...] already knows [...] that every OS has bugs". But being reasonable isn't sufficient, you need to both be reasonable and informed. And many people aren't informed enough to know this. Apple's marketing department isn't helping. They have a commercial that, while only a metaphor, implies you don't need to worry about security if you have a mac. That kind of thing makes some people think that OS X/macs are immune to security problems.

      "the security architecture of the OS, Mac OS X is a far more secure" is more of the same. It's anti-FUD or whatever you want to call it. I wish someone would explain this wonderful security architecture to me that makes OS X "far more secure". I think it's an overstatement.

      I agree that Apple has a good track record both in default configuration as well as in getting bugs fixed. I think this "Month of Apple Bugs" is stupid. However this anti-FUD still pisses me off. The security practices (or lack thereof) of the USERS of machines have as much influence as, or more than, the underlying OS. It's hard enough getting people to follow safe computing as it is, the anti-FUD is a step in the wrong direction.

    27. Re:Some thoughts and considerations by TheRaven64 · · Score: 1
      I thought so too, which is why I had someone else look it over. We spent three hours digging through my code, to no avail. We instrumented it, and found the compare method was returning the correct results. We also found that sorting using a function that did nothing other than call the method worked. Can you think of any possible reason why:
      1. The code would work on PowerPC.
      2. The code would work if called via a function on Intel.
      3. The code would not work if called directly on Intel.
      We couldn't.
      --
      I am TheRaven on Soylent News
    28. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 2, Interesting

      I'm just making the point that 95% of the people out there just don't know enough to prevent getting pwnd.

      I'd argue that systems don't let people easily run untrusted software safely and give them enough information and granularity of control to allow the average user to avoid being compromised. Apple announced some new frameworks in 10.5, and then pulled the references to them from their public facing Web pages. Those frameworks were a Mandatory Access Control framework for applications and an application signing framework for determining trust of applications. Combining these two, you have most of what is needed to build a system that is reasonably secure, by default, for the average user who wants to run random software.

      First, asking users for a password should be a very rare thing and always accompanied by specific comments on what the software wants and granular options as to what it is allowed to do. Suppose some user downloads Firefox. It is easy for this program to be signed and check-summed as coming from an official source. Better yet, there is no reason it cannot be verified as from a reputable group from a free certification agency or from Apple themselves. This speaks to the trust level as determined by the second framework I mentioned. On the other hand, some malware might be signed as from a specific Website, but any such software somehow signed as from a specific reputable company would be discovered and the cert revoked very quickly. This places it one or two notches down the trust ladder.

      When each of these programs is run, different restrictions are put in place. A signed and certified app like Firefox is given an ACL specified by the app itself, and customizable by the end user. It can open only files it creates without asking and can access the internet and a few services. Or, it is only certified as from a given Website. In which case it can still only access files it creates (limited in total disk used), and it cannot access the internet. When run, the user is informed that it wants access to the internet on ports normally reserved for Webpages and the user is given the choice of letting it access the internet or not or customizing that access. When the malware is run, it too is restricted to accessing only files it created and cannot access the internet. If it wants to send spam the user is given a choice. If it wants to access an address book, the user is given a choice. If it wants to patch the kernel and install a rootkit the user is given a very strongly worded choice along the lines of "The program 'toolbarwhiz' would like complete access to control your computer completely for all time. This behavior is typical of malicious software. (Stop it from completely controlling my computer for all time)(Let it have complete control of my computer forever)(advanced options)."

      Such a warning is sufficient to deter most credible software vendors from selling unsigned software that asks for unreasonable permissions. An official software registration/activation service removes another big portion of the motivation for this. Such a system is not trivial to build, but it is within the bounds of what we can currently create. It would stop the vast majority of both worms and trojans and make creating new ones a difficult social engineering challenge. Until we get to a level of security functionality such as I just described, I don't think user education for the masses will work. They need the tools and control first, before a reasonable amount of education will be effective.

    29. Re:Some thoughts and considerations by Anonymous Coward · · Score: 0

      What are the bug numbers?

    30. Re:Some thoughts and considerations by kwerle · · Score: 3, Insightful

      Can you think of any possible reason why...

      You have a memory smasher on Intel that either behaves differently or correctly on PPC.

      That's the one that jumps first to mind...

    31. Re:Some thoughts and considerations by nathanh · · Score: 1
      Mac OS X is a far more secure general purpose desktop operating system for most users than any viable alternative.

      With all those caveats what you're really saying is that OS X is more secure than Windows. Because Windows is the only viable alternative for most users as a general purpose desktop OS.

      Well duh. More secure than Windows; that's not exactly an achievement.

      The problem is that OS X and Windows are both at the bottom of the pile for security. OS X is marginally better than Windows but they're both woefully inadequate. For a litany of faults look no further than the preferred language (Obj-C), the hardware platform (no NX), the OS design itself (UNIX without caps or privs), etc. Linux is hardly the model of security either but even Fedora/Debian/SuSe leaves OS X in the dust. The only problem is that thanks to your caveats we can't compare OS X to Linux because Linux isn't a viable alternative for most users.

      Make no bones about it: OS X is not secure. It is better than Windows. That's very mild praise indeed.

    32. Re:Some thoughts and considerations by jschoenberg · · Score: 1

      So, substitute Microsoft for Apple in the same list, and ask yourself, do you feel the same way? Obviously the large majority of security researchers and hackers don't, so do you think the public is unfair to Microsoft about vulnerabilities?

    33. Re:Some thoughts and considerations by Zebra_X · · Score: 1

      You just don't get it do you? It's not about the technology anymore.

      All the security in the world isn't going to stop john q jane from authenticating itself and allowing a malicious program to run as root if it doesn't know any better. The only thing that will stop it from taking that action is it fully comprehending the chain of events that led to the request, and the subsequent outcome of approving it. I think many individuals just don't care, or don't understand the implication of such actions.

      I will address some of your concerns:

      "Unsupported assertion" - it's not unsupported, no one has successfully written a wide spread attack on OS X. There are holes in OS X, which is the point of the January 'sploit fest, as there are holes in almost every operating system.

      "If it is "too much work" then you've strongly implied that OS X is fundamentally more secure than Windows"
      Actually what I said was "too much work with little gain". The return on the investment just isn't there. Look what PCs are being used for - botnets. There is real tangible value in open relays and DOS Nets, people will pay for the service, thus having a large collection of broadband connected computers to do as you wish has high value. When there is already an existing, ample supply of easily exploitable users and systems, why bother finding another source? BTW, we already know that Windows can be more easily exploited than other operating systems.

      "since it is basically no work to make a Windows worm."
      Uh huh, so you have experience here? Seriously though - don't trivialize the complexity involved in deploying a large scale exploit and profiting from it.

      "As for the gain, some worms are still written for reasons of prestige, which the first real OS X worm would create a lot of."
      Yeah, it would also land you in jail. And the OS X community as a whole seems to love their computers, I don't think anyone would really receive too many kudos.

      "For financial gain, some recent worms have begun data mining and Macs have lots of valuable financial data, especially as compared to the average Windows box, many of which are pirated installs running in China or something."

      This might be one of those unsupported assertions you've been talking about? What organizations use Macs to store their financial information? Moreover, which organizations have been subject to these data mining worms (that have yet to be written)? And what data mining worms? I thought there weren't any? Having a background in IT in finance organizations I can tell you they most certainly don't run Macs. What type of "valuable" data? Sources?

      "This is a very counter-productive attitude for a security person. Blame is irrelevant to good security, only results matter."

      When you do all that you can to prevent a user from taking a harmful action as simple as running a program - and they continue to do it, what do you do? If users continue to grant programs admin access because they ask for trusted resources, what do you do then? Unlike OS X, that's where Microsoft is with their users. People keep running programs that they shouldn't. The answer, enforcing code signing and creating a chain of trust between publisher and user, is the only way. The problem is that to sign the code, you need to be a trusted party - and you must pay an external organization for that validation otherwise, the trust means nothing. Though, enforcing code signing simply is not an option and fundamentally disallows users from extending their computers further.
      There really is no answer to this problem when the end user is also tasked with the responsibility of administering his/her own system and is not qualified to do so.

      "My personal data and all the presentations at security conferences I saw this year fail to support this assertion. Most malware spreads via user interaction."

      Actually, that is basically what I said. Users cause malware to succeed; there are very few no click exploits for windows anymore. They usually re

    34. Re:Some thoughts and considerations by squiggleslash · · Score: 1

      Every reasonable person on the planet already knows, and has known, that every OS has bugs, vulnerabilities, and security issues, and Mac OS X is no exception.

      I would disagree with that. If you'd said "The vast majority of technically knowledgeable people" instead of "Every reasonable person on the planet", then yes, it would have some truth to it. But as it is, no. Ask the average "reasonable" person, and the answer is a "don't know" because it's not that person's field of expertise, and in a surprising number of cases, there are people adamant that the Mac doesn't have vulnerabilities and security issues. (And saying that they're, by definition, "unreasonable", isn't helping.)

      At the same time though, I'd also raise the question of whether anything you just said is really that relevant. You appear to be willing to allow the false sense of security to continue to permeate through the computer community with such statements as:

      Mac OS X is a far more secure general purpose desktop operating system for most users than any viable alternative. There is almost zero malware of any kind "in the wild", no malware with vectors for mass propagation, and little with ANY kind of propagation capability whatsoever. And contrary to popular opinion among some, Apple does indeed respond to, and fix, security vulnerabilities, including crediting the discoverer(s) when said person or entity provides Apple with enough information to verify the issue. It has continuously and consistently improved on this front, mostly as a result of working with people in the enterprise and academic communities (e.g., Apple University Executive Forum and MacEnterprise.org). There is always room for improvement, but we have seen Apple make marked progress in disclosing, accurately describing, and fixing vulnerabilities in Mac OS X. As with most commercial vendors, Apple does not comment on security issues before they are fixed. So don't expect Apple to make public statements and explanations of any kind until after a particular vulnerability is addressed.

      Realistically, this leaves the reader with the impression that Macs are more secure, they'll always be so, and that there's really nothing to worry about (because this guy is pulling a "stunt", right?)

      Mac OS X is another variant of Unix. It's not a particularly bug-free version, though it is quite stable. It is not without obvious security holes, notably the fact that the vast majority of Mac users are used to dialogs popping up unprompted asking them for an "Administrator" username and password, a username and password that makes a scripted root access merely a "sudo" away. It has survived, thus far, by laying low, in the sense that the market share makes network effects, critical to the success of any worm or virus, close to non-existent. It has, I guess, also survived by Apple being smart and turning off remote-access services by default, though I'd hazard a guess that most malware suffered by Windows users involves outgoing connections rather than portscans and server daemon buffer-overflow exploits. The combination of the two measures, though, makes it, thus far, free from attack.

      But that's a poor argument for people to use who use the "security" angle to sell Mac OS X to newcomers. It's also a poor argument for people to rely upon if they want to be sure that their machines are kept intrusion free. I think there's every reason to worry about Mac users being lulled into a false sense of security, especially if Apple is planning to popularize their platform as they appear to be attempting to do at the moment. If Apple has a 20% or 30% marketshare, how improbable is it that the bugs will start to be exploited?

      We then get to this issue:

      What should be "interesting" to see isn't whether or not Apple "does anything" to "scuttle" the project; it will be whether Apple has previously had any chance to respond to any of the issues that will be disclosed. If not, this l

      --
      You are not alone. This is not normal. None of this is normal.
    35. Re:Some thoughts and considerations by Trillan · · Score: 4, Interesting

      The three points I addressed were pre-release, radar, and repro steps.

      Now I consider bugs from private betas covered by NDAs to be forbidden fruit, and that's true of Microsoft as well. However, public betas are fair game. So it depends on the nature of the release, both for Microsoft and Apple.

      Although it's possible there's another system somewhere, the only system I'm aware of for reporting bugs to Microsoft requires me to pay them. They may, at their discretion, return the money. I'm not risking my money to help Microsoft, so I don't expect anyone else to. And since Microsoft doesn't have a public and free bug reporting system, the repro steps would have to be public only at first. I don't like public only. Ideally, vendors should be notified first; simultaneously is the minimum. But by plugging their ears and requiring a credit card number, they're digging their own grave here.

      I should say, by the way, that I don't especially like bugs being publicly disclosed quickly. It wouldn't be the way I'd handle it. But I don't think people who do it should be tarred and feathered. Maybe that wasn't clear.

    36. Re:Some thoughts and considerations by Khabok · · Score: 1

      It should be good for Apple regardless, in that major holes are id'd and can be fixed, or their security reputation is improved.

      Just in time to incorporate new procedures into Leopard to boot.

      Consumers: We're hearing about bugs in Mac now! wtf can we get viruses?!?!?!
      Apple: Very probably not, but if you upgrade to Leopard we can guarantee no viruses!

      Done and done.

    37. Re:Some thoughts and considerations by CDPatten · · Score: 1

      "Every reasonable person on the planet already knows, and has known, that every OS has bugs, vulnerabilities, and security issues, and Mac OS X is no exception. "

      That is pretty ballsy to call the majority of slashdotters unreasonable.

    38. Re:Some thoughts and considerations by Anonymous Coward · · Score: 0

      I, for one, have grown quite tired of Apple and the MacFanBoi's claims that OS X is perfectly secure. It's even prevalent on the securityfocus list dedicated to Apple products, where every security concern, malware or exploit is somehow poo-poo'd into not existing. (Reference: Apple dmg and safe files problems; reference: wireless driver exploits; ad nauseam.)

      Also reference, for the second year running, OS X itself has made it to the SANS top20 vulnerabilities. http://www.sans.org/top20/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa and http://www.sans.org/top20/2005/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa

      I'm really hoping that the month of Apple bugs shuts up Apple, shuts up the MacFanBoi, and actually gets someone paying attention to the damn things -- at least as far as to kick them and their users out of the corporate environment.

    39. Re:Some thoughts and considerations by Goaway · · Score: 1

      Second, when a user runs a binary for the first time, they are made aware that it is a program and warned and given the option to abort. This makes it harder for a trojan to hide as data.

      Incorrect. Only when you click a non-executable file that will open in a previously unused program are you warned. Clicking an executable directly gives no warning.

      Also, as the ".app" extension is hidden by default, it is trivial to create an app named along the lines of "HotChick,jpg.app" with a Preview JPEG icon that will look nearly exactly like a safe JPEG file.

      Third, by default OS X users don't have as many privileges as Windows users and there are additional hoops for malware to jump through for some activities, although not all.

      The default first user created on a Mac is an administrator. Most people will use this account. It has write access to all applications in /Applications/. Furthermore, it is trivial for malicious software running on an admin account to infect Installer.app and steal root access the next time the user types in his password when installing an app.

      Fourth, the concentration of security researchers running IDS software of some sort, or closely looking at suspicious binaries is higher on OS X than Windows, thus increasing the chances and speed of new malware being discovered.

      That's a pretty vague and unsupported claim. And what does this "concentration" even signify?
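
      A defender-side check for the hidden-extension disguise this comment describes: an added example, not code from the post or from Apple. It flags launchable items whose Finder-visible name (the real extension hidden) ends in a data-file extension; the extension lists, the separator handling and the sample names are constructed for this example.

```python
import os
import re

# Extensions Finder hides by default or that mark a launchable item
# (constructed, non-exhaustive list for this example).
LAUNCHABLE_EXTS = {"app", "pkg", "mpkg", "command", "workflow"}
# Extensions a user expects to open as harmless data (constructed list).
DATA_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "doc", "mov", "mp3"}

# A disguise may fake the "second" extension with ".", or with "," or a
# space so it survives naive dot-based checks, e.g. "HotChick,jpg.app".
_SPLIT = re.compile(r"[.,\s]+")

# Constructed sample listing: two disguised items among ordinary files.
SAMPLE_NAMES = [
    "HotChick,jpg.app",
    "vacation.jpg",
    "report.pdf.app",
    "Firefox.app",
    "notes.txt",
    "installer.pkg",
]


def disguised_as(name):
    """Return (displayed_name, data_ext) when a launchable item masquerades
    as a data file, or None when it does not.

    displayed_name is what Finder shows once the real extension is hidden.
    """
    base, dot, ext = name.rpartition(".")
    if not dot or ext.lower() not in LAUNCHABLE_EXTS:
        return None  # ordinary data file, or no extension at all
    displayed = base.strip()  # real extension hidden, as Finder shows it
    tokens = _SPLIT.split(displayed)
    if len(tokens) < 2:
        return None  # plain "Firefox" has no fake extension to check
    fake_ext = tokens[-1].lower()
    if fake_ext in DATA_EXTS:
        return displayed, fake_ext
    return None


def scan_names(names):
    """Run disguised_as over a list of names; return (raw, shown, ext) hits."""
    hits = []
    for raw in names:
        result = disguised_as(raw)
        if result is not None:
            hits.append((raw, result[0], result[1]))
    return hits


def scan_dir(path):
    """Same check over a real directory listing (non-recursive); app
    bundles are directories, so os.listdir sees them by name."""
    return scan_names(os.listdir(path))


if __name__ == "__main__":
    for raw, shown, ext in scan_names(SAMPLE_NAMES):
        print(f"{raw!r}: displayed as {shown!r}, looks like a .{ext} file")
```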

    40. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 1

      All the security in the world isn't going to stop john q jane from authenticating itself and allowing a malicious program to run as root if it doesn't know any better.

      Umm, what? who is john q jane and why are they an "it" and if they are an "it" how can they know anything? Please rephrase this in understandable English.

      I think many individuals just don't care, or don't understand the implication of such actions.

      Of course they don't. They're trying to accomplish a series of tasks and making the reasonable assumption that the computer in front of them is designed sanely to perform those tasks. It's not sane for someone to click on some icon they downloaded called "nekkidpics.jpg" and have it install a program that starts sending thousands of e-mail messages without telling them. The average user reasonably assumes no system would be designed that way and is thus infected with malware.

      It's not unsupported, no one has successfully written a wide spread attack on OS X. There are holes in OS X, which is the point of the January 'sploit fest, as there are holes in almost every operating system.

      I've just disproved your theory. I tried to write an OS X worm just now and it did not work because metasploit didn't have any unpatched OS X vulnerabilities in it. Thus, people have tried and failed to write worms because it is too hard. Just because holes exist does not mean they are easy or convenient to exploit.

      The return on the investment just isn't there.

      I already addressed the point of motivation.

      Uh huh, so you have experience here? Seriously though - don't trivialize the complexity involved in deploying a large scale exploit and profiting from it.

      You obviously have not seen the tools now available. There are point and click GUIs even.

      Yeah, it would also land you in jail.

      Threat of punishment is not a very good motivator in these cases. The risks are too low and most criminals do not believe they will be caught, regardless of the real risks.

      This might be one of those unsupported assertions you've been talking about? What organizations use Macs to store their financial information?

      Please, the password I use to access my credit card account is stored on my Mac. The passwords for dozens of online stores are likewise stored there. It need not be some company's financial info.

      Moreover, which organizations have been subject to these data mining worms (that have yet to be written)? And what data mining worms? I thought there weren't any?

      You thought there weren't any worms? There are several worms that now mine for data including online account info and credit card data. None have yet been discovered attacking Macs, but the motivation to mine this data is pretty clear. Heck, I saw report of one the other day that snags WoW account info.

      When you do all that you can to prevent a user from taking a harmful action as simple as running a program - and they continue to do it, what do you do?

      You understand that users want to run programs and provide them a safe way to do so.

      If users continue to grant programs admin access because they ask for trusted resources, what do you do then?

      MS has all the leverage here. They can stick old programs in a VM if they want and design a system that makes it clear that any software that wants unreasonable privileges is an unacceptable risk by labeling it in giant bright red flashing letters as a potential worm.

      The answer, enforcing code signing and creating of a chain of trust between publisher and user is the only way.

      I'm all in favor of code signing, if it is handled carefully so as not to violate antitrust law. That is to say, multiple pay and free signing agencies with trust levels the user can set and defaults that avoid favoritism.

      The problem is that to sign the code, you need to be a trusted party - and you must pay an external organ

    41. Re:Some thoughts and considerations by Anonymous Coward · · Score: 2, Informative

      Yes, I use these methods all of the time on OS X and it works just fine. Google for endian-ordering and test your code some more.

    42. Re:Some thoughts and considerations by Anonymous Coward · · Score: 0

      Wow, nice to see we're all acting like small children here. I think you also missed the point of his argument. As he explains half way through the post, there are many simple to moderately complex software solutions with no bugs. By bugs of course is implied issues that will actually impair the use of the software, not mistakes in the interface messages as another poster seems to have picked up on.

    43. Re:Some thoughts and considerations by daveschroeder · · Score: 1

      Nice troll. Even got me to respond. ;-)

      I, for one, have grown quite tired of Apple and the the MacFanBoi's claims that OS X is perfectly secure.

      1. Apple does not, and never has, claimed Mac OS X is "perfectly secure" or anything near "perfectly secure".

      2. No reasonable person makes that claim. If some jackass wants to say that Mac OS X is invulnerable, they're exactly that. A jackass.

      Its even prevalent on the securityfocus list dedicated to Apple products, where every security concern, malware or exploit is somehow poo-poo'd into not existing. (Reference: Apple dmg and safe files problems; reference: wireless driver exploits; ad nauseum.)

      What's prevalent? If you're talking about the focus-apple list, we've already collectively decided that Safari's "safe files" feature should be disabled by default at a minimum, and preferably discontinued altogether. As to the wireless driver exploit, which is fixed, neither Johnny Cache, David Maynor, nor SecureWorks has, to this day, provided Apple with ANY useful or verifiable information that the vulnerability even existed. Remember, they were presenting themselves as professional security researchers with a "responsible disclosure policy", even hiding the brand of the 3rd party wireless card they used, to this day (we have since discovered it was the Raytheon RayLink chipset). Krebs totally sensationalized it, as is typical for him. Further, this vulnerability was a general 802.11 vulnerability, which affected far more chipsets than the ones Apple uses, and far more operating systems, including Windows and Linux. But Apple got ALL the bad press, alone, for a vulnerability that is actually quite difficult to exploit in practice and, even then, requires that the attacker be within 802.11 range.

      Care to explain to me how that's fair?

      So you're a troll *and* a liar.

      Also reference, for the second year running, OS X itself has made it to the SANS top20 vulnerabilities. http://www.sans.org/top20/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa and http://www.sans.org/top20/2005/?portal=ddc5dd3511b787e1a2d58aeb8338dfaa

      "Second year running." *Chuckle*.

      Anyway, yeah, please do take a look at those lists. Since Mac OS X is by far the most used desktop operating system other than Windows, is it any surprise it would show up on the SANS list? Behind everything Windows-related, of course.

      I'm really hoping that the month of Apple bugs shuts up Apple,

      Well, since Apple doesn't claim that Mac OS X is anything you've claimed they do, and in fact doesn't even comment on security issues before they are patched, it probably won't be too hard to "shut up" Apple, since they'll be almost completely silent on this issue.

      shuts up the MacFanBoi,

      Unlikely.

      and actually gets someone paying attention to the damn things

      Macs can already be managed quite well in a corporate/enterprise setting with an IT staff anywhere remotely worth their salt.

      -- at least as far as to kick them and their users out of the corporate environment.

      It really irks you that people use Macs, doesn't it? And that the share is growing, especially in academic, research, and enterprise environments? Well, sorry bud, but that's going to continue, and for good reason: it's a manifestly more secure operating system, not just for reasons of marketshare, and people are sick of Windows and all of its problems.

      And for non-managed systems, there is no question that Mac OS X is the better choice for the typical general purpose desktop user. Look how quickly a typical user gets a Windows system packed with spyware and how much malware, including self-propagating malware, and all manner of vulnerabilities, including ones exploitable from remote in Windows' stock configuration, that keep getting discover

    44. Re:Some thoughts and considerations by mrchaotica · · Score: 1
      No software product, no matter how well intentioned the developers, will ever be completely absent of bugs come release-time.

      Except TeX ; )

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    45. Re:Some thoughts and considerations by boone · · Score: 1

      If, in five years, Apple has proven to be as unreliable as MS, you can bet people will be complaining just as loudly about them.

      Uhm, are we in the same universe? There is nothing that Apple could do short of becoming MS that would make Apple users complain. It used to be that MS was this horrible evil entity because of the monopoly they hold and abuse. But then Steve Jobs did a group hug with the *AA's of the world and came away with the STD affectionately called DRM, and leveraged it to an online music monopoly. Apparently he was just doing us all a favor and saving us from that evil called "choice". MS is evil for abusing a monopoly, but Apple is good for creating and abusing one as well? If you are expecting logic from the Apple cultists you are not sane.

    46. Re:Some thoughts and considerations by boone · · Score: 1

      He was actually pointing out that the point of your argument was dull. His point was a bit sharper.

    47. Re:Some thoughts and considerations by Durandal64 · · Score: 1

      Marketshare numbers take into account when offices buy PCs from Dell in lots of 50, 100, 150, etc ... That's a severe slant in the numbers that makes it seem like ordinary consumers only choose to buy a Mac 4% of the time. This really isn't true. I don't know what the actual number is for personal computer purchases, but it's almost certainly higher. With regards to the platform being worthwhile for malware authors, that's very significant. Corporate PCs are more likely to be hardened and secured against attack than your out-of-the-box Windows PC. So Macs are probably plenty worthwhile for malware authors. But the big vector for propagation, Internet Explorer 6, is not available for OS X.

    48. Re:Some thoughts and considerations by Divebus · · Score: 1

      I'm not in favor of ANYONE going on a FAULT FINDING MISSION against a manufacturer, especially one who has shown more due diligence than most. No need for them to do the same exercise with Vista - a month on the Internet will take care of that. Relatively, both OS X and Linux have proven themselves in general security rather handsomely.

      But really... what if January was a month of testing Kevin and LMH's kneecaps with iron pipes without letting them talk it over first? How would they feel? That's essentially what they wish to do with OS X and I'm sure they've already got some things lined up. That makes it a premeditated ambush.

      If they were being helpful, then be helpful. Discuss it with Apple first. If their goal is to cause damage, then a fie upon their kneecaps. Any reasonable soul with an ounce of integrity wouldn't even do this to Microsoft.

      Hopefully, Apple will welcome the testing with patches for all three vulnerabilities which will make them even stronger.

      --

      Most of the stuff on /. won't survive first contact with facts.
    49. Re:Some thoughts and considerations by Divebus · · Score: 1

      "...OS X goes largely unexploited, and for good reasons - too much work with little gain."

      Windows is the only OS I know of that will get an exploit if you leave it alone long enough. Only the "air gap firewall" can help it.

      Security comparisons between OS X and Windows have less to do with smarter users (trust me on that one) and more to do with the origin of the OS. Windows is a shell on top of DOS which was not a network aware OS (why am I telling you this?). Everything built on top of 'WinDOS' in the Redmond vacuum chamber didn't even consider the dangers of an unauthenticated scripting host with free access to anything and everything on the machine. That's a primary issue with Windows. Outlook just has to check for new email to obey the embedded commands. The Internet was a very rude awakening for Microsoft.

      With only 30% (or so) of the servers on the Internet being Windows http://news.netcraft.com/archives/web_server_survey.html, why are they the clear majority of compromised servers? http://attrition.org/errata/statistics/stats-26.html. I've seen numbers in the 95% range and I'm still seeing Code Red and Nimda attacks on my logs. That dims the safety through obscurity excuse.

      The real motherlode is all the Windows machines connected straight to DSL and cable modems. That's the electronic equivalent of standing on a street corner in Key West bent over with your shorts down to your ankles. It's also the source of almost 100% of the spam we get.

      Mac OS X was built upon a flavor of Unix (there - I said it) which was network aware from the start with 100,000 sets of eyeballs on the code.

      That said, I heartily agree that "click here to see the dancing monkeys" exploits are the fault of naive users.

      --

      Most of the stuff on /. won't survive first contact with facts.
    50. Re:Some thoughts and considerations by Goaway · · Score: 1

      Of course they don't. They're trying to accomplish a series of tasks and making the reasonable assumption that the computer in front of them is designed sanely to perform those tasks. It's not sane for someone to click on some icon they downloaded called "nekkidpics.jpg" and have it install a program that starts sending thousands of e-mail messages without telling them. The average user reasonably assumes no system would be designed that way and is thus infected with malware.

      Where were you going with this argument? It applies equally to Windows and Mac OS X.

    51. Re:Some thoughts and considerations by Anonymous Coward · · Score: 0

      Extraordinary claims necessitate extraordinary proofs.

      sortUsingSelector: is a bit tricky, so you may want to check that:

      1/ Do you have different classes in your array? Are the compare methods "compatible" (i.e. [a compare:b] and [b compare:a] give opposite results)?

      2/ Is your ordering correct ? Are you sure that if ab and bc, there is no way that ac ?

      3/ Is your ordering stable? Is there any way that the ordering changes during the sort by side effect?

      Even better, post code to reproduce.

    52. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 1

      Where were you going with this argument? It applies equally to Windows and Mac OS X.

      It demonstrates the folly of blaming users for security problems when they have not been given reasonable tools to accomplish normal tasks. I'd like to see both Apple and Microsoft work towards solving this, and both have implemented some measures, which are still very weak. The difference is, on Windows this is a real problem and machines are exploited in large numbers every day. This has been the case for many years. On OS X, it has not yet become a real problem and is only a potential problem.

    53. Re:Some thoughts and considerations by Goaway · · Score: 1

      Oh, no argument there. Except I am not sure that Apple has actually implemented any measure at all against it. The OS is wide open to malicious software run by the user.

    54. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 1

      Oh, no argument there. Except I am not sure that Apple has actually implemented any measure at all against it. The OS is wide open to malicious software run by the user.

      Well, Apple has some protection in the form of default user privileges, warnings for application downloads, and the like. It is certainly not strong. They also have a number of potential solutions including filesystem level ACLs, and not yet released frameworks for application signing and mandatory access controls. Hopefully, they will bring these to market in a usable way before it ever does become a major problem.

    55. Re:Some thoughts and considerations by ripragged · · Score: 1

      This has got to be the most ass-backward situation imaginable. I purchased a computer with an operating system that is more reliable, and has less malware written for it. I am willing to state that publicly. I encourage others to buy computers with operating systems more reliable, that have less malware written for them. For this I am labeled by the pejorative, "fanboy," and am regarded as stupid by security researchers. In 20 years as a Macintosh user - all of them online, and downloading like a fiend, by the way - I've never had a single virus or malware attack. Not one. Boy am I stupid. I don't think the Mac is bulletproof. There is no such thing, but I'm really not worried about security, either. My theory is that you have to be pretty smart to crack a Mac. Malicious code-writing is mostly the work of stupid people. That cuts the odds that malicious code will appear in the wild. Add the fact that criminals don't like to work hard. The smart criminal will write malicious code where it is easiest. Most malicious code is derivative - tweaked here and there to go around patches that thwarted the last iteration. It's mostly effective only against Windows and Microsoft applications because that's where most of it started. Again, criminals are too lazy and for the most part too stupid to write original code. Statistically, the Mac is even more secure. Add the fact that real security experts are constantly trying to find vulnerabilities in OS X, and publishing their findings. They are looking for exploits that could be - hacks that haven't happened yet. In the Windows world, the bad guys have the lead. Mac is even more secure. So, to me, the Month of Apple Bugs is largely a joke. A month of burnt matches would be more interesting. "Look! It doesn't work the second time."

      --
      In theory there is no difference between theory and practice. In practice there is.
    56. Re:Some thoughts and considerations by Anonymous Coward · · Score: 0

      Oh gee. Here comes Dave again. The twit that almost got fired for putting that server online. Migod what a bleating maniac.

    57. Re:Some thoughts and considerations by Anonymous Coward · · Score: 0

      Translation: you can't afford a Mac.

      Do have fun playing with your big brother's old eMachine, though. Maybe he'll let you have his Packard Bell when he goes off to college.

  2. Impossible by daemonenwind · · Score: 1, Funny

    This can't possibly be true.

    OS X is inherently secure. There is no possible way 31 separate security holes could exist; Darth Jobs saw to it personally.

    1. Re:Impossible by Anonymous Coward · · Score: 0

      You are correct, only 33 holes exist, all of them created by the Chewbacca conspiracy. Fear my logical conclusions. UUUUUHHHHHGGGG

    2. Re:Impossible by Wizard+Drongo · · Score: 1

      You're forgetting; this is Slashdot.

      It's Emperor Gates, Darth Ballmer, but Master Jobs, and Master Linus too, for that matter. Although I'm seeing Linus as a yoda-like guy and Jobs as definitely more of a Samuel-L kinda guy...

      "I'm fuckin' tired of these motherfucking bugs in my motherfucking kernel!!"

      --
      The truth shall always be free: Boris Floricic is Tron.
    3. Re:Impossible by daemonenwind · · Score: 1

      Yes, I fully realize I'm spending karma to make this joke.

      I guess it just proves that Mac fanbois have no sense of humor.

      (FWIW, I always saw Jobs as Palpatine in SW:TPM. Benevolent on the face, manipulative and nasty in the background. His use of Woz and little percolations on Jobs's ego makes me see this)

    4. Re:Impossible by Trillan · · Score: 1

      No, it just proves you find humor in trolling. Randomly adding Darth to someone's last name simply isn't funny.

      Darth Torvalds
      Darth Bush
      Darth Jobs
      Darth Stallman
      Darth Blair
      Darth Bin Laden

      It's okay to find meta-humor amusing - i.e., the fact that Apple fanboys don't find it funny -- but posting to elicit that kind of response is trolling by definition.

      Now, personally, I wouldn't waste mod points modding it down anyway, but I would not m2 Unfair someone who did. My only point is this: You're not being nearly as clever as you think.

    5. Re:Impossible by enrevanche · · Score: 1

      It's more like Ballmer the Hut.

    6. Re:Impossible by russotto · · Score: 1

      Bill Gates: Darth Velop ("envelop")
      Steve Jobs: Darth Vision ("envision")
      Bin Laden: Darth Plosion ("implosion")
      Bush: Darth Competent
      Stallman: Darth GNU (what else?)
      Linus: Come on, you can't Darth Linus.

    7. Re:Impossible by ktappe · · Score: 1
      There is no possible way 31 separate security holes could exist;
      Kidding aside, I'll be impressed if he's able to locate 31 distinctly separate, true security holes in 31 days. He'll find some to be sure, but I predict he'll try to stretch some into two and others will be either "by design" or only security holes if you use the term very loosely. But we'll see.

      -Kurt

      --
      "We can categorically state we have not released man-eating badgers into the area." - UK military spokesman, July 2007
    8. Re:Impossible by Trillan · · Score: 1

      See, now coming up with alternate names to use... that's actually funny. I got a good chuckle out of this list. Darth GNU indeed! :)

    9. Re:Impossible by Anonymous Coward · · Score: 0

      He's not finding 31 holes in 31 days, he's publishing 31 holes in 31 days.

  3. A month of Apple bugs... by Anonymous Coward · · Score: 3, Funny

    A week of Apple games.

    1. Re:A month of Apple bugs... by Anonymous Coward · · Score: 0

      A full month of bug-chasing.

    2. Re:A month of Apple bugs... by Anonymous Coward · · Score: 0

      And, somehow, that still seems preferable to decades of both.

  4. Hmm... by GoodbyeBlueSky1 · · Score: 1

    [...]announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation. This sort of thing seems like a win-win, it's like legal extortion. Either you publish your findings and get lots of attention (sell ads on your site, gain notoriety, etc) or get paid hush money by a big corporation.

    Too bad MS doesn't seem to care that much about their rep, or Vista could be a goldmine!
    --
    why? forty-two.
    1. Re:Hmm... by Em+Adespoton · · Score: 1
      Too bad MS doesn't seem to care that much about their rep, or Vista could be a goldmine!
      What makes you think it isn't?
    2. Re:Hmm... by hobo+sapiens · · Score: 1

      Yeah, I personally cannot wait for the Decade of Vista Bugs!

      --
      blah blah blah
    3. Re:Hmm... by epee1221 · · Score: 1

      It's more of a lose-lose for Apple. Either Finisterre delivers on his promise, and 31 undocumented security holes are identified, or he doesn't and, whether he was just talking big or actually getting hush money, Apple is seen as having silenced him.

      --
      "The use-mention distinction" is not "enforced here."
  5. In response to these great efforts by Anonymous Coward · · Score: 1, Insightful

    I will be posting his credit card numbers at a rate of one a day. I am curious to see how he responds and if he is able to patch his wallet for each.

    It is not up to this schmuck to prioritize Apple's development tasks. If something he publishes goes wild and affects my company, he will find himself in litigation.

    1. Re:In response to these great efforts by Anonymous Coward · · Score: 1, Funny

      You sound as self-important as he does.

    2. Re:In response to these great efforts by Anonymous Coward · · Score: 1, Insightful

      It is not up to this schmuck to prioritize Apple's development tasks.

      If Apple chose to not prioritize security issues, what's that got to do with this guy? They should catch the bugs themselves.

      If something he publishes goes wild and affects my company, he will find himself in litigation.

      Because APPLE screwed up and shipped software with security holes? Why not sue Apple?

      (And please, don't tell me that all software has security holes. If that's your attitude you've lost the game already.)

  6. Only 7? by FunkeyMonk · · Score: 1
    Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.

    A few years ago, I worked for a corporation to transfer their database into Oracle. Having worked on the project for nine months, I can't possibly see how anybody could have limited themselves to just 7 bugs.

    But it seems the summary is surmising the researcher was paid off... I doubt Apple would succumb to such blackmail. If they can find 31 real problems in OS X, then good! Let's tighten things up!

    But if it's more "proof of concept viruses" for the mac, then I'll call FUD FUD FUD.

  7. Irresponsible by Phroggy · · Score: 5, Insightful

    I'm all in favor of taking Apple to task for failing to fix a bunch of bugs, but releasing detailed information to the public without notifying the vendor first is simply irresponsible. The only reason it's being done this way is shameless self-promotion: if Apple fixed all the bugs in advance, then they'd have nothing left to show for their month of Apple bugs, so people wouldn't freak out about it.

    In short, their goal isn't really to get these bugs fixed ASAP; their goal is to spread fear and panic. If the bugs get fixed eventually, that's just icing on the cake. The problem with this is that it could cause some real problems for Mac network admins out there, many of whom don't have a lot of extra time to deal with unpatched security holes. If it was just a matter of "sticking it to Apple", that would be one thing, but this will affect a lot of innocent victims.

    Yes, I'm a Mac user. No, that isn't why I feel this way; Microsoft should get advance notice too.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Irresponsible by Anonymous Coward · · Score: 0

      If all the bugs were fixed in advance you'd also still have fuckfaces like Gruber claiming the holes don't exist. I'm also a Mac user.

    2. Re:Irresponsible by moore.dustin · · Score: 1, Interesting
      He is many things, but not irresponsible.

      Sure, he may be doing this for self-promotion, but what is wrong with using your knowledge to get some recognition? What he gets from this will be worth far more than what he would if he submitted these bugs to be fixed to Apple. Unless Apple is ready to thank him personally for all the bug fixes in a public manner and allow him to post the exploits after they were fixed, then why not?

      It is not his public duty to make sure Apple's OS is safe; if anything, it is his to prove that it is not. Hell, you could say it is more irresponsible to not release them to the public than to just submit them to be fixed to Apple. If every XP exploit was sent in like that people would think/know XP was the safest thing around... either way those sysadmins you spoke of still have a hard job no matter what. So they have to guard against new threats with these going public... what is new there? That is their job, to be on top of this. That is why they read /. and know where to look to see what the bugs actually end up being when released.

    3. Re:Irresponsible by jellomizer · · Score: 1, Insightful

      No, you point to the security updates to prove there were holes, and you tell them there is a good chance you will get more. Also, if a guy is going around claiming that holes don't exist, just put him in the same group of people who believe man didn't go to the moon, or Macro-Evolution is a myth. Fixing the bug before it is a problem is better than just trying to prove some wacko wrong.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    4. Re:Irresponsible by truthsearch · · Score: 1

      If the person who started this whole Month of Bugs is trying to remain anonymous then how can it be for self-promotion? If they're trying to spread fear it's to make the public put pressure on the vendors to fix flaws.

    5. Re:Irresponsible by soft_guy · · Score: 1

      In my opinion, if he has already submitted the bugs to Apple (easy to do - visit bugreport.apple.com) and they haven't fixed them yet - then in my opinion, what he is doing is totally OK. If he didn't at least file a bug with Apple, while he may (or may not, IANAL) be in legal trouble, he is at the very least kind of a jerk.

      --
      Avoid Missing Ball for High Score
    6. Re:Irresponsible by n0dna · · Score: 1

      First off, do you actually know that these are all 0-Day exploits and/or that Apple is unaware of them?

      Second, are you claiming that Apple doesn't (and they'd be the only OS maker) have people rummaging around on the net looking for news of bugs/exploits/holes? It would seem to me that if this wiener can find the bugs, so could Apple.

      It appears that this is just another attempt to show that Apple is as indifferent to fixing security holes as anybody else, but for some reason Mac users just don't seem to mind.

    7. Re:Irresponsible by Anonymous Coward · · Score: 1, Insightful

      So you favour security by obscurity. Personally, I don't, and this is the reason - if I'm not aware that an application or OS I administrate is currently open to remote attack, then I can't defend it against attack. If I am aware, then I can take necessary steps to hinder an attack while I wait for the patch - standard procedure. I am not for publishing full exploit scripts and putting attack tools on the net, but I would like to know sufficient details to help me in security. Details like which port, what can happen, a helpful segment of code payload, etc.

      Publishing data like this isn't to spread fear and panic; maybe they want to do that - I don't know, but publishing info on security risks is standard. As long as they notify the original company or programmers and give them reasonable time, then nothing is happening out of the ordinary. Is there some special reason you want Mac users to be not aware of security holes in their system and drag on the length of time they are at risk from a remote attack? If a researcher can figure out an attack, there are people out there who don't tell anyone what they have discovered except in IRC channels with bad reputations. That's why I believe security through obscurity works so well for the criminal element.

      And defending network admins who leave systems unpatched... Lazy isn't a good reason for anything. Patching OSs and keeping on top of what's secure and what's not is part of the job. And what's with "if Apple fixed all the bugs in advance"? I'm sure they tried, I'm sure people believe that phrase, but it's not reality, at all; they didn't, no OS has to date, so I find it a pretty big if... if we all used PSI powers instead of computers we also wouldn't be talking about Apple OS security... so what.

    8. Re:Irresponsible by phoenixwade · · Score: 1

      I understand the point of giving the vendor the opportunity to fix it first, however, this technique does have the advantage of motivating the developer. It's a strong arm tactic, granted, but it does motivate for a rapid response. I wonder if there will be something new next month, or if we are going to see exploits/bugs that have already been documented somewhere else. If it's the latter, then Apple deserves the kick in the butt to fix whatever is broke.

      On the other hand, as has been pointed out elsewhere, This gives Apple an opportunity to turn this to their advantage.

      It should be an interesting month, regardless.

      --
      A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
    9. Re:Irresponsible by jellomizer · · Score: 1

      Submit the bug to Apple/Microsoft, wait 2-5 days, then post it publicly. That way you get the best of both sides.

      First, you give the company a head start in fixing the security hole before a well-packaged exploit goes public.
      But you get your shameless self-promotion of being "Mr. Uber Geek, I am smarter than you because I have more free time to do these things.".
      If the patch isn't released shortly after posting, people can take additional measures to protect their system.

      It is like finding a person's (let's call him John) car door is unlocked, you know whose car it is, and you yell out "Hey, John's door is unlocked! If you see him tell him his door is unlocked, I think John is in the store!"

      vs.

      Just going in the store and telling him his door is unlocked.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    10. Re:Irresponsible by Anonymous Coward · · Score: 0

      what is wrong with using your knowledge to get some recognition?

      A lot of people in jail have used their knowledge for recognition. It's how you use that knowledge to gain recognition that matters.

      Unless Apple is ready to thank him personally for all the bug fixes in a public manner and allow him to post the exploits after they were fixed, then why not?

      Because some users don't upgrade their machines. Ya, they're stupid. So what is your point?

      It is not his public duty to make sure Apple's OS is safe, if anything, it is his to prove that it is not.

      So it is his public duty to prove that Apple's OS is not safe? Hasn't this fact been proven already?

      The truth is that he is not adding any measurable public awareness.

      This is just an exercise in his own self-promotion, and has nothing to do with advancing public knowledge of computer security.

      So they have to guard against new threats with these going public... what is new there?

      The difference? No patch, no recourse.
    11. Re:Irresponsible by Anonymous Coward · · Score: 0

      What makes you think the 'bad guys' don't know about these problems already? If one person is able to discover or gather all these problems, why wouldn't someone or, even more probable, a group of people, have been able to find them also? There are people whose primary goal and/or job is to find security vulnerabilities. Releasing these problems publicly probably only causes a small spike in exploits. Most of the people with the technical knowledge to take advantage of the info would probably already have been using the exploit or would have been using some other method. The incentive to use the published security problems may actually be decreased by being made public, because the hackers (crackers, whatever) know the problem is likely to be patched soon. Additionally, now the administrators have been made aware of the problem and can implement temporary work-around fixes in some of the cases.

    12. Re:Irresponsible by Trillan · · Score: 1

      There is still no evidence that SecureWorks' hole exists. The subsequent patches from Apple are completely unrelated to the claimed vulnerability. I'm still waiting to see what SecureWorks has; so far, it really looks like nothing.

    13. Re:Irresponsible by Anthracks · · Score: 1
      From TFA:

      As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message.

      So yeah, assuming Apple hasn't already found these bugs independently, they are 0-day and previously undisclosed.
      --
      Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
    14. Re:Irresponsible by Anonymous Coward · · Score: 0

      It's perfectly responsible to just release the info on the bugs. I'm a Mac and Linux user; the faster the bugs are made public, the faster the devs are forced to fix the problems instead of sitting on them while a select few hackers that have known about these bugs the whole time get to pick apart every machine they find.

    15. Re:Irresponsible by Jasin+Natael · · Score: 1

      No way. If he discovered ways to bypass a security system, and knowingly gave thieves access to my property, he would be -- ethically for sure, and most likely legally -- a willful accomplice to trespass and any associated crime. Whether he's granting access to my land, my safe, a bank vault, or my computer, it's trespassing and it's a crime he participates in.

      I couldn't care less what his beef is with Apple; the fact that he's distributing this information to people who would use it to commit crimes, before notifying the property owners who are their prospective victims, is abhorrent. It is nothing less than enabling and encouraging criminal acts, with malice aforethought. In our above analogy, even if the lock maker or security system vendor had ignored him in the past, that does not and cannot give him the right to aid and abet criminal acts against that company's customers.

      He is many things, but not irresponsible.

      Perhaps he is not irresponsible. I guess "criminal" and "despicable" would be better labels after all.

      --
      True science means that when you re-evaluate the evidence, you re-evaluate your faith.
    16. Re:Irresponsible by spun · · Score: 1

      And yet, if a locksmith writes a book that details how a certain brand of lock is not secure, including reproducible instructions given in order to prove he is correct, and then someone uses that book to break into your house, that locksmith will IN NO WAY be liable for your loss. I don't think your logic holds up. This person is not "knowingly giving thieves access to your property," he is publishing security information.

      I once told a friend that if you eat polonium you will die. I suppose that makes me responsible for Litvinenko's death?

      --
      - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    17. Re:Irresponsible by moore.dustin · · Score: 1

      So if I post a video of how to pick a lock and then someone breaks into your house via picking a lock, I am at fault? If I make a post of how to tap a phone and then someone taps yours, I am at fault? I could go on for ages. The criminal is the one who commits the crime. In some cases, those who provide the means are also guilty, but this is not one of those cases.

    18. Re:Irresponsible by Zonnald · · Score: 1

      And if you give me the URL to download torrent from and I use it to download the latest film, then you are legally responsible?

    19. Re:Irresponsible by Jasin+Natael · · Score: 1

      And yet, if a locksmith writes a book that details how a certain brand of lock is not secure, including reproducible instructions given in order to prove he is correct, and then someone uses that book to break into your house, that locksmith will IN NO WAY be liable for your loss.

      If he did it with malice aforethought and took pains, like this anonymous jerk, to ensure that the manufacturer is caught with their collective pants down, then yes. This sensationalist "security researcher" is a sadist, sitting back and instilling fear, intentionally enslaving the vendor to work on their product in sequence of his priorities, in some kind of sick race to see if the vendor can fix the problem before the customer, caught in the middle, gets ripped off.

      If you publish exploits in any medium for any device, and do not notify the relevant vendor ahead of time, notwithstanding past coercive and/or retributive behavior on the part of the vendor in question, then you are doing the same thing as this guy. By announcing this ahead of time, he calls criminal attention to his site, and is acting with malice toward the vendor and its customers. In essence, he's inviting everybody to gather at the starting line so that they can race to get to the innocent people's property first. The vendors, racing to defend it, and the criminals racing to exploit and expropriate it. All so he can be notable as the officiator of the race.

      A book would come out differently. But even then, you should tell the vendor before it hits the shelves.

      --
      True science means that when you re-evaluate the evidence, you re-evaluate your faith.
    20. Re:Irresponsible by failedlogic · · Score: 1

      I agree with parent poster.

      I also wonder, though, as an aside: here on Slashdot, and I tend to agree with the argument, there are critiques of analysts at 'independent' research firms for not doing their research properly and it therefore impacting upon the public perception (read: stock performance) of the company being analysed.

      I have to wonder if there is also an economic downside to this type of research. And sure, Apple is a 'big' company by most measures, but the bottom line still affects whether or not people keep their jobs.

    21. Re:Irresponsible by GaryPatterson · · Score: 1

      It's not his job to protect OS X users, and releasing a list of security holes without giving the vendor an opportunity to reply or repair them certainly doesn't help OS X users.

      He wants to publish a list of ways your computer can be maliciously affected, and then what? Will he stand back and say "this is it, I'm not responsible for how it's used?"

      That's almost a textbook definition of irresponsible - doing something and not taking any blame for the repercussions.

      Yes, it's not directly his fault if a hacker causes damage, but having provided the instructions and a map, he's at best an accomplice to any criminal acts. It's not enough to pretend that he would bear no blame, and I think it's not going out too far on a limb to say that the legal system would lump him in with the actual perpetrators (certainly in the current climate of hysteria).

      In short - he is *not* a security researcher. He's a hacker looking for publicity. I hope he gets a *lot* of publicity, just not the sort he wants.

  8. Hint to Apple PR: you can make hay from this by toby · · Score: 3, Insightful

    Memo to Apple PR:
    Work with this guy. Simply ensure that each bug identified is fixed ASAP, and issue a press release about it. This lets you capture and keep the high ground by showing that you care more about security and quality than the competition does. Up for it?

    Just remember, where the big bad guys see "little people to be silenced," others see "opportunity."

    --
    you had me at #!
    1. Re:Hint to Apple PR: you can make hay from this by Mr.+Underbridge · · Score: 5, Funny

      Memo to Apple PR: Work with this guy. Simply ensure that each bug identified is fixed ASAP, and issue a press release about it. This lets you capture and keep the high ground by showing that you care more about security and quality than the competition does. Up for it?

      Memo to toby: We don't negotiate with terrorists.

      --Steve

    2. Re:Hint to Apple PR: you can make hay from this by tonywong · · Score: 4, Insightful

      That just escalates this guy's standing and position in the 'newsy' community. Why would you want to build his fame and fortune for him? You pander to his fancies of being a security guru and he will hold you hostage with a 'security review' every time he needs a PR boost.

      Ignore this guy and keep doing things the way they've been done. It has been responsive and working.

    3. Re:Hint to Apple PR: you can make hay from this by Udo+Schmitz · · Score: 1

      Memo to toby:
      I doubt the guy wants to work with anyone.
      As I just quoted in another post: Washington Post: "As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message."
      I guess his emphasis is on page views and ad revenue. Not making the world of computers a safer place. Hope that doesn't shatter your weltanschauung.

    4. Re:Hint to Apple PR: you can make hay from this by Doctor+Memory · · Score: 1

      Just remember, where the big bad guys see "little people to be silenced," others see "opportunity." Yeah — the opportunity to silence some little people, to curry favor with the big bad guys...
      --
      Just junk food for thought...
    5. Re:Hint to Apple PR: you can make hay from this by dangitman · · Score: 1

      Work with this guy. Simply ensure that each bug identified is fixed ASAP, and issue a press release about it.

      It sounds like (especially based on their last such publicity stunt) that "this guy(s)" does not want to be worked with, and just wants maximum drama and exposure for his site. Interesting that one of them doesn't want to be known by name. They don't sound particularly co-operative, especially if they had anything to do with the "wireless security flaws" beat-up.

      --
      ... and then they built the supercollider.
    6. Re:Hint to Apple PR: you can make hay from this by pklinken · · Score: 0

      toby ?
      toby wong?
      tony ?
      tony wong ?
      f***ing charlie chan

  9. Test of a common theory! by GodInHell · · Score: 1
    Hey! This is a unique (and for this mac user, kind of worrisome) opportunity to test the MS theory that releasing this kind of information causes a proliferation of exploits and only serves to teach people what kind of holes to look through.

    If there is a sudden spike in viri and back end hacks on macs, then we'll know. The question is, will the community care either way - if it turns out that this kind of activity rapidly accelerates the spread of black-hat script idiots, will there be repercussions, or will we fall in along the common mantra that "obscurity is not protection" (though most snipers would disagree).

    -GiH

    1. Re:Test of a common theory! by peragrin · · Score: 1

      Well, people like Rob Enderle will say "see, there was a 300% increase in Mac viruses just this week." Of course it means it went from 1 to 4 but hey, at least he would be right for once.

      The fact is that *nix's dealt with mass propagating viruses and auto-executing text formats 20 years ago. They figured out how to limit their spread simply. OS X while not bullet proof or perfect has at least a solid foundation to work with. Windows including Vista has an unstable one at best. Vista's security system at least in the betas could be bypassed by changing an entry in the registry. That's secure?

      Next up though will be the intelligent and secure file system. A filesystem that deals with users and permissions on its own, preventing access to files without authorization.

      --
      i thought once I was found, but it was only a dream.
    2. Re:Test of a common theory! by toadlife · · Score: 1

      "The fact is that *nix's dealt with mass propagating viruses" No it didn't.

      "...and auto-executing text formats 20 years ago." That's just spiffy, but auto-executing text formats are not the cause of malware propagation on Windows.

      "Vista's security system at least in the betas could be bypassed by changing an entry in the registry. That's secure?" A registry key which you would need admin access to change.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    3. Re:Test of a common theory! by uhlume · · Score: 2, Insightful
      Vista's security system at least in the betas could be bypassed by changing an entry in the registry. That's secure?
      ...And *NIX's security system can be bypassed by chmod -R 666'ing /etc, adding all users to wheel/sudoers, and/or...well, really, any number of ways. That's secure?

      Oh wait, yeah, it is.

      It goes without saying that any administrator knowledgeable enough to change system settings (particularly those which aren't exposed for easy access) has the capability and the potential to change them to something stupid. So long as the defaults are sane for people who wouldn't know from a registry entry or a group file, who cares?

      Next up though will be the intelligent and secure file system. A filesystem that deals with users and permissions on its own, preventing access to files without authorization.

      Now you're just stringing words together for fun without regard to meaning. Do you have even the foggiest notion of how filesystems are actually implemented? What are you trying to describe, and how is it different from EXT3 or NTFS or any even remotely modern kernel-level filesystem?
      --
      SIERRA TANGO FOXTROT UNIFORM
    4. Re:Test of a common theory! by petard · · Score: 1
      will we fall in along the common mantra that "obscurity is not protection" (though most snipers would disagree).

      The common mantra is not "obscurity is not protection". The common mantra is "Security through obscurity is really not security." You're repeating a common misunderstanding. If instead you read "Security that relies on obscurity is bad" then you have a better understanding of the criticism of security through obscurity.

      In other words, obscurity may help, but it should not be the primary feature of your security plan. In fact, you should not rely on obscurity for anything important at all. Just consider yourself lucky if you benefit from it for a little while.
      --
      .sig: file not found
    5. Re:Test of a common theory! by GodInHell · · Score: 1

      Still.. should it be proved out that these kinds of tactics increase the risk to the common (enterprise?) user, would you justify them anyway?

      I appreciate that argument for releasing data on security breaches under the theory that "the bad guys know this, the good guys don't" if it should turn out that they are instead cheap classes on compromising common system architecture, I would feel the need to wonder what steps could be taken (by law makers) to discourage them.

    6. Re:Test of a common theory! by peragrin · · Score: 1

      current *nix filesystems have the user just like any other piece of meta data. NTFS doesn't have anything like that in practice. whether it's there or not it's not used by windows. Booting from another disk eliminates all security systems in place for any OS. It's a glaring security problem. it's a point no one has begun working on.

      On OS X the root user isn't activated that command can't be given. Ubuntu is doing the same thing. Viruses can't spread that way without a lot of manual input by the user. it's not a task that you can automate. Try it a bunch of people have been that's why after 6 years there has been no self replicating viruses for OS X. just a couple of trojans that can only target one machine at a time.

      Also how many window users will give an app full access to install. mac Apps that don't need admin access don't ask for it during install. Yet for some reason MSFT apps for the mac, do need admin access. The difference? Windows Media Player 9 needed admin access to install yet mplayer or VLC don't yet they all achieve the same thing.

      --
      i thought once I was found, but it was only a dream.
    7. Re:Test of a common theory! by uhlume · · Score: 1
      current *nix filesystems have the user just like any other piece of meta data. NTFS doesn't have anything like that in practice. whether it's there or not it's not used by windows. Booting from another disk eliminates all security systems in place for any OS. It's a glaring security problem. it's a point no one has begun working on.
      ...Apparently you've never heard of filesystem-level encryption: a feature available in some form in every modern OS I can think of, including NTFS in Windows.

      On OS X the root user isn't activated that command can't be given. Ubuntu is doing the same thing.

      As is Vista -- the initial user account created during installation has, essentially, the ability to sudo, but is not the actual Administrator account. By default, the Administrator account doesn't even appear as a login option.

      Care to remind me of your point again?
      --
      SIERRA TANGO FOXTROT UNIFORM
  10. Also by this author... by XxtraLarGe · · Score: 5, Funny

    Month of Homeland Security Vulnerabilities!
    The places where terrorists could do the absolute most damage if they were to strike within the next few hours!

    --
    Taking guns away from the 99% gives the 1% 100% of the power.
    1. Re:Also by this author... by telbij · · Score: 1

      And you thought Windows was a security nightmare. no... really.

    2. Re:Also by this author... by russotto · · Score: 1

      In this season? The Mall of America, the King of Prussia Mall, Sawgrass Mills Mall, etc....

      Actually, if the terrorists are REALLY clever, they'll take down all the jewelry stores and florist shops and stands on Christmas Eve. The damage done by the women to men who saved their gift shopping for the last minute should shut the country down for weeks (taking down the florist shops prevents effective apologies, of course).

    3. Re:Also by this author... by Hoch · · Score: 1

      I understand that you are joking, but if the terrorists were satisfied with malls, we would see more attacks there. What they want to attack are symbols of power. They don't attack only to hurt us, but to bolster their cause at home. By attacking symbols of power, they appear strong. While this might not be the same in Israel, this has been an American standard. Why do you think that Al Qaeda attacked the same building twice? Not for the body count, but for the symbolism.

      --
      2*31*37*263
    4. Re:Also by this author... by SkunkPussy · · Score: 1

      I don't think you're right. You are extrapolating from too little information. There has only been one al-Qaida attack on American soil. There is little evidence that there will even be another one. Right now it's impossible to have any kind of generalisation or modus operandi of these so called "terrorists".

      --
      SURELY NOT!!!!!
  11. A benefit to the Mac community, surely? by xwizbt · · Score: 2, Interesting

    At the moment, MacOS X Hints has a couple of bugs as its first two articles. One is a flaw in Text Editor, the other a possible data loss in iWeb. A month of Apple bugs, to me, means at least 30 bugs found and fixed. Apple has a proven track record when it comes to security updates, and the Software Update function works extremely well to roll out updates with an awe-inspiring ease.

    I'd like to say I'm confident they won't find thirty bugs, but that's unlikely. The important thing to focus on, however, is that a bug discovered is a bug that can be sorted. In actual fact, the 'Report bug' options in Safari and a number of other applications shows just how seriously Apple takes this. Bring it on...

    1. Re:A benefit to the Mac community, surely? by Ash-Fox · · Score: 1
      Apple has a proven track record when it comes to security updates,
      Proven, how?

      I've read articles in the past that mentioned Apple was often slower than Microsoft at releasing critical updates. The Linux communities being faster than Microsoft often at releasing critical security updates.
      --
      Change is certain; progress is not obligatory.
    2. Re:A benefit to the Mac community, surely? by Lars+T. · · Score: 1

      Apple has a proven track record when it comes to security updates,
      Proven, how?

      I've read articles in the past that mentioned Apple was often slower than Microsoft at releasing critical updates.

      Well, if you read it, it must be true then.
      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    3. Re:A benefit to the Mac community, surely? by Ash-Fox · · Score: 1
      Well, if you read it, it must be true then.
      I agree, that doesn't sound very factual without providing at least one link, although I'm sure the more, the better.

      However, the question remains. Proven, how?
      --
      Change is certain; progress is not obligatory.
  12. Hmm, January 2007... by kiltyj · · Score: 3, Insightful

    Isn't something else happening in the OS world... near the end of the month, maybe?

  13. Memo to Mr Underbridge by toby · · Score: 1

    ... :-)

    --
    you had me at #!
  14. I disapprove by Sloppy · · Score: 4, Insightful

    I have to admit I sometimes waffle on my opinion regarding disclosing to vendors first, versus disclosing to the whole world simultaneously. Both approaches have some advantage.

    This approach does not.

    If the goal of disclosing to the whole world is to give users a chance to defend themselves (since it is assume that black hats may already know about these holes, and may already be expoiting them) then why delay until January?! And why dole out the information one bug, one day, at a time?

    By delaying, you gain the disadvantage of vendor-only disclosure: today's users aren't getting the information to at least try to protect themselves from exploits that are possible right now.

    Best-case, you also may get the advantage of vendor-only disclosure. Maybe Apple has been told about these bugs and has had an opportunity to address them. But the article doesn't say that. We just don't know. So that's a best case, and the worst case is that we'll get the disadvantage of simultaneous public disclosure: the script kiddies get to start exploiting the bugs right away, while the users have to wait for a fix from a big clumsy vendor. And that's not counting the intentional delay, where people might be exploiting the bug between now and the disclosure.

    This is a bad idea, no matter which camp you're in (exception: black hats).

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:I disapprove by Anonymous Coward · · Score: 0

      "If the goal of disclosing to the whole world is to give users a chance to defend themselves (since it is assume that black hats may already know about these holes, and may already be expoiting them) then why delay until January?! And why dole out the information one bug, one day, at a time?"

      The delay is to overlap with the Macworld Expo, starting January 8th. The one-day-at-a-time is to get the maximum publicity.

    2. Re:I disapprove by MetaKey · · Score: 3, Insightful
      "Maybe Apple has been told about these bugs and has had an opportunity to address them. But the article doesn't say that. We just don't know."

      Actually, yes, we do know.

      FTFA: "As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message."

      It's a childish and self centered move on the part of "LMH" to NOT inform the vendor. Apparently, he is more concerned about puffing himself up than with security or the well being of the computing community.

      Actually, in the short term "LMH" is seriously compromising security. Ethical behavior is to open a dialog with the vendor. If the vendor does not participate in the dialog and demonstrate a good-faith effort to fix the reported vulnerabilities then make the vulnerabilities public.

      But, of course, that doesn't get you your 15 minutes of fame..

    3. Re:I disapprove by alphasubzero949 · · Score: 2, Interesting

      Maybe Apple has been told about these bugs and has had an opportunity to address them.

      Like InputManagers? Oompa-Loompa, Inqtana.B, and more recently, 'iAdWare' all used InputManagers in order to execute, as admins easily have read/write access to /Library/InputManagers. If you think that the easy solution is to not run as an admin for day-to-day tasks, you still have to worry about ~/Library/InputManagers. Apple dismissed InputManagers as a "feature." Fortunately, however, there is an easy way to protect yourself:

      mkdir /Library/InputManagers
      chmod 0700 /Library/InputManagers
      chflags 017 /Library/InputManagers

      and likewise for your home Library folder. If you really want to tighten things down to the point where you need to boot into single user mode, do this instead:

      mkdir /Library/InputManagers
      sudo chown 0:0 /Library/InputManagers
      sudo chmod 0700 /Library/InputManagers
      sudo chflags 1600017 /Library/InputManagers

      Unfortunately, Panther users have to take an extra step as Apple decided to add a sticky bit to /Library in Tiger without applying that security fix to older iterations of OS X. So in order to enjoy the same permission model, Panther users need to run this:

      sudo chmod 1775 /Library

      That is one example of how users can protect themselves now instead of waiting for Apple to do something (read: most likely never).
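      The hardening described in the comment above, written out as a small POSIX shell script with a verification step. This is an added example, not alphasubzero949's commands or anything from the thread: the function names (harden_inputmanagers_dir, check_inputmanagers_dir, audit_inputmanagers_dir) and the directory argument are my own, it sets the immutable flag by keyword (uchg) rather than the numeric 017 form used in the comment, and it skips chflags and chown where they are unavailable or where the caller is not root, so it can be tried on a scratch directory before being pointed at /Library/InputManagers or ~/Library/InputManagers.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): lock down an InputManagers
# directory as the comment above describes, and verify the result.
# Assumes a BSD userland for chflags (macOS); elsewhere the flag step is skipped.

# perm_string DIR: the ten-character mode field from `ls -ld`, e.g. drwx------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# audit_inputmanagers_dir DIR
# Lists every entry in DIR on stderr and prints the count on stdout. Very
# little legitimate software needs an InputManager, so any entry is worth a
# look before the directory is locked with it inside.
audit_inputmanagers_dir() {
    dir=$1
    count=0
    [ -d "$dir" ] || { echo 0; return 0; }
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$entry" ] || continue          # unmatched glob literal
        echo "found: $entry" >&2
        count=$((count + 1))
    done
    echo "$count"
}

# harden_inputmanagers_dir DIR
# Creates DIR if missing, gives it to root when run as root (the comment's
# second variant), sets mode 0700, and marks it user-immutable where chflags
# exists so nothing can be dropped into it without clearing the flag first.
harden_inputmanagers_dir() {
    dir=$1
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown 0:0 "$dir" || return 1
    fi
    chmod 0700 "$dir" || return 1
    if command -v chflags >/dev/null 2>&1; then
        chflags uchg "$dir" || return 1      # assumption: uchg stands in for 017
    else
        echo "note: chflags not available here, immutable flag not set" >&2
    fi
    return 0
}

# check_inputmanagers_dir DIR
# Succeeds only if DIR exists and its mode is exactly drwx------.
check_inputmanagers_dir() {
    [ -d "$1" ] && [ "$(perm_string "$1")" = "drwx------" ]
}

# Stand-alone usage: harden and check the path given on the command line.
if [ -n "$1" ]; then
    audit_inputmanagers_dir "$1" >/dev/null
    harden_inputmanagers_dir "$1" && check_inputmanagers_dir "$1" && echo "locked: $1"
fi
```

      On macOS the immutable flag has to be cleared again (chflags nouchg) before the directory can be removed or changed; on Linux, where chflags does not exist, only the 0700 mode is applied. The audit step is deliberately separate from the hardening step so that an existing bundle is noticed rather than silently locked in place.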

    4. Re:I disapprove by SeaFox · · Score: 1
      If the goal of disclosing to the whole world is to give users a chance to defend themselves (since it is assume that black hats may already know about these holes, and may already be expoiting them) then why delay until January?! And why dole out the information one bug, one day, at a time?

      Because if they just gave out all the info now, in a couple weeks Apple will have issued a patch for most/all of them, which would spoil the effect for Vista's launch. If they release them one at a time, Apple won't be able to have patches ready for the last few at least before the big day. Plus, an event like this gives FUD-slingers the added bonus of these lines:

      "You know they've discovered a new bug in OSX every day this month."

      "They've discovered __ bugs in OSX this month alone!"

      "There are __ unpatched bugs on OSX right now."
    5. Re:I disapprove by alphasubzero949 · · Score: 1

      Correction: Forgot to insert my br tags after each command. Hopefully readers can still understand what is being accomplished.

    6. Re:I disapprove by strikethree · · Score: 1

      The idea is that you immediately give full disclosure to the vendor and partial disclosure with a mitigation strategy to the public. Once the bug has been fixed, full disclosure is given to the public so that they can oooh and aahhh about how clever you were. Anything less (or more) is putting people at unnecessary risk.

      strike

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  15. Unethical by polyex · · Score: 1

    Not allowing Apple or any other software developer the opportunity to protect its users from a security exploit and then posting instructions on a public website that allow someone to commit a criminal act is at a minimum unethical and may even open this character up to a lawsuit if anyone is seriously hurt financially or otherwise (remember hospitals, cancer researchers etc use computers). This behaviour shows another agenda beyond helping vendors (well perhaps helping one in particular).

    1. Re:Unethical by mandelbr0t · · Score: 1

      Theory is theory. I can post instructions on a fictional <insert crime here>, and the person who commits the crime is 100% guilty, even if he got the idea from me. Classic examples: The Great Train Robbery, Strangers on a Train, The Italian Job. The only thing that can be done is to limit distribution of such texts on the basis that they are harmful to society at large. This is the way that Hate Literature is managed; you certainly can't stop somebody from writing it, but you can bust him the second he provides his writing to someone else.

      As to unethical, I'd say No. The case can be made that disclosing such information is in the interest of the general public. It could also be argued that it was done as a last resort: the vendor wouldn't deal with us when we went to them privately, so we released the information publicly. I'm sure Ralph Nader has released information that could be used to do something dangerous or illegal.

      mandelbr0t

      --
      "Please describe the scientific nature of the 'whammy'" - Agent Scully
    2. Re:Unethical by polyex · · Score: 1

      Thanks for totally ignoring my point about identifying the issue and bringing it to the attention of the manufacturer before making it public. Say what you want about free speech and such, people can still be sued (and usually for a lot less than this sort of behaviour) if someone ends up getting hurt from this. If instructions on how to exploit computer security are ok, then why not instructions on how to exploit previously unknown airline security holes? They are both aiding in the commission of a crime. Disclosing information to the people who are trying to maintain the product is ethical; not doing that first and telling the world how they can take advantage before the manufacturer has a chance to fix it serves no purpose other than to see a crime come to fruition, even if you don't actually do the final deed yourself.

  16. Fascinating. by Anonymous Coward · · Score: 0

    When the "month of kernel bugs" happened, everyone criticized Linux for having so many bugs.
    Now that the "month of Apple bugs" is happening, everyone is criticising the guy finding the bugs.

    1. Re:Fascinating. by Anonymous Coward · · Score: 0

      No, it's Mac fan-bois who are criticising.

  17. Why don't software companies offer bounties? by Jon+Abbott · · Score: 1

    Why don't large software companies offer bounties to find their security flaws and disclose them in private before they become a problem? I know security companies do this sometimes, as well as underground organizations to find 0-day exploits, so why aren't the software companies themselves getting into this game? I would think that it would motivate programmers at the company in question to tighten up their code, especially if the bounty cash cuts into their results sharing.

    1. Re:Why don't software companies offer bounties? by Anthracks · · Score: 1

      Some do. Mozilla, for one. I imagine there are others out there too.

      --
      Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
    2. Re:Why don't software companies offer bounties? by nasch · · Score: 1

      Is it known if this produces a black market for bugs? Is the benefit of writing a security bug and having a friend/alter ego report it for a reward greater than the penalty for being found to have written a security bug?

    3. Re:Why don't software companies offer bounties? by Anonymous Coward · · Score: 0

      Is the benefit of writing a security bug and having a friend/alter ego report it for a reward greater than the penalty for being found to have written a security bug?

      If I found out about it it wouldn't. I'd rip the developer's head off and poop down his throat.

  18. do they need advance notice? by toby · · Score: 1

    I think anything Apple says in response will have a wide audience, which means its message won't be lost. And that message could be as simple as, "We know we have bugs. Instead of pretending we don't or burying them in bureaucracy, we're going to fix whatever he finds. Keep em coming!"

    Yeah, I know, I'm hopelessly naïve.

    --
    you had me at #!
    1. Re:do they need advance notice? by Udo+Schmitz · · Score: 1

      Come again? Are you trolling? Do you really think releasing exploits to the public without giving the vendor advance notice isn't anything but irresponsible?

    2. Re:do they need advance notice? by toby · · Score: 1

      If this guy really has 30 zero-day remote exploits for OS X, then Apple really does have a problem.

      He'll be scraping the barrel to find one or two. And either way, I still think it's a PR opportunity for Apple. Or at worst, tuff love!

      --
      you had me at #!
  19. Shotgun + Fish + Barrel by Anonymous Coward · · Score: 0

    OS-X is the most insecure OS this side of Lunix. Pointing out how insecure either of them is like shooting fish in a barrel.

    In fact, there is probably SO many undocumented exploits... he should probably expand it to a year.

  20. bugs != insecure all the time by netsfr · · Score: 1

    Just wanted to point out that a bug doesn't mean any OS is insecure. It could be that a pixel is green where it should be blue... And sometimes one man's "bug" is another's "by design".

  21. Prior Notification by Midnight+Thunder · · Score: 1

    If they give the company a month's notice to fix the issues then publishing them afterwards would be incentive for Apple to fix bugs they were made aware of, but failed to fix. Publishing before notifying Apple sounds like just wanting free bragging rights.

    --
    Jumpstart the tartan drive.
  22. Month of Apple Bugs by wile_e8 · · Score: 2, Funny

    To be followed by the Decade of Microsoft Bugs. Welcome, Vista...

  23. Irresponsible behavior for security professionals by Urd · · Score: 1

    There are channels and processes for dealing with security issues. Official channels and processes. Failure to use these shows the clear lack of professionalism on the security workers' behalf. I would never ever work with these people or anyone who associates themselves with these practices or endorses them (including the company that may employ them). I simply wouldn't ever trust them to be either professional, knowledgeable or to actually work for me.

    And I do control a rather large security related budget at a fortune 100 company. They will never get a slice of my security budget...

  24. Viri by Anonymous Coward · · Score: 0

    is the latin plural of men, and your usage of it indicates that you just looove being tag-teamed by them. Shut your pie-hole, cum bucket.

  25. Month of OpenBSD bugs by Xugumad · · Score: 1

    Me, I'm waiting for him to do a month of OpenBSD bugs...

  26. stipulated to be true by fermion · · Score: 2, Insightful
    We can accept the following as a given:
    • every system has bugs
    • Some bugs will result in the creation of security issues
    • Bugs that do not result in the creation of security issues or other user problems will be ignored
    • If an exploit does not exist in the wild, the developer will claim a fix for the bug can be deferred
    • if a developer is secretly alerted of a bug, the developer will claim the fix can be deferred because the bug is secret
    • If a white hat hacker has found a bug, then someone else probably has as well
    • Just because an exploit is not known, does not mean that it does not exist and is just waiting for release
    • Hackers that release bug lists are just looking for attention and friends

    Given all of these varied assumptions, there is no simple answer to the reporting of bugs. There is really no reason to keep the bugs secret, as that does a disservice to the customers and allows the manufacturer to postpone a fix. If the issue is serious, then it will get out anyway, and the sooner the fix the better. By making the bug public, the developer can openly discuss the issue and justify the action or inaction.

    In the end the only shitty thing to do is sit on a bunch of bugs and then release them en masse. This of course is going to overwhelm the developer, and expose a bunch of issues that cannot be quickly fixed. It is not only an attack on the developer, but an attack on the innocent users. I have no problem with hackers releasing bugs as they are found, but building up an arsenal is something that only black hats would do.

    As far as if a particular OS is secure, this probably has more to do with the quality of code rather than error rate. Even quality code will have errors. The difference is that quality code is written in such a way that side effects are minimized by clearly defined interfaces and domains of data. This leads to code that can be easily fixed without the problem of a change affecting many other unrelated systems. Ever since we were told that MS Windows can not function with IE or WMP, and it took 5 years to generate an upgrade, we are all very suspicious about the code quality of MS Windows.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  27. Of course? by SuperKendall · · Score: 3, Insightful

    This has nothing to do with whether or not holes will be maliciously exploited by some; of course they will be.

    Of course? Why would that be?

    Some holes disclosed previously have, for example, included flaws in the OS X SSH daemon. You might think that would make a great target to exploit, except that it doesn't ship enabled by default - so the universe of computers you are going to be able to reach with a remote attack is exceedingly small. Thus, even though there's an exploit you probably would not see one for that hole.

    Similarly other exploits previously disclosed have been in areas you can only reach by penetrating the OS in the first place, or gaining admin access. Again this initial effort to reach that position makes writing exploits more trouble than it's worth.

    So generically, you cannot say that every hole automatically leads to a malicious exploit. If that were true, there actually would be viruses and malware for OS X today.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  28. why not EndNote? by derniers · · Score: 1

    It's only an application but maybe he could do EndNote in February (it's the shortest month and he may need the rest of the year for Vista), he could easily find a bug a day in that most despised piece of software (which unfortunately has no substitute), I find one most every day without trying......... of course, if he called customer support to report a bug he would be put on hold for the whole month

  29. The implication against Oracle? by Saanvik · · Score: 1

    I haven't seen any posting that backs up the implication that Oracle did something to halt the "Week of Oracle Database Bugs". I think it's more likely, as others have said, that the researcher just couldn't meet the goals of that project.

    Clearly he had issues, otherwise why ask for help, and why do a week instead of 30 days, as the other projects have been?

    Does anyone have anything approaching proof to show that Oracle intimidated or otherwise caused the previous project to halt?

  30. security guru? by toby · · Score: 1

    If he's sitting on remote exploits for OS X, we might as well get them out in the open.

    As others have pointed out, it's pretty difficult to make your OS X system vulnerable. Many home and corporate users are already behind a router. The others can tighten their software firewall and disable unnecessary services.

    That leaves the usual attack vectors, Outlook and IE... uh wait... Mail.app and Safari. Even if he has some remote exploit against standard mail client and browser, unless this stunt suddenly changes the character of incoming spam, I don't see that having much effect on end users. I still think Apple's best response is to make lemonade.

    Whatever they do, they can't do worse than MS (delay, denial, and more defects).

    --
    you had me at #!
  31. stunt will probably backfire by toby · · Score: 1

    They'll probably come out of this looking foolish, whatever Apple does.

    Thirty exploits for OS X would be quite a find - and if they have them, let's get them outed; OS X users aren't in as much danger from this as people around here are trying to claim.

    --
    you had me at #!
  32. There are bugs in Oracle? by drew · · Score: 1
    In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.

    Maybe he just couldn't find enough for a whole week?
    --
    If I don't put anything here, will anyone recognize me anymore?
  33. Riddled, With Bugs by bughunter · · Score: 1
    Q: What's worse than finding a bug in your Apple?

    A: Finding half a bug!

    --
    I can see the fnords!
  34. Awe-inspiring ease? by Anonymous Coward · · Score: 0
    and the Software Update function works extremely well to roll out updates with an awe-inspiring ease.

    Will you mac-heads stfu already? You don't need to put fruity icing on your comments to make Apple sound any more godlike. We get it. If OS X were any more phallic in nature, you'd be sucking on it all day long. Enough.
  35. Sounds like a busy month for you, Dave. by Zhe+Mappel · · Score: 1
    Brian Krebs seems to have some kind of fascination with "proving" that Mac OS X is "insecure" while simultaneously accusing Apple of using strong-arm tactics to try to silence critics. . . What should be "interesting" to see isn't whether or not Apple "does anything" to "scuttle" the project; it will be whether Apple has previously had any chance to respond to any of the issues that will be disclosed.

    Wow--I don't know how "you" do "it," "Dave." Even your preemptive spin on the month-of-bugs makes my iBook feel snappier!

  36. Re:Irresponsible behavior for security professional by Anonymous Coward · · Score: 0

    Security worker? These are independent researchers donating time. When you get a free lunch, don't whine about the menu. Ignore them if you like; it'll result in your beloved corporate getting compromised by "unprofessional" people who are smarter and less ignorant than you.

  37. fair test? by v1 · · Score: 1

    each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

    Is it fair to say you are testing the operating system, and then discuss bugs in, say, Safari? Do we beat on Word bugs when we are discussing Windows security?

    Applications run in userland; a bug in a user application is not likely to compromise the machine nearly as far as a bug in the OS. For the purposes of this January test, I will be discounting anything that is not an actual OS bug. (Now, if a bug in an app is allowed to escalate into the OS through a hole in the OS or a bad design of the OS's API, then yes, we can beat on that all day long, and should.)

    --
    I work for the Department of Redundancy Department.
  38. If it is anything like recent history... by SkiifGeek · · Score: 1

    If it is anything like the recent 'exploits' targeting the platform, then it is possible that the whole month will be taken up with vulnerable InputManagers, variations on the MachOMan PoC from ROY.G.BIV, vulnerabilities in third party code that is not enabled by default (such as against the installed PHP version), or vulnerabilities in image processing code (something that some researchers are focussing on).

    All of these are known about and relatively trivial to uncover. Finisterre has received coverage in the past for claiming that he has numerous OS X vulnerabilities that Apple are refusing to acknowledge, and LMH's MoKB effort seemed to have an unhealthy focus on OS X (and there is debate over the effectiveness of some of those disclosed vulnerabilities and analysis).

    Announcing this project via Brian Krebs, instead of on security mailing lists and disclosure sites, appears to be nothing more than self-promotion. This does nothing to help those who are opposed to this project, or these researchers, but is more than likely to lead to a major flamefest and could end up like the disclosure of the 'Remote Apple Wireless vulnerability' disclosed at the Black Hat Briefings in August - a small grain of truth, but a huge slab of self-promotion and wild-ass guessing to follow up.

  39. Reason by Kancept · · Score: 1

    He did offer a reason, and it was embedded in the binary background of the letter stating he was closing the site. It stated that Oracle sued. Should go check the comments in the article for that for a rundown on how to obtain it.

  40. Not just a good idea by d_54321 · · Score: 1

    An excellent idea.

    Just imagine if /. hosted a "Month of /. Bugs".

    Wouldn't that be a fun trip into humility?