Slashdot Mirror


Month of Apple Bugs Debuts in January

An anonymous reader writes "A pair of security researchers has picked January 2007 as the Month of Apple Bugs, a project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it. According to a post over at The Washington Post's Security Fix blog, the project is being put together by researchers Kevin Finisterre and the guy who ran November's Month of Kernel Bugs project." From the post: "It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation."

24 of 171 comments

  1. Some thoughts and considerations by daveschroeder · · Score: 4, Insightful

    Brian Krebs seems to have some kind of fascination with "proving" that Mac OS X is "insecure" while simultaneously accusing Apple of using strong-arm tactics to try to silence critics. (Note: going after people for leaking confidential information is not the same as a situation in which people are making security issues known.)

    Every reasonable person on the planet already knows, and has known, that every OS has bugs, vulnerabilities, and security issues, and Mac OS X is no exception. The simple, undeniable truth is that for a variety of reasons, including marketshare and the security architecture of the OS, Mac OS X is a far more secure general purpose desktop operating system for most users than any viable alternative. There is almost zero malware of any kind "in the wild", no malware with vectors for mass propagation, and little with ANY kind of propagation capability whatsoever. And contrary to popular opinion among some, Apple does indeed respond to, and fix, security vulnerabilities, including crediting the discoverer(s) when said person or entity provides Apple with enough information to verify the issue. It has continuously and consistently improved on this front, mostly as a result of working with people in the enterprise and academic communities (e.g., Apple University Executive Forum and MacEnterprise.org). There is always room for improvement, but we have seen Apple make marked progress in disclosing, accurately describing, and fixing vulnerabilities in Mac OS X. As with most commercial vendors, Apple does not comment on security issues before they are fixed. So don't expect Apple to make public statements and explanations of any kind until after a particular vulnerability is addressed.

    What should be "interesting" to see isn't whether or not Apple "does anything" to "scuttle" the project; it will be whether Apple has previously had any chance to respond to any of the issues that will be disclosed. If not, this little project doesn't prove anything at all, other than that every operating system, Mac OS X included, has bugs. (Duh?) What's important is the general security architecture, practical security state-of-affairs on the platform, and how the vendor responds to issues. I'll be far more interested to see how and when Apple responds to the issues raised, and if it properly "triages" the issues and handles them accordingly (on this note, I predict that people will complain Apple is taking "too long" to fix some of the issues, when in reality it is devoting programming and testing and QA resources to the issues in the order of importance and impact).

    1. Re:Some thoughts and considerations by gravesb · · Score: 3, Insightful

      I also think the quality of the bugs will be interesting. If all 30 bugs are show stoppers, then there are some serious underlying issues that should be addressed. If, however, they are insignificant or extremely contrived (this application can install malware if the user types in the admin password), then won't it really be an admission that the parties involved can't find critical security holes? (Not that they don't exist; it's almost impossible to prove a negative in general, and that one specifically.) It should be good for Apple regardless, in that major holes are ID'd and can be fixed, or their security reputation is improved.

      --
      http://bgcommonsense.blogspot.com
    2. Re:Some thoughts and considerations by Incongruity · · Score: 4, Insightful

      (I'm not a mac fanboy, but I play one on slashdot)

      I also think the quality of the bugs will be interesting. If all 30 bugs are show stoppers, then there are some serious underlying issues that should be addressed.
      And I totally agree. If there are bugs, better to have them out there and then fixed than it is to have them be obscure pieces of knowledge that a motivated few will use for their gain.

      In the end, a month of OS X bugspotting can only be a good thing, IMHO.

    3. Re:Some thoughts and considerations by BarryJacobsen · · Score: 2, Insightful

      What if the reason they haven't been fixed is because some asshat is waiting for a publicity stunt to reveal 30-some exploits that have been found instead of giving them the information to fix them NOW. Somehow, if this was any field other than computers, I think people would look at this very differently: I have some information about cancer and can give a formula that almost any scientist could turn into a working cure given a reasonable amount of time, but I'm going to wait a few weeks and then release part of the information every day for a month on my website (don't forget to click the banner ads!).

    4. Re:Some thoughts and considerations by Abcd1234 · · Score: 3, Insightful

      Except that, thus far, OSX has proven itself to be far less bug-ridden, out of the box, than any MS product. If, in five years, Apple has proven to be as unreliable as MS, you can bet people will be complaining just as loudly about them.

    5. Re:Some thoughts and considerations by Trillan · · Score: 5, Insightful

      I don't oppose making the bugs public at all. But I do think this needs to be done in a fair manner.

      Specifically:

      1. Bugs should be in Mac OS X 10.4 (or possibly 10.3).
        Pre-release software is not a fair target. It's under NDA, and is bound to have a bunch of issues. Apple has a system in place for dealing with 10.5 issues.
      2. All bugs should be reported to Apple via Radar.
        Posting without giving Apple advance notice is fine, but forcing Apple to deal with potentially thousands of reports from readers isn't.
      3. The web and Radar report should both include steps to reproduce.
        This really falls under the category of "duh." A bug report that can't be reproduced is simply not worth much (although it isn't entirely worthless).
    6. Re:Some thoughts and considerations by Anonymous Coward · · Score: 1, Insightful

      How many people have bothered to write something for an OS with ~ 4% of the market share when there is a whole 96% out there waiting to be owned, apparently no one. There has been one attempt at a rudimentary Trojan recently, but OS X goes largely unexploited, and for good reasons - too much work with little gain.

      The same could easily have been said of Unix and VMS circa 1993, yet those platforms saw enormous and successful efforts at subversion. If the 4% Mac market includes some very profitable data -- and judging by how many security researchers use Macs, it does -- it will be targeted. Either the blackhats can in general always subvert OS X but have universally agreed not to say so, or they can on average only get into a few of the systems they try to get into. I personally feel it's more the latter, but that is just opinion.

      Most of the malware is now propagated by users themselves. For example, they find a "helpful" toolbar that says: "Download this great new toolbar!" The user clicks OK and they are owned. There is NOTHING to prevent this from happening on OS X, except for the fact that no one has bothered, yet. This issue isn't so much the technology as it is user education. Don't get me wrong, Windows makes it "easier" to exploit the system once you get user consent since there is really no privilege partitioning. However, it is abundantly clear from stories that computer users are at fault when they get infected. Frequently we'll hear: "I did X, Y and Z and then the computer started acting funny!" The key being that the user actually did something to cause the infection.

      We would need some decent statistics to assert "most"; however, all of the Windows users *I* have seen who have gotten hosed did the following: go onto college campus, activate wireless, get hosed by Windows virus propagating over the wireless. The Windows users among my friends and family do not execute files from the Internet, but they do view pictures, and due to how Windows operates those are the same thing.

      I think maybe you should reexamine the reasons for the perceived sense of security afforded by OS X. I think it has less to do with technology and more to do with smarter users and a disinterest from the people who might want to own your machine.

      We sort of agree: for a serious enough attacker, *all* machines are vulnerable in some fashion, exactly as all cars can be stolen. However, I disagree and think that OS X is quite a bit more secure than Windows, possibly in the same ballpark as desktop Linux but not quite OpenBSD, and not just because the market share is lower. OS X, Linux, BSD, etc. are designed for multi-user operation and have benefited from a long (and embarrassing) history of penetration testing going back before the Internet Worm of 1988. Even the X11 GUI has a full-featured security system in place -- nearly no one makes full use of it because the defaults are sane on modern distros.

    7. Re:Some thoughts and considerations by ceoyoyo · · Score: 2, Insightful

      Your argument has some merit, but the difference between zero wild exploits for OS X and what, 150,000 or something, for Windows would indicate there's something more going on than market share.

      Sure, OS X gets shielded because it's not as common, but total protection? I think being built on UNIX, already having security features that MS is building into Vista, separating user accounts and root, all incoming ports closed by default and not having your web browser and mail client allowed to do whatever they want probably have a lot to do with it.

    8. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      So it's okay if (and I'm not suggesting this is the case) you design something with severe holes all over the place, as long as you fix them when it's brought to your attention? You might want to tell all the "Windoze Haters" here. Apparently this is not acceptable.

      You've presented a false dichotomy. It is unreasonable for a developer to create insecure, bug-ridden software, with no testing, unless it is unlikely for other reasons that that software will be compromised (only running on an internal net or something). For a consumer grade desktop, it is reasonable for a company to do a level of testing and design that keeps their product reasonably secure in the real world. Normally, this would be a non-issue, since any product that did not meet these criteria would fail in the market, but one monopoly dominates the desktop OS space and is being leveraged into the server space. In this, I don't think anyone can fault Apple as their product is very rarely compromised, as compared to the other offerings in the market. That is the first issue, dealing with bugs not known by the designers, but which perhaps should be.

      The other set of bugs are bugs the vendor knows about, but does not fix anyway. Within a company it is hard to say how many of these exist, but I've been told by former employees MS fixes about half of the security bugs that are reported internally. Further, MS has a poor track record fixing bugs that are known publicly as well. Apple has a pretty good track record with public bugs (not perfect, but good) and I don't know about internal bugs.

      I much prefer my OS vendor to be proactive, not reactive, to security.

      I much prefer my security vendor to be both, in a balanced fashion. It is good to audit code and design securely, but it is also good to react quickly to known, public threats that probably present more risk.

    9. Re:Some thoughts and considerations by 99BottlesOfBeerInMyF · · Score: 2, Insightful

      Because none has been written? How many people have bothered to write something for an OS with ~ 4% of the market share when there is a whole 96% out there waiting to be owned, apparently no one.

      This is an unsupported assertion. Logically, just because there are no propagating worms does not imply that no one has tried and failed to create one.

      There has been one attempt at a rudimentary Trojan recently, but OS X goes largely unexploited, and for good reasons - too much work with little gain.

      If it is "too much work" then you've strongly implied that OS X is fundamentally more secure than Windows, since it is basically no work to make a Windows worm. As for the gain, some worms are still written for reasons of prestige, which the first real OS X worm would create a lot of. For financial gain, some recent worms have begun data mining and Macs have lots of valuable financial data, especially as compared to the average Windows box, many of which are pirated installs running in China or something. Finally, worm authors generally try to spread as much as possible and to new platforms. Adding another exploit to the 6 your worm uses on Windows, will hit those same vulnerable Windows boxes for little return compared to adding one that hits OS X. There have been Linux/Windows cross-platform bugs... why not OS X?

      It doesn't help that OS X actually uses a real programming language for the OS - this for the most part helps to keep the script kiddies out.

      This is one way, some of OS X is more secure, fundamentally, than Windows.

      Here is the thing - when and if OS X gains a reasonable amount of market share, you can be sure that it, and its users, will become a target.

      OS X users are a target for worms now, just not an easy one. More people will try to exploit it as it gains market share, but not just for the reason you imply. One of the reasons OS X is not targeted as much is because malware authors have a fairly limited skill set, much of which is very Windows centric. As more malware authors become mac users, more will also target the mac, in addition to the increased number of potential victims and easier propagation.

      What I think many people do not realize is that Microsoft is now trying to deal with protecting users from themselves.

      This is a very counter-productive attitude for a security person. Blame is irrelevant to good security, only results matter. You can say that an infection is wholly the user's fault for running an untrusted binary. You can just as logically say the OS failed because it did not provide a good mechanism that let a user safely run an untrusted binary. Since running untrusted binaries is a huge part of what users want/need to do, I think it is unreasonable to blame them for doing this; rather I blame the OS for being designed to accommodate the wrong tasks. I'm not sold on Windows' solution to this and I think it has some serious design flaws at present, but in general I think this needs to be addressed.

      Most of the malware is now propagated by users themselves.

      My personal data and all the presentations at security conferences I saw this year fail to support this assertion. Most malware spreads via user interaction, if you're just counting malware variants. If, however, you're looking at infections, most are the result of malware that requires no action from the user. These worms spread faster and more widely than malware that relies upon user interaction.

      For example, they find a "helpful" toolbar that says: "Download this great new toolbar!" The user clicks OK and they are owned. There is NOTHING to prevent this from happening on OS X, except for the fact that no one has bothered, yet.

      There are several things on OS X that mitigate this. First, all the holes that let a download auto execute an arbitrary binary have been quickly plugged. Second, when a user runs a binary for the first time, they are made aware that it is a program and warned and given t

    10. Re:Some thoughts and considerations by kwerle · · Score: 3, Insightful

      Can you think of any possible reason why...

      You have a memory smasher on Intel that either behaves differently or correctly on PPC.

      That's the one that jumps first to mind...

  2. In response to these great efforts by Anonymous Coward · · Score: 1, Insightful

    I will be posting his credit card numbers at a rate of one a day. I am curious to see how he responds and if he is able to patch his wallet for each.

    It is not up to this schmuck to prioritize Apple's development tasks. If something he publishes goes wild and affects my company, he will find himself in litigation.

    1. Re:In response to these great efforts by Anonymous Coward · · Score: 1, Insightful

      It is not up to this schmuck to prioritize Apple's development tasks.

      If Apple chose to not prioritize security issues, what's that got to do with this guy? They should catch the bugs themselves.

      If something he publishes goes wild and affects my company, he will find himself in litigation.

      Because APPLE screwed up and shipped software with security holes? Why not sue Apple?

      (And please, don't tell me that all software has security holes. If that's your attitude you've lost the game already.)

  3. Irresponsible by Phroggy · · Score: 5, Insightful

    I'm all in favor of taking Apple to task for failing to fix a bunch of bugs, but releasing detailed information to the public without notifying the vendor first is simply irresponsible. The only reason it's being done this way is shameless self-promotion: if Apple fixed all the bugs in advance, then they'd have nothing left to show for their month of Apple bugs, so people wouldn't freak out about it.

    In short, their goal isn't really to get these bugs fixed ASAP; their goal is to spread fear and panic. If the bugs get fixed eventually, that's just icing on the cake. The problem with this is that it could cause some real problems for Mac network admins out there, many of whom don't have a lot of extra time to deal with unpatched security holes. If it was just a matter of "sticking it to Apple", that would be one thing, but this will affect a lot of innocent victims.

    Yes, I'm a Mac user. No, that isn't why I feel this way; Microsoft should get advance notice too.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Irresponsible by jellomizer · · Score: 1, Insightful

      No, you point to the security updates to prove there were holes. And you tell them there is a good chance you will get more. Also, if a guy is going around claiming that holes don't exist, just put him in the same group of people who believe man didn't go to the moon, or that macro-evolution is a myth. Fixing the bug before it is a problem is better than just trying to prove some wacko wrong.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Irresponsible by Anonymous Coward · · Score: 1, Insightful

      So you favour security by obscurity. Personally, I don't, and this is the reason: if I'm not aware that an application or OS I administer is currently open to remote attack, then I can't defend it against attack. If I am aware, then I can take necessary steps to hinder an attack while I wait for the patch; standard procedure. I am not for publishing full exploit scripts and putting attack tools on the net, but I would like to know sufficient details to help me in security. Details like which port, what can happen, a helpful segment of code payload, etc.

      Publishing data like this isn't to spread fear and panic; maybe they want to do that, I don't know, but publishing info on security risks is standard. As long as they notify the original company or programmers and give them reasonable time, then nothing is happening out of the ordinary. Is there some special reason you want Mac users to not be aware of security holes in their system and to drag on the length of time they are at risk from a remote attack? If a researcher can figure out an attack, there are people out there who don't tell anyone what they have discovered except in IRC channels with bad reputations. That's why I believe security through obscurity works so well for the criminal element.

      And defending network admins who leave systems unpatched... Lazy isn't a good reason for anything. Patching OSes and keeping on top of what's secure and what's not is part of the job. And what's this "if Apple fixed all the bugs in advance"? I'm sure they tried, I'm sure people believe that phrase, but it's not reality, at all, they didn't, no OS has to date, so I find it a pretty big if... if we all used PSI powers instead of computers we also wouldn't be talking about Apple OS security... so what.

  4. Hint to Apple PR: you can make hay from this by toby · · Score: 3, Insightful

    Memo to Apple PR:
    Work with this guy. Simply ensure that each bug identified is fixed ASAP, and issue a press release about it. This lets you capture and keep the high ground by showing that you care more about security and quality than the competition does. Up for it?

    Just remember, where the big bad guys see "little people to be silenced," others see "opportunity."

    --
    you had me at #!
    1. Re:Hint to Apple PR: you can make hay from this by tonywong · · Score: 4, Insightful

      That just escalates this guy's standing and position in the 'newsy' community. Why would you want to build his fame and fortune for him? You pander to his fancies of being a security guru and he will hold you hostage with a 'security review' every time he needs a PR boost.

      Ignore this guy and keep doing things the way they've been done. It has been responsive and working.

  5. Hmm, January 2007... by kiltyj · · Score: 3, Insightful

    Isn't something else happening in the OS world... near the end of the month, maybe?

  6. I disapprove by Sloppy · · Score: 4, Insightful

    I have to admit I sometimes waffle on my opinion regarding disclosing to vendors first, versus disclosing to the whole world simultaneously. Both approaches have some advantage.

    This approach does not.

    If the goal of disclosing to the whole world is to give users a chance to defend themselves (since it is assumed that black hats may already know about these holes, and may already be exploiting them) then why delay until January?! And why dole out the information one bug, one day, at a time?

    By delaying, you gain the disadvantage of vendor-only disclosure: today's users aren't getting the information to at least try to protect themselves from exploits that are possible right now.

    Best-case, you also may get the advantage of vendor-only disclosure. Maybe Apple has been told about these bugs and has had an opportunity to address them. But the article doesn't say that. We just don't know. So that's a best case, and the worst case is that we'll get the disadvantage of simultaneous public disclosure: the script kiddies get to start exploiting the bugs right away, while the users have to wait for a fix from a big clumsy vendor. And that's not counting the intentional delay, where people might be exploiting the bug between now and the disclosure.

    This is a bad idea, no matter which camp you're in (exception: black hats).

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    1. Re:I disapprove by MetaKey · · Score: 3, Insightful
      "Maybe Apple has been told about these bugs and has had an opportunity to address them. But the article doesn't say that. We just don't know."

      Actually, yes, we do know.

      FTFA: "As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message."

      It's a childish and self-centered move on the part of "LMH" to NOT inform the vendor. Apparently, he is more concerned about puffing himself up than with security or the well-being of the computing community.

      Actually, in the short term "LMH" is seriously compromising security. Ethical behavior is to open a dialog with the vendor. If the vendor does not participate in the dialog and demonstrate a good-faith effort to fix the reported vulnerabilities then make the vulnerabilities public.

      But, of course, that doesn't get you your 15 minutes of fame..

  7. stipulated to be true by fermion · · Score: 2, Insightful
    We can accept the following as a given:
    • Every system has bugs
    • Some bugs will result in the creation of security issues
    • Bugs that do not result in the creation of security issues or other user problems will be ignored
    • If an exploit does not exist in the wild, the developer will claim a fix for the bug can be deferred
    • If a developer is secretly alerted to a bug, the developer will claim the fix can be deferred because the bug is secret
    • If a white hat hacker has found a bug, then someone else probably has as well
    • Just because an exploit is not known does not mean that it does not exist and is just waiting for release
    • Hackers that release bug lists are just looking for attention and friends

    Given all of these varied assumptions, there is no simple answer to the reporting of bugs. There is really no reason to keep the bugs secret, as that does a disservice to the customers and allows the manufacturer to postpone a fix. If the issue is serious, then it will get out anyway, and the sooner the fix the better. By making the bug public, the developer can openly discuss the issue and justify the action or inaction.

    In the end the only shitty thing to do is sit on a bunch of bugs and then release them en masse. This of course is going to overwhelm the developer, and expose a bunch of issues that cannot be quickly fixed. It is not only an attack on the developer, but an attack on the innocent users. I have no problem with hackers releasing bugs as they are found, but building up an arsenal is something that only black hats would do.

    As far as whether a particular OS is secure, this probably has more to do with the quality of code rather than error rate. Even quality code will have errors. The difference is that quality code is written in such a way that side effects are minimized by clearly defined interfaces and domains of data. This leads to code that can be easily fixed without the problem of a change affecting many other unrelated systems. Ever since we were told that MS Windows cannot function without IE or WMP, and it took 5 years to generate an upgrade, we are all very suspicious about the code quality of MS Windows.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  8. Re:Test of a common theory! by uhlume · · Score: 2, Insightful
    Vista's security system at least in the betas could be bypassed by changing an entry in the registry. That's secure?
    ...And *NIX's security system can be bypassed by chmod -R 666'ing /etc, adding all users to wheel/sudoers, and/or...well, really, any number of ways. That's secure?

    Oh wait, yeah, it is.

    It goes without saying that any administrator knowledgeable enough to change system settings (particularly those which aren't exposed for easy access) has the capability and the potential to change them to something stupid. So long as the defaults are sane for people who wouldn't know from a registry entry or a group file, who cares?

      Next up though will be the intelligent and secure file system. A filesystem that deals with users and permissions on its own, preventing access to files without authorization.

    Now you're just stringing words together for fun without regard to meaning. Do you have even the foggiest notion of how filesystems are actually implemented? What are you trying to describe, and how is it different from EXT3 or NTFS or any even remotely modern kernel-level filesystem?
    --
    SIERRA TANGO FOXTROT UNIFORM
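The comment above makes the point that a *NIX install is only as secure as its defaults survive the administrator: a `chmod -R 666 /etc` or a wheel group containing every account undoes the design without touching a single bug. The script below is an added example, not part of the Slashdot thread or any commenter's words: a small POSIX shell audit that flags exactly those two conditions. The directory layout, group file contents and account names it builds in `demo_setup` are constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Slashdot thread): audit a configuration tree
# and a group file for two self-inflicted wounds -- config files that any
# local user can write (the result of "chmod -R 666 /etc") and an admin
# group stuffed with every account. All paths, group names and file
# contents below are constructed in demo_setup for the demo.

# Print the number of regular files under $1 whose "other" write bit is set.
# -perm -002 is the portable (octal) spelling of -perm -o+w.
count_world_writable() {
    find "$1" -type f -perm -002 | wc -l | tr -d ' '
}

# List the world-writable regular files under $1, one per line, sorted.
list_world_writable() {
    find "$1" -type f -perm -002 | sort
}

# Print the comma-separated member field of group $2 from group file $1.
group_members() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Print how many accounts are listed in group $2 of group file $1
# (0 when the group is absent or has no explicit members).
count_group_members() {
    members=$(group_members "$1" "$2")
    if [ -z "$members" ]; then
        echo 0
    else
        printf '%s\n' "$members" | tr ',' '\n' | wc -l | tr -d ' '
    fi
}

# Build a throwaway etc/ with sane permissions and an over-populated wheel
# group (constructed demo data). Echoes the path of the new tree.
demo_setup() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc"
    printf 'root:x:0:\nwheel:x:10:root,alice,bob,carol,dave\nusers:x:100:\n' \
        > "$tmp/etc/group"
    printf 'PermitRootLogin no\n' > "$tmp/etc/sshd_config"
    printf 'root ALL=(ALL) ALL\n%%wheel ALL=(ALL) ALL\n' > "$tmp/etc/sudoers"
    chmod 644 "$tmp/etc/group" "$tmp/etc/sshd_config"
    chmod 440 "$tmp/etc/sudoers"
    echo "$tmp"
}

main() {
    root=$(demo_setup)
    echo "sane defaults: $(count_world_writable "$root/etc") world-writable file(s) under etc"
    echo "wheel members: $(count_group_members "$root/etc/group" wheel) (root plus four users can sudo)"

    # The misconfiguration from the comment, applied to the files only.
    # A literal "chmod -R 666 /etc" also strips the execute bit from the
    # directory itself, which locks every non-root process out of /etc.
    chmod 666 "$root"/etc/*
    n=$(count_world_writable "$root/etc")
    echo "after chmod 666: $n world-writable file(s) under etc"
    list_world_writable "$root/etc" | sed 's/^/  /'
    [ "$n" -eq 0 ] || echo "FAIL: configuration (including sudoers) is writable by any local user"
    rm -rf "$root"
}

main "$@"
```

Run it as an ordinary user; no root is needed because it only inspects a tree it created itself. Pointing `count_world_writable` at the real `/etc` and `count_group_members` at `/etc/group` with the platform's admin group (`wheel` on BSD-derived systems and Mac OS X, `sudo` or `admin` on some Linux distributions) turns the demo into a quick sanity check that the sane defaults the comment relies on are still in place.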
  9. Of course? by SuperKendall · · Score: 3, Insightful

    This has nothing to do with whether or not holes will be maliciously exploited by some; of course they will be.

    Of course? Why would that be?

    Some holes disclosed previously have, for example, included flaws in the OS X SSH daemon. You might think that would make a great target to exploit, except that it doesn't ship enabled by default - so the universe of computers you are going to be able to reach with a remote attack is exceedingly small. Thus, even though there's an exploit you probably would not see one for that hole.

    Similarly other exploits previously disclosed have been in areas you can only reach by penetrating the OS in the first place, or gaining admin access. Again this initial effort to reach that position makes writing exploits more trouble than it's worth.

    So generically, you cannot say that every hole automatically leads to a malicious exploit. If that were true, there actually would be viruses and malware for OS X today.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley