Month of Apple Bugs Debuts in January
An anonymous reader writes "A pair of security researchers has picked January 2007 as the Month of Apple Bugs, a project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it. According to a post over at The Washington Post's Security Fix blog, the project is being put together by researchers Kevin Finisterre and the guy who ran November's Month of Kernel Bugs project." From the post: "It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation."
I'm all in favor of taking Apple to task for failing to fix a bunch of bugs, but releasing detailed information to the public without notifying the vendor first is simply irresponsible. The only reason it's being done this way is shameless self-promotion: if Apple fixed all the bugs in advance, then they'd have nothing left to show for their month of Apple bugs, so people wouldn't freak out about it.
In short, their goal isn't really to get these bugs fixed ASAP; their goal is to spread fear and panic. If the bugs get fixed eventually, that's just icing on the cake. The problem with this is that it could cause some real problems for Mac network admins out there, many of whom don't have a lot of extra time to deal with unpatched security holes. If it was just a matter of "sticking it to Apple", that would be one thing, but this will affect a lot of innocent victims.
Yes, I'm a Mac user. No, that isn't why I feel this way; Microsoft should get advance notice too.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Month of Homeland Security Vulnerabilities!
The places where terrorists could do the absolute most damage if they were to strike within the next few hours!
Taking guns away from the 99% gives the 1% 100% of the power.
Memo to Apple PR: Work with this guy. Simply ensure that each bug identified is fixed ASAP, and issue a press release about it. This lets you capture and keep the high ground by showing that you care more about security and quality than the competition does. Up for it?
Memo to toby: We don't negotiate with terrorists.
--Steve
I don't oppose making the bugs public at all. But I do think this needs to be done in a fair manner.
Specifically:
Pre-release software is not a fair target. It's under NDA, and is bound to have a bunch of issues. Apple has a system in place for dealing with 10.5 issues.
Posting without giving Apple advance notice is fine, but forcing Apple to deal with potentially thousands of reports from readers isn't.
This really falls under the category of "duh." A bug report that can't be reproduced is simply not worth much (although it isn't entirely worthless).