Mac Developer Mulls Zero-day Security Response

1.6 Beta writes "Landon Fuller, the Mac programmer/Darwin developer behind the 'month of Apple fixes' project, plans to expand the initiative to roll out zero-day patches for issues that put Mac OS X users at risk of code execution attacks. The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches. The article quotes him as saying, 'Perhaps [it could be] the Mac OS equivalent to ZERT,' referring to the Zero-day Emergency Response Team."

Bonzi buddy auto-installer

[User+956]

The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches.

Windows has an auto-updating mechanism for "third-party patches". It's called Internet Explorer.

Arbitrary patch

[MillionthMonkey]

Because the vulnerability allowed the execution of arbitrary code within the JVM via any Java applet, Fuller created a temporary patch for Mac OS X.

Can he write an applet that runs the installer using the vulnerability? That would be really convenient.

Re:Arbitrary patch

[Viceroy+Potatohead]

And that, folks, is the good side of virus writing.

Re:Arbitrary patch

[bendodge]

But - the bad PR would kill his credibility, and cause people distrust third party patches even more.

Re:Arbitrary patch

[Merusdraconis]

Maybe he could get the games company he works for to do it? Their games are in Java.

And it's not like you don't have to spend ages configuring games anyway.

Re:Arbitrary patch

[rbarreira]

Especially if the patch caused any problems for the computer...

Re:Arbitrary patch

[Da+Fokka]

Especially if the patch caused any problems for the computer... Yeah, like breaking the third party auto-update feature.

Quite nice

[yurnotsoeviltwin]

I love the idea of zero day patches, it's very... at the risk of being labeled a fanboi, Apple-ish. I know a lot of people are going to be calling for Microsoft to do something similar, but that's not going to happen just because of the sheer number of patches M$ has to put out. That makes the idea of a zero-day response team even more advantageous to Apple because it would give them yet another advantage over Microsoft that Gates just can't match. Definitely a good move on Apple's part, both for its users and for its marketing.

Re:Quite nice

It's more risky running "zero day patches" than it is waiting a few days for any bugs with said patch to be flushed out.

Re:Quite nice

[AlanS2002]

It shouldn't be a marketing advantage, releasing patches with so little testing onto the general population. Yes patches should be released in a timely manner, but that would just be taking it to opposite extreme.

Re:Quite nice

[loid_void]

What I like is that along with the innovation, Apple continues to think more about the customer than M$, in more ways than one. Fanboy, yup.

Re:Quite nice

[Cysgod]

It's more risky running "zero day patches" than it is waiting a few days for any bugs with said patch to be flushed out. Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

When days become weeks and weeks become months waiting for the official patch to arrive, the risk equation (such as it is) may very well be worth it for some groups of users. Maybe not you, but it's no use foreclosing everyone who might be interested from that possibility. And even beyond that there's the whole Freedom to Tinker thing. I personally found working on some of the MoAB fixes to be fun mental exercise.

Re:Quite nice

[99BottlesOfBeerInMyF]

Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

Do tell, how slow is Apple to fix known security issues? My coworkers have submitted two security bugs to Apple that I know about. Both were local rather than remote, thus posed little risk to the average user. Both were fixed within a few weeks and credited the person who found them. In at least one instance of a more serious security issue Apple turned a fix around in 9 days from disclosure, which is bloody fast or a full dev/qa cycle at any real software company. So you do have some reason for believing Apple is slow to respond to real security concerns, don't you? I'm a bit less inclined to just assume you're right and a little more interested in some citations.

Re:Quite nice

[Cysgod]

Well, one obvious example would be that it's now N days into February and only one of the MoAB bugs has a patch, and there is (as usual per Apple policy) no communication about what's being done with respect to the other bugs. Will they ever get fixed? Are they working on them? Who knows? Certainly not the user community and (again per policy) usually not the person that reported the problem either.

My own experience (DHCP remote root a couple years ago) was that it took 2 1/2 months for a fix during which communications was not insanely great, to put it mildly. Even your own examples (9 days, a few weeks) are more than "a few days" which was the original point being refuted here.

Don't get me wrong, it's good that Apple has stepped up their game, from your examples, and are fixing some things in short order. My own experiences lead me to think this is still the exception rather than the rule. It's hard to make an objective judgement though since the data is generally unavailable outside Apple unless you submit things yourself on a regular basis.

However long they're taking, it's not "a few days" and it may make sense for some people to take action to protect themselves in the interim rather than be hanging in the breeze for an indeterminate period of time.

Re:Quite nice

[99BottlesOfBeerInMyF]

Well, one obvious example would be that it's now N days into February and only one of the MoAB bugs has a patch...

I take it you've never done commercial software development in your life? How exactly would you schedule a dev/qa cycle that gets all the bugs fixed and regression tested so that all the bugs at the beginning of the month and end of the month are fixed at the end of the month a day after the last, official bug is announced? Part of the reason the MoAB is so responsible is that spacing out bugs with one serious one every few days makes it impossible to do this with well tested fixes a responsible vendor would release. You either have to commit to fixing a given set at the beginning, or wait till the end of the month to begin your regression testing. I don't know if the MoAB guys were trying to maximize the window of opportunity for malware writers to exploit these, but they picked a great way if that was their intention. Given the comments they've made and the multiple times evidence of their own illegal exploitation of their bugs prior to publication has show up on their Web site, I sure wouldn't put it past them.

My own experience (DHCP remote root a couple years ago) was that it took 2 1/2 months for a fix during which communications was not insanely great, to put it mildly. Even your own examples (9 days, a few weeks) are more than "a few days" which was the original point being refuted here.

Was it a remote root in the DHCP server on OS X? In which case it is a non-critical issue since that service is off by default and rarely enabled by customers. Still 2.5 months is longer than it should take, under normal circumstances. Was that 2.5 months from the time you submitted it to Apple's bug database? Was is marked as a security issue?

As for "a few days" that was the original claim, but your counter claim was overbalanced in the other direction. It certainly takes more than a few days in most cases to fix and test a release for a large commercial environment. This is something people with experience primarily in open source hobby development don't get. "look a fix made it into CVS in only 4 days" and then it was redone 3 times to fix the instability it accidentally introduced and then after a few weeks of real testing it was pulled into the repositories at real companies that have money on the line.

My own experiences lead me to think this is still the exception rather than the rule. It's hard to make an objective judgement though since the data is generally unavailable outside Apple unless you submit things yourself on a regular basis.

This is true enough and I'd like Apple to go a lot further with providing information about security issues, maybe even paying a bounty for responsibly disclosed bugs from the public. There are a lot of technologies Apple might adopt to make this situation a lot better as well. To date, however, I've found their response to be acceptable, measured by the fact that while they are not some super-secure, locked down distro, they have fixed things before they become a problem for a significant number of their customers.

However long they're taking, it's not "a few days" and it may make sense for some people to take action to protect themselves in the interim rather than be hanging in the breeze for an indeterminate period of time.

This is a matter of debate. What are the chances you will experience problems because of the outstanding vulnerabilities? Partly this depends upon your use profile. What are the chances these interim fixes will cause problems of their own? What are the relative levels of damage likely to occur in either scenario? For the average home user, I'm guessing they are just as well waiting for official fixes, unless a worm or widespread Web page based exploit is spotted in the wild.

no trolls?!

[Noxes+Kaj]

quiet night tonight... not one mac fan boy or anti-mac troll has popped up yet, though im sure its just a matter of time

Re:no trolls?!

[Kangburra]

It's 1pm here, so I was eating lunch! ;-)

I guess I would agree though, MS won't be able to match it, or they'll need to fix the fix. :-)

Re:no trolls?!

[Macgrrl]

They are too busy huging iPhone brochures and feeding up their credit cards.

Re:no trolls?!

I think MOAB story is getting stale. I submitted a story on how MOAB website tried to crash Safari using .jp2 vulnerability and include the comment

<!-- Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper -->

in the HTML code. However, /. didn't bother accepting it.

MOAB includes hack attempt

Re:no trolls?!

For some reason I read "anti-mac" as anti-semitic.
Anyways, your post is a troll in itself, but you knew that didn't you?

Re:no trolls?!

[Cysgod]

quiet night tonight... not one mac fan boy or anti-mac troll has popped up yet, though im sure its just a matter of time Reversing the broken code that people find and figuring out how to patch it can be a great, fun mental exercise if it's something you're interested in. The personal satisfaction from doing that is sometimes offset by all this seemingly inevitable rabblerousing between fanbois and, their complementary particle, anti-fanbois.

When fanbois and anti-fanbois come into contact they emit a special radiation that causes a temporal shift, known informally as "a colossal total waste of time", for anyone who happens to be reading or listening. For example, you're reading a technical thread, then two of these subsentient particles come into contact. They insist on threadjacking your discussion into an us versus them discussion that only tangentially involves the subject at hand and is logically irritating since it represents a false dilemma. As you skip past the messages looking for some meaningful discussion and swearing about the state of technical discourse, you suddenly discover two hours have passed due to the temporal-moronic radiation.

Maybe people could study training Bayesian filters to delete those messages (or just delete the authors).

Re:no trolls?!

[Buelldozer]

I wish I had mod points for you. That was one of the more insightful, and truthful, things I've read all day.

Re:no trolls?!

[Ilgaz]

I guess Slashdot joined some of major IT sites not giving any "advertisement" to MOAB trolls. For example, Slashdot could publicise these idiots having inline jp2 which will make Safari which is a TABBED browser freeze, other script kiddies may link it as their homepage on some zealot fighting sites such as Digg.

BTW it didn't "try" to crash Safari, the default/preinstalled browser of an operating system, a tabbed browser. It actually froze it. It is again, not a security issue but could be a good troll tool.

IMHO if nobody has seen true face of these idiots, they should have seen on day 29.

ps: That JP2 is bad for OS X Finder too, don't keep it in your disk or don't browse that folder with Finder/Path Finder,whatever uses Kakadu jp2 lib.

Re:no trolls?!

They are too busy huging iPhone brochures

When they're done will the brochures be embiggened, then?

This is not a "move on Apple's part"

[daveschroeder]

Apple isn't doing this, and Landon Fuller doesn't have anything to do with Apple, other than having worked there. (And no, conspiracy theorists, he's not doing this at Apple's behest or as part of some coordinated fanboy effort to "make Apple look good".)

What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now. Apple needs to be patching issues in a much more timely manner. Hopefully the outcome of MOAB, things like Fuller's proposal, and other related things will be a real discourse on Apple security response and Mac OS X security.

Re:This is not a "move on Apple's part"

Yeah, because Apple's response to bugs that haven't been reported to them in an intelligent manner TOTALLY sucks.

Re:This is not a "move on Apple's part"

Everything regarding computer security isn't handed over on a silver plate. If the bug is out there and no fix is available Apple needs to react fast. Apple don't seem to offer security advisories for unclosed bugs. Which is troublesome. I don't know Apples official policy but it seems to be "If no fix is available, don't talk about it". Microsoft at least acknowledge bugs and gives it's users advisories on what to do even if it puts the company in bad light (Don't use office). And no, I'm no MS fanboy, haven't used Windows for several years.

Re:This is not a "move on Apple's part"

[Ilgaz]

People who are close to Apple or at least know how company works said they won't rush out untested OS patches/updates just because some idiot file fuzzer (can crash the kernel via broken DMG. http://en.wikipedia.org/wiki/Fuzz_testing

In professional World, people already asks AVID, Adobe, Quark before applying any OS updates or they test it on test machine several days to make sure it won't break their work cycle.

I was only bugged about Quicktime issue (which was exploited at Myspace) and Apple released the update taking the issue serious. http://news.zdnet.co.uk/security/0,1000000189,3928 5593,00.htm

Re:This is not a "move on Apple's part"

Apple response to bugs sucks period.

And the InputManagers hole is *still* open. How long has that been known about?

Re:This is not a "move on Apple's part"

[Chris+whatever]

The problem is, the apple community, meaning the utopian society that thinks they are full proof against viruses, are not making any pressure.

they just cant believe that MAC is not secure so why would the company care, it has been grazing in the field for far too long and has gotten fat and lazy.

Face the fact Job, MAC aint as secure as it was led to believe.

Re:This is not a "move on Apple's part"

[99BottlesOfBeerInMyF]

What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now.

I've heard claims that Apple is not responsive enough before, but never any real support for those claims. They've certainly been fast enough in responding to security bugs we sent them. It would always be nice if they were faster. If they had 1000 people waiting by the phone to instantly work on any security issues that came up, and rolled them out in hours on an unstable branch, well that would be cool. I don't think it is practical though. I'd rather 980 of those people were working full time on new features instead. So how fast is fast enough? I think the measure is, does Apple solve security problems fast enough that the risk to the average user remains negligible. That is to say, do they fix bugs before worms exploiting those vulnerabilities, or widespread viruses are put in the wild? So far, they certainly seem to have done so.

There is another piece to this puzzle as well. In normal practice a researcher finds a bug, reports it to Apple, waits a few weeks, and if they don't hear back or feel Apple is not responding, they publish it to pressure Apple. If Apple is unresponsive regularly, they might shorten that time or disclose immediately. On Apple's part, when they find out about a bug they reproduce it, find the cause, fix it, test the fix, and then publish the fix.

What is the best way to break this process and slow it down, increasing the possibility of a worm without doing anything illegal outright? Well, you can publish bugs immediately, without giving Apple a chance to fix them, then they will be vulnerable for the whole dev/qa cycle. What if, instead of publishing them immediately you intentionally spaced them out and published one every few days? Then a normal dev/QA cycle would have to commit to skipping some of them or wait an entire month before starting the QA cycle. That would be about as good a way to maximize the window for exploitation as possible. Now take a look at the month of Apple bugs, with their lack of prior notification and their intentionally spaced publication. Gee, what a coincidence.

I'm all for Apple improving security and doing more internal audits. I'd be happy if they openly placed a bounty on security related bugs reported to them. I'd be even more happy if they implemented widespread mandatory access controls built into the OS, and open signing framework for trust determination, and a free software repository/registration/update service managed by Apple.

That said, I find their security responses to date, to be perfectly acceptable and I think the MoAB is sensationalist crap, run by very unethical people out to make a name for themselves without regard to the well-being of end users. They are wholly irresponsible and given that they have twice now been caught illegally using vulnerabilities they discovered, prior to publication, I hope they spend 6 months wearing little, electronic, ankle bracelets.

Re:This is not a "move on Apple's part"

You're talking like a true remote hole.

Re:This is not a "move on Apple's part"

[mstone]

Let's drop the cognitive dissonance, shall we?

Vint Cerf recently made a report to the UN committee on internet security. He said that maybe 25% of all computers tied to the internet are infected. We're currently seeing the highest spam levels in the history of the internet, much of which is being sent by botnets that contain thousands or hundreds of thousands of compromised machines. We've gotten to a point in history where 'hundreds of thousands of machines compromised' is no longer a newsworthy fact. It's so freaking common that people just look at it as an unpleasant fact of life.

And right in the middle of that context we have a few tens of millions of Macs that have been running unmolested for years.

I don't give a damn about your abstractions. I don't give a damn about your heuristics. I don't give a damn about your moral indignation that Apple doesn't run its entire business in a way that's consistent with the .3 seconds of what passes for thought that you've put into any given issue. I'm an empericist. I care about what's actually happened.

What's actually happened is that there hasn't been a single large-scale compromise of the Mac platform since the introduction of OS X. What's actually happened is that Apple has been notified of several vulnerabilities over the past few years and has rolled out security updates to address them. In many cases, they've also listed the names of the people who notified them of the problem. What's actually happened is that Apple has continued to develop its security model and has built a whole new set of tools into Leopard that will make OS X even more secure than it is today.

There are exactly three classes of people who try to bang the "Macs are no more secure than Windows, but Mac users are too stupid to care" drum any more:

1. Apple haters
2. Lazy journalists who don't know or care shit about security but know that putting 'Apple' and 'security' in the headlines guarantees sales/page views/etc
3. 'Security researchers' who either have a financial interest in selling AV software or are media-whore wannabees.

Please note that I do not place Landon Fuller in any of those categories. He isn't trying to sell the world the idea that Apple's sky is falling. He's talking about a fairly interesting concept of community involvement in the overall Apple security process.

I happen to disagree with the idea, personally.. IMO the chance of a zero-day patch breaking something is higher than the chance of a Mac getting infected between day zero and the time Apple releases an official patch (and yes, that includes all those issues that have been hanging out there unpatched for years.. show me the number of active exploits in the wild instead of just stuffing another set of panties into the wad currently wedged up your ass). I also see problems with trust and vetting. A MacZERT would presumably do some QA on the patches before distributing them, which leads to the same kinds of delays you get from Apple. And a MacZERT's capacity to look for unwanted side effects would be limited by the fact that outside third parties don't have all the relevant code.

I do see the possibility of large benefits from a community effort to isolate and develop proposed solutions to bugs, since that would help Apple's own security team with some of the heavy lifting. I think Apple could develop a good dialogue with the third-party security community through such a system.

But that has absolutely nothing to do with you. You're just another anti-fanboy out to spew meaningless FUD. The fact that you can't distinguish between "hundreds of thousands of compromised machines in a single botnet" and "no exploit of even a thousand machines over the past five years" means your opinion is too stupid to be taken seriously.

Re:This is not a "move on Apple's part"

[DaggertipX]

While I do find how InputManagers work somewhat troublesome, I have yet to hear of anything actually exploited by this. Because of my concerns I've taken a few precautions (most notably, folder actions to tell me if anything has tried to write to the dir. admittedly, malware could remove those - but I keep an eye on that as a part of normal system maintenance.)
What I wonder, is if it is such a glaring hole, why have I yet to see an exploit target it? Or are there any active in the wild that I just don't know about? If so, please enlighten me...
Beyond that, I personally have found Apple's response to bugs and vulnerabilities to be perfectly reasonable and timely. Faster is always better, but I suppose I would say that they seem "fast enough" with the issues that have been presented thus far.

(My guess is that before it can hook itself in like that, the malware has to find some way to get to my system and execute - which means in order to use this as an attack vector, another exploit would also be required.)

Re:This is not a "move on Apple's part"

[petermgreen]

given how apple seems to encourage use of dmgs for distributing mac files (a mac file is defined here as a file that contains actual information in the resource fork) i'd say a security issue (iirc it was a "crash but potential arbitary code" one) sounds pretty serious to me.

Re:This is not a "move on Apple's part"

Sounds like somebody woke up on the wrong side of the rock.

Re:This is not a "move on Apple's part"

[mstone]

Enh, probably..

But seriously folks, this well has been poisoned. To my mind there are three highlight events associated with the whole, "Mac users need to get off their complacent butts" meme:

1. Symantec published a white paper with essentially that title. Its contents were a bunch of generalizations about complacency being bad and prevention being good.

   About a month later they published another paper that boiled down to, "No, we don't know of any actual Mac exploits in the wild. No, we don't have any signatures for Mac malware in our database. Yes, our software works by looking for signatures of known malware in the database. So yes, our product would be a complete waste of time, money, and computing resources for Mac users as of today. We were speaking generally. Please stop hitting us."

2. David "wants to stab a Mac user in the eye with a cigarette" Maynor.

   I honestly do believe he and Ellch discovered some kind of 802.11b vulnerability in some category of hardware, and only used a Mac in the demostration for the sake of color. I just don't care. The Mac aspect of the issue got hyped so far beyond its legitimate context that they retreated into obfuscation, and to this day we still don't know what actually happened. All that's left is the residue from a cloud of sound and fury that ended up signifying nothing. Plus that one, vastly unprofessional, quote.

3. The Month of Bugs in Third-Party Software That Happens to Run on a Mac, So We'll Blame Them on Apple Anway, Plus the One in Quicktime That Probably Hits More Windows Users than Mac Users.

   Yeah, they found the rtsp:// vulnerability. Bravo. They even found a few more bugs in software Apple actually has some control over. Again, I don't care. Any legitimate security value the project had was outweighed by Finnestere's grandstanding, his decision to take grey-hat disclosure out into the hinterlands between 'charcoal' and 'just plain black', and the ultimately disappointing trickle of actual Apple-as-in-code-written-by-Apple bugs that he managed to stroke out.

Those events have set the context for 'wakeup calls to the Mac fanbois'. Whoever picks up the baton next will either struggle against that heap of bullshit, or will end up adding more. Meanwhile, December's spam level has been estimated at 94% of all email sent for the month, thanks in large part to those hundreds of thousands of infected Windows machines in the botnets. And there are still no widespread exploits against Macs, even in spite of all Finnestere's hard work.

It's time to admit that there's an entire circus parade worth of elephants in the clown car. Preferably before the stupidity gets to the, "yeah, at least 95% of all Windows machines are infected, and no, there hasn't been a single widespread exploit against Macs in the past ten years, but the way you Macs weenies walk around acting like your machines are secure makes me sick," mark.

Re:This is not a "move on Apple's part"

[amagine]

I ... agree...

To much negativety in these boards... Be nice to see some more logical, creative, and/or informed ideas,
instead of the caffeine edged trolling that happens on these boards...

It's a good news piece though, I agree that Apple does need to keep working on security issues.

I am glad to see that there are independant users of Mac OSX that are finding security holes and bringing them to our attention.
This brings strength to any community, fueled of course by contructive communication.

cheers!

Re:Java exploit?

1995 called. They want their joke back.

Unnecessary.

[sakusha]

Almost all of the MOAB bugs have already been patched, including OS fixes by Apple. Some of the application fixes were released within hours of the public announcement of the bug. Yet NONE of those fixes have been linked on the MOAB website.

The normal processes are working. What is NOT working is the MOAB process. If they used the normal procedure of notifying the developers privately, these bugs could have been fixed in days or even hours, before any public disclosure. But that wouldn't achieve what the MOAB hackers wanted. MOAB isn't about security, it's about publicity whoring.

Re:Unnecessary.

[Afecks]

If you think people doing this for publicity is bad, wait until OS X gets enough market share for these vulnerabilities to be bought, sold and used to compromise computers en masse. I don't know about you but I think a worm would be a lot more publicity whoring than disclosing these bugs publicly so they can be fixed. It's a nice wake up call if anything. Mac users need to start taking security seriously before it's too late. Just because you think your operating system is better than (insert other OS here) doesn't mean it's invincible. Apple takes bugs too personally and tries to cover them up quietly to protect their image. Sure the bugs get fixed but which bugs? How do I know they really are fixed? What if they made another mistake? These are reasonable concerns and it shows that Apple is worrying about the bottom line more than the customer. You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general. We really need to get passed blaming how others reveal Apple's mistakes. It's unproductive and harmful to consumers.

Re:Unnecessary.

[landonf]

I wholeheartedly agree with the importance of notifying the vendor -- unfortunately, that's not always done. The point of "0-day" patches is to provide a security option where none currently exists.

Re:Unnecessary.

[Rosyna]

You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

Yeah, that's clearly their intention after you look at the non-apple issues such as the ones in OmniWeb, Transmit, VLC, Flip4Mac, Rumpus, et cetera. Clearly, those are an attack against apple's "flaky technical support".

Re:Unnecessary.

[NetCurl]

Your argument is out of context. You can not compare intentionally malicious methods, like worms, with an intentionally educational or informational which is certainly not a malignant one. In this case, the proper method to do what MOAB is doing is to actually work with the developers directly, or Apple regarding OS issues. They can *also* post them to their site, but to just throw them up there as if they were gotchas....its publicity whoring.

Your argument boils down to bad OS karma. That's pretty weak. Apple doesn't cover up the bugs, they go and fix them quickly and accurately. Apple is worrying about the bottom line more than the customer? Have you ever heard of Microsoft?

And how do you figure OS X is a gaping security hole? Have you even paused for a moment to compare the issues that come out regularly for all OS? This is nothing compared to Windows's issues.

Re:Unnecessary.

It's B for Bugs, not Fixes. But I agree with the fact that MOAB are in it for the media exposure. I know alot more people sitting on MacOSX vulnerabilities that are keeping them to themselves.

Re:Unnecessary.

[Afecks]

What does Microsoft have to do with anything?! Is it possible to stick to talking about your own OS for two seconds? Even if MOAB is publicity whoring it doesn't change the fact that these bugs were real. If someone wanted to do something malicious with them, they could have. Imagine if MOAB never existed and someone else found those bugs. Then what? You expect everyone to dutifully submit them to Apple? Not likely. Eventually someone is going to do something malicious and you better not rely on the "honor system" to stop them. Sure MOAB is a slap in the face to Apple and their customers. So what? Don't buy their t-shirts. Complaining about it won't stop it. You better get used to dealing with this. It's only going to get worse.

Re:Unnecessary.

[rahrens]

You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash...

Oh, yeah, backlash. Is that why they inserted html code into the web page for day 29 that crashes Safari? Complete with a nasty little jibe at "loopers" (whatever that is???)

Complete bullshit.

These guys are only after the same thing Maynor and Ellch were after last summer - notoriety and publicity.

Anything that includes a hidden attack in the code of a web page is unethical, unwarranted, unprofessional and just plain old wrong.

Sure, Apple needs to improve. If I were there, there would be a Zero Day Exploit Team in place and there would have been since the advent of OS X. Even if all they do is mostly sit around with their thumbs in their collective ears, they'd be there to respond at least, if not to actively search for vulnerabilities.

But I'm not and there isn't. But that does NOT excuse childish, unprofessional and unethical pranks.

Re:Unnecessary.

[Ilgaz]

I think it would be also very bad to link to MOAB site to make people's Safari browser freeze with a tab having non submitted webmail waiting?

http://www.isfym.com/site/blog/C65B4D05-6B0F-46AB- 9D15-9B841876FEF1.html

These guys and organised trolls in name of professional developer houses could be one of the worst ones IT industry ever seen.

I don't recall any security "blog" freezing OS default browser to prove their 133t capabilities. I have also heard that jp2 issue is a year old bug which was never publicised for good reasons.

Re:Unnecessary.

I just figured that applied to the "arrogance on the part of the Mac community in general" aspect. Of course, given the nature of multiplatform programs like VLC, I also supposed it was an unspecified and implicit swipe at the open source community in general too.

The whole rationale claimed for MOAB doesn't make much sense when compared to the actual results. They stated lofty principles and justification, but the proof of their claims has been rather weak in implementation.

I think some good will come out of it, but they should have gone through normal channels rather than turning it into a lame stunt that doesn't even apply to Apple half the time. Were this under Windows, it might have been appropriate to call it MOWB (Month of Windows Bugs), but not MOMB (Month of Microsoft Bugs), because people would have quickly pointed out the same thing -- that half the bugs do not apply to the identified vendor, they apply to third parties operating on the same OS platform.

It's stupid to publish bugs in the equivalent of, say, Adobe Acrobat Reader, and then call them "Microsoft bugs".

Re:Unnecessary.

[99BottlesOfBeerInMyF]

These are reasonable concerns and it shows that Apple is worrying about the bottom line more than the customer.

One of the reasons OS X will have better security than any Windows release for the foreseeable future is that Apple's bottom line is directly tied to the satisfaction of their customers. If the average OS X user starts to have problems because of worms, they switch to something else and Apple loses money. There is very little locking people in. You can even just install a new OS on the Mac. Most applications on OS X run on Linux or Windows as well. Most file formats are open and portable. They rely almost entirely on open standards, so the only real incentive to not switch when you buy your next computer, is being happy with the mac you have.

This being the case, if current levels of security become a problem for users, Apple has direct, financial motivation to fix it. Moreover, since Apple can anticipate that could be an issue in the future and since they are not idiots, they already have several security improvements in the works, including MAC and application signing frameworks. Now look at Windows. If security is a problem for users (which it has been for years) what happens? Very little. MS has little motivation as they know most of their customers have no other choice. They are locked in by file formats, applications, closed protocols, and simply by the fact that most users can't get anything else from the local Walmart. As a result, they do very little to actually solve the security problem and instead capitalize upon the market for malware detection. This benefits Apple, in that it provides a big, shiny target to attract malware writers.

You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

Bullshit. The MoAB is quite simply an attempt to profit by making a name, from a couple of disreputable and unethical "researchers." It has nothing to do with Apple's "deceitful practices" whatever you think those are. It is a couple of guys trying to cash in on publicity at the expense of both Apple and the the users. In my experience Apple has always been professional and responsive to security issues and bugs, and progressive in mitigating potential malware. They aren't on the cutting edge of security, but they are ahead of the curve.

Re:Unnecessary.

[Lars+T.]

These guys and organised trolls in name of professional developer houses could be one of the worst ones IT industry ever seen. Yeah, they are real security "experts"

This is not the first time that the MoAB team has had its fun at the expense of users. Those who tried to call not yet released advisories by guessing their file names were treated to extremely disgusting pornographic images. When heise Security reported on the matter and refused to retract its criticism, calling the action "childish", LMH accused Heise of being into "illegal, dishonest, malicious" activities.
He apparently just failed to understand that a German version of the English report had been published hours beforehand and obviously misunderstood the activities of heise readers as a denial-of-service and brute-force attack by the editors. The time frame of the log files published starts after the publication of the German report, and no address is from heise. A polite request to correct the published statements received no reaction.

Re:Unnecessary.

[Ash-Fox]

There is very little locking people in.

Except for

• iTunes' movies (DRM)
• iTunes' music (DRM)
• Microsoft Office (platform dependant)
• iLife (doesn't lock me in, but it has 'locked' some people I know in -- even though they hate OS X)
• Hardware (often not fully supported on other OSes)
• Proprietary file formats, that prevent you from migrating things over (e-mail databases? music labellings [couldn't just use id3 with mp3s for storing all the information that is possible]?)

Re:Java exploit?

1937 called. They have patented that joke.

Re: I agree

Hello Mr. Enderle, your analysis is scintillating as always.

bo-oh-oh-oh-oh-gus!

[Gary+W.+Longsine]

wait until OS X gets enough market share for these vulnerabilities to be bought, sold and used to compromise computers en masse.

Apple sells over five million new systems each year. There are probably about 20 or 25 million systems running Mac OS X right now. The financial incentive to exploit Mac OS X has been plenty high enough for a long time. Botnets are rentable, and people peek at the prices now and then and report on it. I've seen numbers like this several times:

going rate for botnets: the going rate is around the USD$1,000 per hour for as many as 30,000 zombie PC's

If crackers could easily take over Mac OS X systems, they could make lots of money. Clearly, they can't easily own Mac OS X. There are plenty of systems to make it worth their while.

Although I agree that a Mac OS X worm would be bad publicity for Apple, and that Apple could improve the way they handle response to reported security defects, I think they have produced a reasonable track record over the past five years regarding the basic security of Mac OS X. Apple's security track record is due much more to the relatively weaker security of Windows systems than to Windows market dominance. Windows is low hanging fruit, crack-wise. If it were harder to own Windows systems, crackers would switch to Mac OS X in a flash. Crackers don't need to own 20 million systems, they really only need a few thousand at a time.

Re:bo-oh-oh-oh-oh-gus!

haha 5 million, wow slow down there you might get 7% market share next year!

please dont quote numbers in the millions when you fail to put that in perspective. mac's market share is about 6% which means the odds of even finding a mac are very slim. you quote prices as incentives yet you fail to realize that botnet owners are going for the easiest source of income. if you rent a botnet you are probably going to want to run your own attack tools. those are going to be written primarily for windows which means mac bots would be basically WORTHLESS.

please stop lying to yourself and saying that the mac is already a target. it's not, many experts have said as much. cut the bullshit, mac hasn't even begun to be tested and it's already been shown to have this many bugs. it's not looking good. :(

Re:bo-oh-oh-oh-oh-gus!

[Keeper]

To put that number in perspective, roughly 228.6 million PCs were sold last year. Alone. The MacOS population represents a rounding error to the botnet "community."

Re:bo-oh-oh-oh-oh-gus!

[Weedlekin]

"many experts have said as much."

For somebody who took another to task for not putting numbers into context, perhaps you should have qualified the assertion above by stating that the linked article quotes two people, so in this case "many" should be read as "a couple".

Re:bo-oh-oh-oh-oh-gus!

[rahrens]

...botnet owners are going for the easiest source of income.

Yeah, and he DID mention Windows as the "low hanging fruit", did he not? That does translate into the "easiest source of income".

Kinda makes our point. Doesn't matter if the Mac OS has vulnerabilities or not. Doesn't matter if his numbers are right or not. (Which, at the rate of sales per Q1 this year, may well be right.)

The point is, that Windows is so vulnerable, due in large part to lazy or uneducated users failing to patch their systems and running older, vulnerable versions of it that constantly get infected. So who in their right mind wants to learn to write software for a new OS when they can stick to the old tried and true that is still as open as a $10 whore? So the relative numbers are really meaningless, it's the relative vulnerability that really matters.

What more Mac users are beginning to try to get across to Apple, (but are being eclipsed by stunts like these) is that while this may be true now, reducing the Mac OS' exposure to real harmful stuff, as it's market share rises (as it is doing) its attractiveness also rises. By 2008, Apple's market share will be much higher than it is today, and by extension, so will that attraction.

So they need to alter their procedures NOW, not later.

But Microsoft's HUGE vulnerabilities aren't helped by Windows users sticking their heads in the sand, either.

Re:bo-oh-oh-oh-oh-gus!

[Paradise+Pete]

The MacOS population represents a rounding error to the botnet "community."

Except that there's a lot of competition for those WIndows machines. There's none for the OS X machines. So if you can "own" the Macs you own a nice, stable, and extremely rentable fleet of bots.

Re:bo-oh-oh-oh-oh-gus!

[Dare+nMc]

Yeah, and he DID mention Windows as the "low hanging fruit", did he not?

You also fail to mention that at least 3/4 of Windows PC's online are also not part of the low hanging fruit either (ie firewalls, fully patched, educated users, not attached to the internet.)
It (currently) appears Mac's are indeed equaly vulnerable to mostly similar issues, IE users running programs they shouldn't, downloading questionable applications, known vulnerabilites not being patched (by users, and by venders)...

But finding those similar 25% of the Mac users which are only 5% of the web browsing community is obviously going to pay less.

that said I don't find myself defending microsoft often, but apple is not in a different league alltogether in support.

Re:bo-oh-oh-oh-oh-gus!

what the hell are you talking about retard? you're responding to the wrong person I think...

Re:bo-oh-oh-oh-oh-gus!

[rahrens]

EQUALLY? I still don't see that.

The Month of Apple Bugs couldn't even find 30 bugs in the OS itself to fill up a typical month, let alone 31 for the chosen month of January. Just how does that stack up to the huge number of vulnerabilities, exploits, viruses, worms and trojans now hitting even the 1/4 of all PCs you cite?

I'm sorry, but your balance seems just a bit skewed.

Re:bo-oh-oh-oh-oh-gus!

Apple Help Viewer, Safari, iMovie and iPhoto are affected by multiple format string vulnerabilities, related to certain functions from AppKit that have been documented in previous releases.

Looks like your 3 main applications direct from Apple got pwnd along with countless other programs that use the same functions. I think that's enough to let the guys have the last day off just for fun.

Doesn't matter, 30 bugs or 31 bugs. You're not invincible. No matter what the Apple ads told you.

Now feel free to talk bad about Windows so you can feel better. Since that's what it's really about. You don't care if you're secure as long as you're better off than with Windows. Way to set the bar high...

Re:bo-oh-oh-oh-oh-gus!

[rahrens]

None of that changes the fact that your balance, like I noted, is skewed.

Nothing I said claimed that the Mac OS is invincible. You can take your Arty McStrawman back to where you drug him out from under some rock. What does matter is that, on balance, the Mac OS IS less vulnerable than the bug riddled mess that is Windows, which, like has been noted before, is much of the reason why malware writers go after Windows, and not the relative numbers.

Nice try at changing the subject...

Re:bo-oh-oh-oh-oh-gus!

[Keeper]

Even if you take "competition" into account, the disproportionate number of PCs vs Mac available still make the Mac a drastically less attractive target.

arrogance

[Gary+W.+Longsine]

The claim that the "Mac community is arrogant" mystified me until I realized that people who make this claim are probably masking an inferiority complex of some sort. Most Macintosh users don't know enough about computers to be arrogant. They are, if anything, rather meek on the whole. I suspect that IT professionals whose experience is limited to Windows (which is, after all, most of them) resent the honestly dumbfounded looks they get from these fawn-eyed Mac users who innocently say things like, "Why is my computer at work so flakey? I've never had a problem like this on my Mac at home."

It seems more likely to me that the professional IT community, which has backed the wrong horse, is resentful.

Re:arrogance

[Afecks]

I realized that people who make this claim are probably masking an inferiority complex of some sort.

I can assure you that is not the case. I consider myself a Linux user above all else. As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on slashdot. It seems that every post about OS X security or Apple's business practices ends with "but-but-but Windows!". That comes off as arrogant to me. I know there are plenty of exceptions. Just don't claim that I feel burned by Microsoft (see what I mean?) and I'm lashing out. I've made a living off a picking Windows security apart. They've been nothing but good for my business.

Re:arrogance

[LKM]

As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on slashdot. It seems that every post about OS X security or Apple's business practices ends with "but-but-but Windows!".

Yeah, well, same applies to posts about Linux, and about Windows. Newsflash: n% of all people are idiots. That applies to Mac users as well as to Linux or Windows users.

Re:arrogance

[Lars+T.]

I realized that people who make this claim are probably masking an inferiority complex of some sort.

I can assure you that is not the case. I consider myself a Linux user above all else. So you can't be arrogant because you use Linux?

Re:arrogance

[Kesh]

As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on slashdot.

If our opinion of humanity was based on comments posted to Slashdot, I think we'd have all shot ourselves by now.

iPhone a public fiasco?

[Gary+W.+Longsine]

Uhm... in case you hadn't noticed, everyone who uses a cell phone in the United States is talking about the Apple iPhone. I'd say the current status of the iPhone is more like: "the most insanely successful publicity coup that has ever been executed by a corporation for a single product."

Yeah, right...

[vought]

The former engineer in Apple's BSD Technology Group

Not sure I'd trust zero-day patches from a guy who couldn't hack it working for Avie.

Just sayin'.

Re:Java exploit?

I don't think too many people got that joke back when it was referring to the future.

Re:Tools

[Ilgaz]

So you claim Rob Malda, CmdrTaco getting "free powerbook" from Apple to post this story.

It is good to see the profile of MOAB supporters on Slashdot considering the fact that MOAB people aren't much different, they have somehow learned how to fuzz files, use gdb or use jp2 to freeze Safari on public pages.

Re:Tools

[rahrens]

I can see by the drivel you spout why you did it while hiding your identity...

Apt-get?

[MECC]

auto-updating mechanism for the third-party patches.

He's going to port apt-get to OS X?

I call BS

[jpellino]

On this and the MOAB claims that Apple doesn't fix bugs that are reported thru the official channels.

Show us specific, documented examples of bug reports sent to Apple that they have refused to address.

If MOAB doesn't like the attitudes of some users, then go kick some tires. But exhaust the official channels with Apple or 3d party developers, be professional, or you're going to be dismissed by professionals as dangerous and immature.

Instead, they've come out swinging at not only the Mac community that apparently makes them upset, but also - and more specifically and personally (some quite sick) at the professionals who have been addressing and provising solutions. They've even denigrated Apple for the time taken to provide fixes for the QT issues. Apple has to certify a fix to an OS and underlying technology - not just put fingers in eyes.

Re:Java exploit?

[Hal_Porter]

If only. I use an unbelievably slow Java application every day. It takes two minutes or so to start, and a 30 seconds to a minute or so each time it needs to do any database access.

The odd thing about the IT industry is that the more obviously flawed an idea, the more likely corporate people will decide to base their in house applications on it. A short list - ActiveX controls in webpages, Java anywhere but a webpage, MFC applications based on Document View architecture, and a host of other technologies that are either flat out horrible or just used way outside their natural habitat. All of them are used in some internally written application in every big company I've worked for. These things never get rewritten.

Whereas good technologies that I read about like Taos, or ACE workstations with MIPS processors or the Roadrunner OS, seemed to disappear without being used by anyone.

I guess it's kind of like trolling - if you come up with a nice sensible idea, no one remembers it. One that has design quirks that encourages flamewars between it's zombie fanboys and the rest of the industry will become famous enough to be adopted. Not to take over the industry mind you, just to get used in a few terrible in house applications.

Whereas vxWorks for example, which is an elegant design implemented efficiently has virtually died out.

Too late!

[LanMan04]

He's going to port apt-get to OS X? He's too late.

Good idea, but needs support it won't get

[ScooterComputer]

I don't see why this shouldn't be done. In fact, it makes a lot of sense for all platforms. Create a third party mechanism by which users/admins can patch Zero day/unpatched flaws that relies on a community effort to provide the patches. Simple. Except it really needs the support of the OS vendor, because at some point, when the vendor releases the patch, you'd want to be able to "turn off" the temporary one. You'd also need an agreed upon "Master List" of vulns, for tracking purposes.

You'd think that this kind of hand-in-hand cooperation would be a no-brainer, but I doubt it. Companies (here's looking right at Apple) still just haven't wrapped their heads around the open exchange of ideas; they are afraid that admitting flaws makes them -look- bad. Ewwww, poor coders. But in reality I think everyone who uses computers by this point in time KNOWS flaws happen...it isn't that they will happen, it has become what are you gonna do about it? And it is pure arrogance by the OS vendors to think that neither the community has the ability to create these patchs nor that the users/admins are interested in them.

Really this is a thing that OS vendors should aspire to, integrating this kind of response mechanism into their existing Software Update suite would be a Good Thing.

Artie strikes again!

[LKM]

It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

Yeah... Although I think it's mostly Artie MacStrawman who's responsible for the Mac community's bad image.

Re:Fuller Fuller Of It

Nobody cares, LMH.

Re:Tools

Nobody cares, LMH.

Welchia - learn from its mistakes

[bill_mcgonigle]

And that, folks, is the good side of virus writing.

If you're going to do this, please put a sleep statement in between your 'attacks'. Welchia worked but made no attempt to throttle network connections, swamping every network segment where it was active, and Microsoft's sites as well. If it had taken on one machine every fifteen minutes on a segment, nobody probably would have noticed.

Re: I agree

Well, let's see. The Apple TV product starts shipping this month. The Apple 802.11n base station with multiple shared network disks and printers connected via USB 2.0 is already shipping. Apple's iPhone is a product known by everyone and it is not even scheduled for release until June. Apple's stock reached an all-time high in Apple's history just a little over 2 weeks ago and is holding steady at a reasonable 15% decline after profit taking. No, I would say you desperately want Apple's stock to do poorly for some reason, but you can't really come up with a compelling scenario.