Mac Developer Mulls Zero-day Security Response

1.6 Beta writes "Landon Fuller, the Mac programmer/Darwin developer behind the 'month of Apple fixes' project, plans to expand the initiative to roll out zero-day patches for issues that put Mac OS X users at risk of code execution attacks. The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches. The article quotes him as saying, 'Perhaps [it could be] the Mac OS equivalent to ZERT,' referring to the Zero-day Emergency Response Team."

This is not a "move on Apple's part"

[daveschroeder]

Apple isn't doing this, and Landon Fuller doesn't have anything to do with Apple, other than having worked there. (And no, conspiracy theorists, he's not doing this at Apple's behest or as part of some coordinated fanboy effort to "make Apple look good".)

What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now. Apple needs to be patching issues in a much more timely manner. Hopefully the outcome of MOAB, things like Fuller's proposal, and other related things will be a real discourse on Apple security response and Mac OS X security.

Re:This is not a "move on Apple's part"

[99BottlesOfBeerInMyF]

What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now.

I've heard claims that Apple is not responsive enough before, but never any real support for those claims. They've certainly been fast enough in responding to security bugs we sent them. It would always be nice if they were faster. If they had 1000 people waiting by the phone to instantly work on any security issues that came up, and rolled them out in hours on an unstable branch, well that would be cool. I don't think it is practical though. I'd rather 980 of those people were working full time on new features instead. So how fast is fast enough? I think the measure is, does Apple solve security problems fast enough that the risk to the average user remains negligible. That is to say, do they fix bugs before worms exploiting those vulnerabilities, or widespread viruses are put in the wild? So far, they certainly seem to have done so.

There is another piece to this puzzle as well. In normal practice a researcher finds a bug, reports it to Apple, waits a few weeks, and if they don't hear back or feel Apple is not responding, they publish it to pressure Apple. If Apple is unresponsive regularly, they might shorten that time or disclose immediately. On Apple's part, when they find out about a bug they reproduce it, find the cause, fix it, test the fix, and then publish the fix.

What is the best way to break this process and slow it down, increasing the possibility of a worm without doing anything illegal outright? Well, you can publish bugs immediately, without giving Apple a chance to fix them, then they will be vulnerable for the whole dev/qa cycle. What if, instead of publishing them immediately you intentionally spaced them out and published one every few days? Then a normal dev/QA cycle would have to commit to skipping some of them or wait an entire month before starting the QA cycle. That would be about as good a way to maximize the window for exploitation as possible. Now take a look at the month of Apple bugs, with their lack of prior notification and their intentionally spaced publication. Gee, what a coincidence.

I'm all for Apple improving security and doing more internal audits. I'd be happy if they openly placed a bounty on security related bugs reported to them. I'd be even more happy if they implemented widespread mandatory access controls built into the OS, and open signing framework for trust determination, and a free software repository/registration/update service managed by Apple.

That said, I find their security responses to date, to be perfectly acceptable and I think the MoAB is sensationalist crap, run by very unethical people out to make a name for themselves without regard to the well-being of end users. They are wholly irresponsible and given that they have twice now been caught illegally using vulnerabilities they discovered, prior to publication, I hope they spend 6 months wearing little, electronic, ankle bracelets.

Re:Quite nice

[AlanS2002]

It shouldn't be a marketing advantage, releasing patches with so little testing onto the general population. Yes patches should be released in a timely manner, but that would just be taking it to opposite extreme.

Re:Quite nice

[Cysgod]

It's more risky running "zero day patches" than it is waiting a few days for any bugs with said patch to be flushed out. Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

When days become weeks and weeks become months waiting for the official patch to arrive, the risk equation (such as it is) may very well be worth it for some groups of users. Maybe not you, but it's no use foreclosing everyone who might be interested from that possibility. And even beyond that there's the whole Freedom to Tinker thing. I personally found working on some of the MoAB fixes to be fun mental exercise.

Unnecessary.

[sakusha]

Almost all of the MOAB bugs have already been patched, including OS fixes by Apple. Some of the application fixes were released within hours of the public announcement of the bug. Yet NONE of those fixes have been linked on the MOAB website.

The normal processes are working. What is NOT working is the MOAB process. If they used the normal procedure of notifying the developers privately, these bugs could have been fixed in days or even hours, before any public disclosure. But that wouldn't achieve what the MOAB hackers wanted. MOAB isn't about security, it's about publicity whoring.

Re:Unnecessary.

[Rosyna]

You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

Yeah, that's clearly their intention after you look at the non-apple issues such as the ones in OmniWeb, Transmit, VLC, Flip4Mac, Rumpus, et cetera. Clearly, those are an attack against apple's "flaky technical support".

arrogance

[Gary+W.+Longsine]

The claim that the "Mac community is arrogant" mystified me until I realized that people who make this claim are probably masking an inferiority complex of some sort. Most Macintosh users don't know enough about computers to be arrogant. They are, if anything, rather meek on the whole. I suspect that IT professionals whose experience is limited to Windows (which is, after all, most of them) resent the honestly dumbfounded looks they get from these fawn-eyed Mac users who innocently say things like, "Why is my computer at work so flakey? I've never had a problem like this on my Mac at home."

It seems more likely to me that the professional IT community, which has backed the wrong horse, is resentful.

Re:Quite nice

[99BottlesOfBeerInMyF]

Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

Do tell, how slow is Apple to fix known security issues? My coworkers have submitted two security bugs to Apple that I know about. Both were local rather than remote, thus posed little risk to the average user. Both were fixed within a few weeks and credited the person who found them. In at least one instance of a more serious security issue Apple turned a fix around in 9 days from disclosure, which is bloody fast or a full dev/qa cycle at any real software company. So you do have some reason for believing Apple is slow to respond to real security concerns, don't you? I'm a bit less inclined to just assume you're right and a little more interested in some citations.