Mac Developer Mulls Zero-day Security Response

1.6 Beta writes "Landon Fuller, the Mac programmer/Darwin developer behind the 'month of Apple fixes' project, plans to expand the initiative to roll out zero-day patches for issues that put Mac OS X users at risk of code execution attacks. The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches. The article quotes him as saying, 'Perhaps [it could be] the Mac OS equivalent to ZERT,' referring to the Zero-day Emergency Response Team."

Bonzi buddy auto-installer

[User+956]

The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints an an auto-updating mechanism for the third-party patches.

Windows has an auto-updating mechanism for "third-party patches". It's called Internet Explorer.

Arbitrary patch

[MillionthMonkey]

Because the vulnerability allowed the execution of arbitrary code within the JVM via any Java applet, Fuller created a temporary patch for Mac OS X.

Can he write an applet that runs the installer using the vulnerability? That would be really convenient.

This is not a "move on Apple's part"

[daveschroeder]

Apple isn't doing this, and Landon Fuller doesn't have anything to do with Apple, other than having worked there. (And no, conspiracy theorists, he's not doing this at Apple's behest or as part of some coordinated fanboy effort to "make Apple look good".)

What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now. Apple needs to be patching issues in a much more timely manner. Hopefully the outcome of MOAB, things like Fuller's proposal, and other related things will be a real discourse on Apple security response and Mac OS X security.

Re:This is not a "move on Apple's part"

[99BottlesOfBeerInMyF]

What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now.

I've heard claims that Apple is not responsive enough before, but never any real support for those claims. They've certainly been fast enough in responding to security bugs we sent them. It would always be nice if they were faster. If they had 1000 people waiting by the phone to instantly work on any security issues that came up, and rolled them out in hours on an unstable branch, well that would be cool. I don't think it is practical though. I'd rather 980 of those people were working full time on new features instead. So how fast is fast enough? I think the measure is, does Apple solve security problems fast enough that the risk to the average user remains negligible. That is to say, do they fix bugs before worms exploiting those vulnerabilities, or widespread viruses are put in the wild? So far, they certainly seem to have done so.

There is another piece to this puzzle as well. In normal practice a researcher finds a bug, reports it to Apple, waits a few weeks, and if they don't hear back or feel Apple is not responding, they publish it to pressure Apple. If Apple is unresponsive regularly, they might shorten that time or disclose immediately. On Apple's part, when they find out about a bug they reproduce it, find the cause, fix it, test the fix, and then publish the fix.

What is the best way to break this process and slow it down, increasing the possibility of a worm without doing anything illegal outright? Well, you can publish bugs immediately, without giving Apple a chance to fix them, then they will be vulnerable for the whole dev/qa cycle. What if, instead of publishing them immediately you intentionally spaced them out and published one every few days? Then a normal dev/QA cycle would have to commit to skipping some of them or wait an entire month before starting the QA cycle. That would be about as good a way to maximize the window for exploitation as possible. Now take a look at the month of Apple bugs, with their lack of prior notification and their intentionally spaced publication. Gee, what a coincidence.

I'm all for Apple improving security and doing more internal audits. I'd be happy if they openly placed a bounty on security related bugs reported to them. I'd be even more happy if they implemented widespread mandatory access controls built into the OS, and open signing framework for trust determination, and a free software repository/registration/update service managed by Apple.

That said, I find their security responses to date, to be perfectly acceptable and I think the MoAB is sensationalist crap, run by very unethical people out to make a name for themselves without regard to the well-being of end users. They are wholly irresponsible and given that they have twice now been caught illegally using vulnerabilities they discovered, prior to publication, I hope they spend 6 months wearing little, electronic, ankle bracelets.

Re:This is not a "move on Apple's part"

[mstone]

Let's drop the cognitive dissonance, shall we?

Vint Cerf recently made a report to the UN committee on internet security. He said that maybe 25% of all computers tied to the internet are infected. We're currently seeing the highest spam levels in the history of the internet, much of which is being sent by botnets that contain thousands or hundreds of thousands of compromised machines. We've gotten to a point in history where 'hundreds of thousands of machines compromised' is no longer a newsworthy fact. It's so freaking common that people just look at it as an unpleasant fact of life.

And right in the middle of that context we have a few tens of millions of Macs that have been running unmolested for years.

I don't give a damn about your abstractions. I don't give a damn about your heuristics. I don't give a damn about your moral indignation that Apple doesn't run its entire business in a way that's consistent with the .3 seconds of what passes for thought that you've put into any given issue. I'm an empericist. I care about what's actually happened.

What's actually happened is that there hasn't been a single large-scale compromise of the Mac platform since the introduction of OS X. What's actually happened is that Apple has been notified of several vulnerabilities over the past few years and has rolled out security updates to address them. In many cases, they've also listed the names of the people who notified them of the problem. What's actually happened is that Apple has continued to develop its security model and has built a whole new set of tools into Leopard that will make OS X even more secure than it is today.

There are exactly three classes of people who try to bang the "Macs are no more secure than Windows, but Mac users are too stupid to care" drum any more:

1. Apple haters
2. Lazy journalists who don't know or care shit about security but know that putting 'Apple' and 'security' in the headlines guarantees sales/page views/etc
3. 'Security researchers' who either have a financial interest in selling AV software or are media-whore wannabees.

Please note that I do not place Landon Fuller in any of those categories. He isn't trying to sell the world the idea that Apple's sky is falling. He's talking about a fairly interesting concept of community involvement in the overall Apple security process.

I happen to disagree with the idea, personally.. IMO the chance of a zero-day patch breaking something is higher than the chance of a Mac getting infected between day zero and the time Apple releases an official patch (and yes, that includes all those issues that have been hanging out there unpatched for years.. show me the number of active exploits in the wild instead of just stuffing another set of panties into the wad currently wedged up your ass). I also see problems with trust and vetting. A MacZERT would presumably do some QA on the patches before distributing them, which leads to the same kinds of delays you get from Apple. And a MacZERT's capacity to look for unwanted side effects would be limited by the fact that outside third parties don't have all the relevant code.

I do see the possibility of large benefits from a community effort to isolate and develop proposed solutions to bugs, since that would help Apple's own security team with some of the heavy lifting. I think Apple could develop a good dialogue with the third-party security community through such a system.

But that has absolutely nothing to do with you. You're just another anti-fanboy out to spew meaningless FUD. The fact that you can't distinguish between "hundreds of thousands of compromised machines in a single botnet" and "no exploit of even a thousand machines over the past five years" means your opinion is too stupid to be taken seriously.

Re:Quite nice

[AlanS2002]

It shouldn't be a marketing advantage, releasing patches with so little testing onto the general population. Yes patches should be released in a timely manner, but that would just be taking it to opposite extreme.

Re:Quite nice

[Cysgod]

It's more risky running "zero day patches" than it is waiting a few days for any bugs with said patch to be flushed out. Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

When days become weeks and weeks become months waiting for the official patch to arrive, the risk equation (such as it is) may very well be worth it for some groups of users. Maybe not you, but it's no use foreclosing everyone who might be interested from that possibility. And even beyond that there's the whole Freedom to Tinker thing. I personally found working on some of the MoAB fixes to be fun mental exercise.

Re:no trolls?!

I think MOAB story is getting stale. I submitted a story on how MOAB website tried to crash Safari using .jp2 vulnerability and include the comment

<!-- Never use the macbook at bed again when browsing the MoAB or you will fry your balls, looper -->

in the HTML code. However, /. didn't bother accepting it.

MOAB includes hack attempt

Unnecessary.

[sakusha]

Almost all of the MOAB bugs have already been patched, including OS fixes by Apple. Some of the application fixes were released within hours of the public announcement of the bug. Yet NONE of those fixes have been linked on the MOAB website.

The normal processes are working. What is NOT working is the MOAB process. If they used the normal procedure of notifying the developers privately, these bugs could have been fixed in days or even hours, before any public disclosure. But that wouldn't achieve what the MOAB hackers wanted. MOAB isn't about security, it's about publicity whoring.

Re:Unnecessary.

[landonf]

I wholeheartedly agree with the importance of notifying the vendor -- unfortunately, that's not always done. The point of "0-day" patches is to provide a security option where none currently exists.

Re:Unnecessary.

[Rosyna]

You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.

Yeah, that's clearly their intention after you look at the non-apple issues such as the ones in OmniWeb, Transmit, VLC, Flip4Mac, Rumpus, et cetera. Clearly, those are an attack against apple's "flaky technical support".

Re:no trolls?!

[Cysgod]

quiet night tonight... not one mac fan boy or anti-mac troll has popped up yet, though im sure its just a matter of time Reversing the broken code that people find and figuring out how to patch it can be a great, fun mental exercise if it's something you're interested in. The personal satisfaction from doing that is sometimes offset by all this seemingly inevitable rabblerousing between fanbois and, their complementary particle, anti-fanbois.

When fanbois and anti-fanbois come into contact they emit a special radiation that causes a temporal shift, known informally as "a colossal total waste of time", for anyone who happens to be reading or listening. For example, you're reading a technical thread, then two of these subsentient particles come into contact. They insist on threadjacking your discussion into an us versus them discussion that only tangentially involves the subject at hand and is logically irritating since it represents a false dilemma. As you skip past the messages looking for some meaningful discussion and swearing about the state of technical discourse, you suddenly discover two hours have passed due to the temporal-moronic radiation.

Maybe people could study training Bayesian filters to delete those messages (or just delete the authors).

bo-oh-oh-oh-oh-gus!

[Gary+W.+Longsine]

wait until OS X gets enough market share for these vulnerabilities to be bought, sold and used to compromise computers en masse.

Apple sells over five million new systems each year. There are probably about 20 or 25 million systems running Mac OS X right now. The financial incentive to exploit Mac OS X has been plenty high enough for a long time. Botnets are rentable, and people peek at the prices now and then and report on it. I've seen numbers like this several times:

going rate for botnets: the going rate is around the USD$1,000 per hour for as many as 30,000 zombie PC's

If crackers could easily take over Mac OS X systems, they could make lots of money. Clearly, they can't easily own Mac OS X. There are plenty of systems to make it worth their while.

Although I agree that a Mac OS X worm would be bad publicity for Apple, and that Apple could improve the way they handle response to reported security defects, I think they have produced a reasonable track record over the past five years regarding the basic security of Mac OS X. Apple's security track record is due much more to the relatively weaker security of Windows systems than to Windows market dominance. Windows is low hanging fruit, crack-wise. If it were harder to own Windows systems, crackers would switch to Mac OS X in a flash. Crackers don't need to own 20 million systems, they really only need a few thousand at a time.

arrogance

[Gary+W.+Longsine]

The claim that the "Mac community is arrogant" mystified me until I realized that people who make this claim are probably masking an inferiority complex of some sort. Most Macintosh users don't know enough about computers to be arrogant. They are, if anything, rather meek on the whole. I suspect that IT professionals whose experience is limited to Windows (which is, after all, most of them) resent the honestly dumbfounded looks they get from these fawn-eyed Mac users who innocently say things like, "Why is my computer at work so flakey? I've never had a problem like this on my Mac at home."

It seems more likely to me that the professional IT community, which has backed the wrong horse, is resentful.

Re:arrogance

[Afecks]

I realized that people who make this claim are probably masking an inferiority complex of some sort.

I can assure you that is not the case. I consider myself a Linux user above all else. As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on slashdot. It seems that every post about OS X security or Apple's business practices ends with "but-but-but Windows!". That comes off as arrogant to me. I know there are plenty of exceptions. Just don't claim that I feel burned by Microsoft (see what I mean?) and I'm lashing out. I've made a living off a picking Windows security apart. They've been nothing but good for my business.

Re:no trolls?!

[Ilgaz]

I guess Slashdot joined some of major IT sites not giving any "advertisement" to MOAB trolls. For example, Slashdot could publicise these idiots having inline jp2 which will make Safari which is a TABBED browser freeze, other script kiddies may link it as their homepage on some zealot fighting sites such as Digg.

BTW it didn't "try" to crash Safari, the default/preinstalled browser of an operating system, a tabbed browser. It actually froze it. It is again, not a security issue but could be a good troll tool.

IMHO if nobody has seen true face of these idiots, they should have seen on day 29.

ps: That JP2 is bad for OS X Finder too, don't keep it in your disk or don't browse that folder with Finder/Path Finder,whatever uses Kakadu jp2 lib.

Apt-get?

[MECC]

auto-updating mechanism for the third-party patches.

He's going to port apt-get to OS X?

Too late!

[LanMan04]

He's going to port apt-get to OS X? He's too late.

Good idea, but needs support it won't get

[ScooterComputer]

I don't see why this shouldn't be done. In fact, it makes a lot of sense for all platforms. Create a third party mechanism by which users/admins can patch Zero day/unpatched flaws that relies on a community effort to provide the patches. Simple. Except it really needs the support of the OS vendor, because at some point, when the vendor releases the patch, you'd want to be able to "turn off" the temporary one. You'd also need an agreed upon "Master List" of vulns, for tracking purposes.

You'd think that this kind of hand-in-hand cooperation would be a no-brainer, but I doubt it. Companies (here's looking right at Apple) still just haven't wrapped their heads around the open exchange of ideas; they are afraid that admitting flaws makes them -look- bad. Ewwww, poor coders. But in reality I think everyone who uses computers by this point in time KNOWS flaws happen...it isn't that they will happen, it has become what are you gonna do about it? And it is pure arrogance by the OS vendors to think that neither the community has the ability to create these patchs nor that the users/admins are interested in them.

Really this is a thing that OS vendors should aspire to, integrating this kind of response mechanism into their existing Software Update suite would be a Good Thing.

Re:Quite nice

[99BottlesOfBeerInMyF]

Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.

Do tell, how slow is Apple to fix known security issues? My coworkers have submitted two security bugs to Apple that I know about. Both were local rather than remote, thus posed little risk to the average user. Both were fixed within a few weeks and credited the person who found them. In at least one instance of a more serious security issue Apple turned a fix around in 9 days from disclosure, which is bloody fast or a full dev/qa cycle at any real software company. So you do have some reason for believing Apple is slow to respond to real security concerns, don't you? I'm a bit less inclined to just assume you're right and a little more interested in some citations.