Linked by Thom Holwerda on Wed 20th Dec 2006 10:08 UTC
A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X or in Apple applications that run on top of it. The 'Month of Apple Bugs' project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias 'LMH'. This is the same researcher who in November ran the 'Month of Kernel Bugs' project. LMH's partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said.
Thread beginning with comment 194555
Is there any value in this?
by flanque on Wed 20th Dec 2006 10:44 UTC
flanque Member since: 2005-12-15

I'm having trouble seeing value in this "project". Is the point to demonstrate that Apple products have security vulnerabilities? We already know they do. Is the point to show that Apple doesn't patch them? We already know they're not entirely up to date on this. Is the point to try and make Apple step up a gear in security? Maybe.

In the end, I don't believe the means justify the end. Why should innocent end users be potentially exposed to risks just because one individual feels the need to take an entire month to drag out releasing these problems, particularly when Apple are not being given prior notice?

It's not like these things just fall on your lap ready for projects like these. They take time and research. By the time the final one is obtained to total the number of days for the month, how long was the first one sitting with the project organiser? Isn't this exposing people to risks by keeping them to oneself? Doesn't this action in itself constitute a lack of concern for security?

I wonder how much will be "earnt" through website ads as people visit each day to see what's next?

This smells of grandstanding and ego power tripping. If one is seriously interested in improving the security of a product there are far more prudent methods.

Edited 2006-12-20 10:50

RE: Is there any value in this?
by mrhasbean on Wed 20th Dec 2006 10:54 in reply to "Is there any value in this?"
mrhasbean Member since: 2006-04-03

Or is the Mighty Microsoft Marketing Machine throwing some dollars around to try to help out Vista? I just find the timing of this "project" - to coincide with the public release of Vista - very interesting.

And I agree 100% with the view that by not providing Apple with prior notice this is just a moronic stunt that puts end users at potentially serious risk.

Good on you idiot - may the bugs of a thousand Windows infest your PC...

Score: 0

collywolly Member since: 2006-06-19

If it stops some of the fanboys ranting about their operating system even a little bit, then it does have some value.

Score: 1

RE: Is there any value in this?
by Kroc on Wed 20th Dec 2006 11:05 in reply to "Is there any value in this?"
Kroc Member since: 2005-11-10

Ad-revenue? Meh, at best it'll pay for the bandwidth. If they wanted to make money, they could use any of these 30/1 exploits, put together the first effective Mac malware and sell it underground / use it to pharm.

Nope, this 'exercise' is entirely to massage an ego, nothing less.

Score: 5

flanque Member since: 2005-12-15

Hmm, I didn't consider that aspect. I'll give you that one on the money aspect.

Score: 2

RE: Is there any value in this?
by netpython on Wed 20th Dec 2006 12:42 in reply to "Is there any value in this?"
netpython Member since: 2005-07-06

Well, the point is to educate people who think the bugs patched are the only ones. More likely every piece of software has bugs, flaws and vulnerabilities.

Patching is nice but not enough. It's running behind the facts all the time. More important are the roles of advanced security mechanisms such as SELinux, Grsec, RSBAC and the like to mitigate the effect of a potential exploit.

Edited 2006-12-20 12:43

Score: 4

flanque Member since: 2005-12-15

I guess it'd depend on whom you're trying to educate. If it's the end user, then it's a really selfish way to go about it, as you're exposing them to potential risks. If it's the vendor, like I said there are other ways to go about it. In this instance Apple isn't getting any prior notice.

Score: 2

RE: Is there any value in this?
by Adam S on Wed 20th Dec 2006 13:01 in reply to "Is there any value in this?"
Adam S Member since: 2005-04-01

*Everyone* ought to be **hating** these people. Bringing a bug to light without notifying the manufacturer puts everyone *using* the system at risk. It costs Apple itself nothing, it costs users their security.

In my mind, this is tantamount to hacking, and I can't see any value in it other than ego.

Score: 1

Patch Cycles
by tarpit on Wed 20th Dec 2006 16:06 in reply to "Is there any value in this?"
tarpit Member since: 2006-10-16

Have you guys taken a look at the other "month of" projects? These are great projects to raise security awareness.

Hopefully this will lead Apple to actually have a patch cycle. Often security holes will go as long as or longer than MS's. With no cycle, how can Mac admins expect to implement an effective update strategy?

Score: 1

Wintermute Member since: 2005-07-30

Feel free to feel pissed off, I think this is a fair reaction to the BS marketing employed by Apple about how Windows has a million viruses, while Apple has none.

While you recognize that Apple has its own share of security issues, most Apple fanboys do not. They still consider Apple to be somehow magically secure.

Score: 2

sbergman27 Member since: 2005-07-24

"""
I think this is a fair reaction to the BS marketing employed by Apple about how windows has a million viruses, while Apple has none
"""

In a practical sense, that "marketing" is true. (Well, maybe not a million viruses. Maybe just in the hundreds of thousands.) Why do you have a problem with it?

I'm not a Mac fanboy. The last Apple I owned was a II+.

And I can see the huge difference in Windows' and MacOS' relative security. Why can't you?

Edited 2006-12-20 19:52

Score: 2

Hakime Member since: 2005-11-16

"Feel free to feel pissed off, I think this is a fair reaction to the BS marketing employed by Apple about how windows has a million viruses, while Apple has none.

While you recognize the Apple has its own share of security issues, most Apple fanboys do not. They still consider Apple to be somehow magically secure."

I am sorry but I don't think that you can deny the fact that OS X is virus free. Do you deny that? That's a matter of fact so far. Of course I would agree if you say that it may change, nobody knows!

Now, what is the point of saying that it is BS marketing? What Apple says is true: there is no virus on OS X, again you can't deny it yourself.

Also I really don't think that all Mac users think that their OS is 100% secure. I mean there are very few people who really think so. I guess that this image of Mac users being not aware of security comes from the fact that people think that Mac users are saying that OS X is bulletproof, a 100 percent secure OS. That's not true, Mac users are saying that OS X is more secure, and again this does not have the same meaning as saying that OS X is 100% secure. Being more secure does not imply being 100% secure.

A lot of people like to change what is really about to use it as trolling arguments. You will really find few Mac users saying that OS X is an absolutely secure OS; what they say is that it is more secure than Windows. And it is true, whatever the reason you put behind this matter of fact, this is true!!!!

Well, why is it more secure? Smaller market share? Maybe, it could be one of the reasons.
Is it difficult to create a virus on Mac? Well, that is also true. Remember the story of this concept malware on OS X, Macarena, a few months ago.
The source code of the virus has been distributed, so we could read things like this:

"However, in the source code, Ducklin said the author had expressed what appears to be frustration at trying to make the virus effective on Apple's platform.

Ducklin said: "In the source code, which is a mishmash of stuff, there is a comment where the author says 'so many problems for so little code'. So it does look as though virus writers, fortunately, still have a way to go before they are able to write Mac viruses with the proficiency and fluidity that they can for Windows.
"It doesn't have any of the characteristics of a modern effective or dangerous Windows worm or Trojan, it is a simple appending parasitic infector."
He also revealed Macarena will only affect Intel-based Macs: "This is an Intel specific thing - not Power PC."
However, Ducklin warned the Apple community not to be complacent because although writing malware for the Mac is more difficult than it is for Windows, the users' common sense can be a weak point.
"

This story seems to show us that OS X is more secure (notice again, I said more secure) when it comes to viruses; this is a perfect real situation that is difficult to deny.

(http://software.silicon.com/malware/0,3800003100,39163844,00.htm?r=...)

Of course more secure does not mean that OS X does not have any code flaws; any software as complex as OS X has holes. Finding holes can only make the software more secure as long as the software editor does a good job at fixing them. Here Apple is also doing a rather good job compared to Microsoft; just compare the number of unpatched flaws in Apple software to Microsoft's on the Secunia web site. 9 unpatched flaws in OS X compared to 29 in WinXP Pro. Any reasonable person will conclude that OS X is more secure.

That's just good sense; again I don't say 100% secure (it is obviously not if I look at the Secunia numbers) but it is more secure. Fewer known unpatched flaws make a given software more secure than another software which has more known unpatched flaws. This is just logical!!!!

So again I really don't think that Mac users are saying that OS X is absolutely secure, but they do say that it is more secure, and so far it seems to be true.

Score: 1

StephenBeDoper Member since: 2005-07-06

Perhaps it might be a bit of a wakeup call for those who are blindly advocating "switch to OS X" as a cure-all for contemporary security problems. Not that a wakeup call should be needed for a suggestion that amounts to "Hey, the boat is leaning dangerously to port - let's everyone run over to the starboard side instead, that will fix it."

Score: 3