Hacker: Month of Apple Bugs project good for security

The hacker responsible for the upcoming "Month of Apple Bugs" project (MoAB), in which one Mac OS X flaw will be publicly posted each day during January, today defended his undertaking to SCMagazine.com.

L.M.H., the online alias used by the hacker also behind the "Month of Kernel Bugs" campaign in November, said in an email that the new project is aimed at attracting much improved security collaboration to the Mac platform.

"Few people (have) done significant work around it, and many innovations have been added and features have changed, thus there's a lot to be done now," he said. "Many things (need) to be reviewed, checked, and worked on. And with the new version coming soon, there will be even more ground for further research."

Mac OS X v.10.5, codenamed "Leopard," is due out in spring 2007, published reports have said.

L.M.H. added that Apple's Mac advertising campaign, which portrays Macs as superior to PCs in terms of security, may have "discouraged" vulnerability research.

Apple did not return telephone calls seeking comment today.

L.M.H.'s remarks follow McAfee's chief security architect telling SCMagazine.com on Tuesday that he believed MoAB is not fair to Apple and its customers.

"It's important to emphasize that something like this is irresponsible disclosure," John Viega, McAfee's vice president and chief security architect, said. "Apple is not being given a chance to address (these bugs). I think that's a huge detriment to their customers."

Microsoft voiced a similar outcry in July, when security researcher H.D. Moore launched his "Month of Browser Bugs" project, which exposed many Internet Explorer vulnerabilities.

But L.M.H., who is joined on the new project by Kevin Finisterre, the former head of research and development at SNOSoft and the publisher of several Mac bugs, believes too many vendors and developers get away with silent fixes.

"Irresponsible disclosure is a rather flawed term," he said. "What's responsible disclosure? Letting a random vendor cheat over you and your work and then pretend it's meaningless or not worth their time, or not a problem, covering it with a bunch of euphemisms?"

As an example, he referred to the recently patched Apple QuickTime vulnerability, exploited on the social networking site MySpace, that led users to a pornographic website containing spyware.

Click here to email Dan Kaplan.