Patch/Configuration Management, Vulnerability Management

New Year’s resolution? Publish a month of Mac bugs

Mac OS X will be the focus of the next month-of-bugs project, scheduled to kick off Jan. 1, a leading security blog reported today.

According to Brian Krebs' Security Fix blog in The Washington Post, the "Month of Apple Bugs" project is aimed at exposing and creating awareness around security holes in Mac OS X that will lead to better future security. The project is being conducted by a researcher who uses the handle LMH and Kevin Finisterre, the former head of research and development at SNOSoft and the publisher of several Mac bugs.

Gartner analyst John Pescatore told today that the project may force enterprises to demand better patching processes for platforms other than Windows. In addition, it proves that all operating systems - regardless of their market share - are subject to vulnerabilities and should be patched as soon as possible.

"There's nothing about Macintosh that says their code has fewer vulnerabilities than Windows," he said. "It's just that nobody has pounded on it, because even if you did and launched an attack, you wouldn't make any noise."

Researchers' attention is obviously turning to alternative platforms, as evidenced by numerous Apple security updates this year. In November, Apple fixed 31 vulnerabilities, including a fix for a dangerous wireless driver flaw that was reported by security researcher H.D. Moore in November's "Month of Kernel Bugs" project, which also included reports from LHM.

January's initiative also follows the "Month of Browser Bugs" project, led by Moore in July.

An Argentine security firm's plans to launch "The Week of Oracle Database Bugs" were scrapped over fears the database giant might cut off ties with the firm's customers.

Vendors have been critical of the projects when they are not first notified of the vulnerabilities.

"It's important to emphasize that something like this is irresponsible disclosure," John Viega, McAfee's vice president and chief security architect, told today. "Apple is not being given a chance to address (these bugs). I think that's a huge detriment to their customers."

An Apple spokesperson could not be reached for comment today.

Click here to email reporter Dan Kaplan.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.