Slashdot Log In
Month of Apple Bugs - First Bug Unveiled
Posted by
Zonk
on Tue Jan 02, 2007 09:45 AM
from the apple-must-be-so-proud dept.
from the apple-must-be-so-proud dept.
ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"
Related Stories
[+]
IT: Month of Apple Bugs Debuts in January 171 comments
An anonymous reader writes "A pair of security researchers has picked January 2007 as the Month of Apple Bugs, a project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it. According to a post over at The Washington Post's Security Fix blog, the project is being put together by researchers Kevin Finisterre and the guy who ran November's Month of Kernel Bugs project." From the post: "It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation."
[+]
Month of Apple Fixes 177 comments
das writes "On the same day as the launch of the Month of Apple Bugs (MOAB) (blog), Landon Fuller, a programmer, Darwin developer, and former engineer in Apple's BSD Technology Group, has launched an effort to provide runtime fixes for each MOAB issue as they are released. A fix has already been posted for the first MOAB issue."
[+]
Flaw Found in Apple Bug-Fix Tool 168 comments
eldavojohn writes "The Month of Apple Bugs (MOAB) is well under way with a startling bug released Monday. From the description: 'Application Enhancer (APE) is affected by a local privilege escalation vulnerability which allows local users to gain root privileges.' APE is the same software used to deploy fixes during 'The Month of Apple Fixes' (MOAF). I know it's confusing but MOAB came first and MOAF was a developer's answer to the bugs — after all, the purpose of posting bugs is to have them identified, confirmed and eradicated. The article talks about potential remote root access by an intruder. Note that this is third party software that all of the bugs seem to be stemming from. I guess Apple has made a fairly secure system but they can't expect all third party developers to follow the same rigorous standards."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
removed, but... (Score:3, Informative)
No problem! (Score:4, Funny)
Please, try the veal.
Re:No problem! (Score:4, Informative)
Parent
Re:No problem! (Score:5, Insightful)
That was not a virus - that was a trojan (pretty huge difference if you know what the differences are!) And read through the final analysis of the work [ambrosiasw.com] the user actually had to do to contract it.
Also, we are talking about OS X viruses not "legacy" viruses that in practice no-one will be catching since almost no-one uses Classic anymore. It's been years since OS X even shipped with OS 9.
Not really. Have you forgotten things like auto-installing widgets?
Which they fixed pretty quickly, as noted....
Apple being behind other BSD systems in patching old exploits?
Apple being behind in patching SSH, Apache?
Which don't matter as much since they come turned off by default (and still didn't see any exploits for OS X in the wild)...
Uh... You need to know stuff to write a windows virus too.
Not really, there is a lot more template material online on how to do so, and a number of Windows viruses in the past have been simple variants of existing worms and viruses.
Not according to Norton, F-secure and McAfee.
You're wrong. Care to provide any links as to why you think you're right?
Uh, again no. Give me some decent examples at least.
IE. Forgot about the elephant in the room again?
I don't know... Most of the security techniques Apple uses were developed back in the early 90s...
Oh, they were developed way before that - which is why it is so tragic Microsoft could not even be bothered to do that much until now.
However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have todo.
Where we have to open a console and type
defaults write com.apple.finder AppleShowAllFiles TRUE
True there is no UI to modify some defaults like that. But anyone who wants to see ALL files in Finder is probably also going to be pretty familiar with the shell and not really mind editing XML files. Frankly I have never enabled Finder in that manner as if I want to be messing with files Finder cannot see by default, I greatly prefer to be using Terminal anyway.
What makes it an advanced OS is that you have a layer that is easily configurable by most users, and then a more advanced layer that is easily adjustable through a few means. The situation is still better than what Windows offered, where you had to basically write TweakUI to get at some settings that could not simply be activated in a text file at least OS X comes with means to modify every setting in the system, even if some are not behind GUI's.
Heh, or we could the simple things that have always worked well... Exploits against the user. Just send them a e-mail with a
Yes that would work - but Mail would warn the user about running it, and the default security level most people run at would prevent it from getting as far into the system as most rootkits are. That is the reason OS X is more security, because of the very old concept of defense in depth applied across the OS, not because any one layer is invulnerable to attack!
Writing viri for any platform is dead simple if you are going to rely on the user to propagate it. But Windows has a million examples of stuff that needs no user even clicking on OK to run off and do its thing. That is another difference. That and of course, the fact that today there are no OS X viruses in the wild. Not just a few, but zero - despite many people such as yourself who think it would be easy to write one and would like to see one just to show up Mac users.
Parent
Is this true? (Score:4, Insightful)
Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "your going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.
They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.
Re:Apple Vs. Security Researchers (Score:5, Insightful)
Apple has had poor relations with security researchers for years.
Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.
As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even now what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security or computing. It serves no one except the researchers who are showboating and being irresponsible.
Parent
Re:I'm afraid you are incorrect, sir. (Score:5, Informative)
The wireless exploit did apply to Airport cards;
It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.
Parent
Re:I'm afraid you are incorrect, sir. (Score:5, Insightful)
I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.
Parent
Re:Do you feel better now? (Score:4, Insightful)
And I think you're mistaken if you believe that marketshare directly reflects the security of a platform. The number of users has little to do with the number of exploitable bugs in it or architectural flaws. More existing bugs might be found in more popular platforms but that doesn't prove that more exist that just aren't found in other platforms. Windows is less secure because it simply wasn't a design factor when most of it was built, that and MS went out of their way to do things differently than how existing systems like UNIX did.
Parent
Re:and now Apple (Score:5, Insightful)
Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.
Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?
Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.
They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.
What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?
When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.
There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.
Do not under estimate the creativity and capability of the hackers out there.
I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.
Parent
Explain the logic... (Score:4, Interesting)
Huh? Apple's users are to blame for Apple's work with security researchers?
Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."
Parent
Doesn't work for me (Score:5, Interesting)
These people read their own press releases (Score:3, Insightful)
Sorta works on a macbook pro (Score:4, Interesting)
Snips from my crash log:
OS Version: 10.4.8 (Build 8N1051)
Report Version: 4
Command: QuickTime Player
Path:
Parent: WindowServer [57]
Version: 7.1.3 (7.1.3)
Build Version: 65
Project Name: QuickTime
Source Version: 4650000
PID: 9548
Thread: Unknown
Exception: EXC_BAD_INSTRUCTION (0x0002)
Code[0]: 0x00000001
Code[1]: 0x00000000
Unknown thread crashed with X86 Thread State (32-bit):
eax: 0xffffffff ebx: 0x41414141 ecx: 0x900012f8 edx: 0xffffffff
edi: 0x41414141 esi: 0x41414141 ebp: 0xdeadbabe esp: 0xbfffd628 (hello deadbabe!)
ss: 0x0000001f efl: 0x00010286 eip: 0x918bef3a cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
Not so good.
Re:QuickTime runs on Windows too... (Score:5, Informative)
Parent
Re:QuickTime runs on Windows too... (Score:5, Informative)
-Eric
Parent
Re:And a negative side effect? (Score:4, Interesting)
Parent
Re:good thought but I wonder (Score:5, Informative)
Parent
Re:good thought but I wonder (Score:5, Insightful)
It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."
Parent
Re:good thought but I wonder (Score:5, Insightful)
-Eric
Parent
Re:good thought but I wonder (Score:5, Insightful)
Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.
As a land lord myself I know, some jobs can't be done right away. Some things espectially changing all the locks takes time including finding the residence and giving them the new key before they leave. so you can change their locks. Also the time to fix all the locks, dealing with people who think there lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the land lord knocks figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacent)
Parent
Re: (Score:3, Interesting)
Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should
Re:good thought but I wonder (Score:4, Interesting)
Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.
I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.
They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.
No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.
So they're out to raise the profile of each problem.
Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.
Much better than using the vulnerabilities to build Mac-based botnets...
Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.
Parent
Re:At this rate (Score:5, Insightful)
Parent
Re:I have a dumb question..... (Score:4, Insightful)
The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do enegage in, is often highly publicized, making it seem as though they are very litigious.
So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.
Parent