Two bug hunters, Kevin Finisterre and the pseudonymous LMH, say that each day in January, they will detail a security hole in Apple Computer's Mac OS X or applications for that operating system. Like previous efforts, which focused on Web browser and kernel vulnerabilities, the "Month of Apple Bugs" is meant to improve security, the pair state on their Web site. Flaws that are publicly disclosed will get fixed quickly, they argue.
"Some of us use OS X on a daily basis. Getting problems solved makes that use a bit safer each day," LMH and Finisterre wrote on the project Web site. "A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple."
While the researchers argue that the public airing of flaws is for the greater good, not everyone agrees. After all, broadcasting details of a bug in software without informing its maker and without a patch being available puts users at risk, critics say. It goes squarely against the "responsible disclosure" practices advocated by software companies.
For example, the Month of Apple Bugs includes detailed exploit code that could provide ammunition to cybercrooks for use in attacks. Software makers are sent scrambling to address the flaws.
That's exactly what the people behind the campaigns want. The approach was inspired by July 2006's "Month of Browser Bugs," dreamed up by HD Moore, a well-known security researcher and developer of the popular Metasploit security tool. That effort was followed in November by the "Month of Kernel Bugs" project, run by LMH.
"My experience has shown that the fastest way to secure a piece of software is to release a working exploit for it," Moore said in an e-mail interview Wednesday. "Users will get software patched in a much timelier manner. They can also take precautions they didn't know to do before."
Ego trip?
The bug releases rekindle the responsible disclosure debate. Software makers want bug hunters to report vulnerabilities privately to them and to give them time to fix the problems. Researchers have complained that software companies ignore them and take much too long to address the reported problems.
"Responsible disclosure can't work. People do whatever they want," said Pete Lindstrom, an analyst with Burton Group. Still, a parade of zero-day bug releases obviously doesn't serve the Net public, he added. "These initiatives are always more about the egos of the bug finders than anything else," Lindstrom said.
Nick Frollini, a business consultant and Mac user from Pittsburgh, Pa., agreed. "All these campaigns accomplish is driving traffic to the sites of the security researchers," he said. "The better approach is to work with the vendors to address flaws and to only publicize them if the vendor is completely unresponsive. Why unleash more zero-day exploits?"
But LMH disputes that he and Finisterre are in it for personal glory. "We aren't receiving any kind of reward," LMH said in an interview via an instant messaging service. "We are releasing information and code that could represent a significant benefit when sold to certain parties. Thus, we are losing money with this."
Double-edged sword
Efforts such as the Month of Apple Bugs are a double-edged sword, said Dave Marcus, security research and communications manager at software maker McAfee. "The posting of a flaw does make it get patched. It is an effective way of getting security vulnerabilities fixed in a lot of instances. It just puts users at risk at the same time, which I am not a fan of," he said.
Marcus believes in the good intentions of the hackers behind the bug releases. "These guys were superstars in computer security before they were doing the months of the bugs. I think they honestly do it in the thought of serving the community," he said.
In the short term, Net users will be at risk because of the Month of Apple Bugs, but in the longer term, the products featured in the project will be more secure, said Jon "Johnny Cache" Ellch, a security researcher who has contributed to the Month of Kernel Bugs project.
"When this is over, though, you've got to realize there will be 30 fewer ways to break into Macs. Who could think that is a bad thing?" he said.
Already, one developer has stepped up to the plate to provide third-party fixes for flaws released as part of the Month of Apple Bugs.
Apple has said that it is aware of the project, but has chosen not to comment beyond saying in an e-mail message to CNET News.com that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
Another benefit of the Apple-focused month could be that it serves as a wake-up call for Mac users, Lindstrom said.
Malicious software that targets Mac OS X systems is rare and has been limited largely to proof-of-concept code, instead of actual attacks. However, there are indications that hackers are increasingly targeting the Mac.
"Mac addicts are a different breed; they are one of the few groups that, by and large, think their operating system is somehow impervious to attack. It may be beneficial to security to actually prove that weaknesses exist," he said.
That's a good point, said several participants in CNET News.com's Mac Views panel of readers.
"I am a fanatical Apple user and am certain that OS X is one of the most stable and secure operating systems in the market, but there is no such thing as a perfect piece of technology," said Bay McLaughlin, chief executive of iMago Productions. "Therefore, I do believe that it is worth exploring the shortcomings of OS X."
However, it would have been better if Apple or the applicable software maker had been given at least some time to address the issue. "There is something to be said for both sides, but I would rather hear about the findings after Apple released a new Security Update," McLaughlin said.
Whether it be Apple, Microsoft or any other vendor for that matter.
Responsible Security Response Time Norms are:
24 hours for Critical Flaws
72 hours for Non Critical Flaws
If operating system vendors wait weeks or months prior to offering patches... then going public with the exploit is the ONLY way to get them to move responsibly following the NORM in security patching!
Making "the Norm"... "The NORM". If such operating vendors met the Norm standards... opening such exploits to the general public AFTER MORE than the NORM reasonable timing, then I say... let it be made public.
Otherwise, the operating system manufacturers will continue to sit on certain patches!!!
The security conscious will survive... those not so conscious will struggle and may collapse if they don't patch within the NORM!!! (At least before the exploit is made public knowledge.)
Walt
http://news.com.com/Apple+guru+combats+month+of+bugs/2100-1002_3-6146886.html
However I would like to comment on this story as well.
I am even more ANGRY now at this Apple saga because they've said doing this month of bugs gets bugs patched quicker.
No, it gets YOUR bugs patched quicker. WHAT makes you more important than all the other researchers who post vulnerabilities in private to Apple?
Why should you jump the queue with your month of bugs? Everyone could have a month of bugs.
Of course the legacy of H D Moore, LMH is they want to look to the public as elite hackers who are the only ones who have enough vulnerabilities for a month of bug campaigns.
So untrue and that is why I'm so against what's going on.
If you're in the hyper market queue getting your shopping scanned and checked out before you go home after work, would you be happy if folks skipped the normal queue of people?
Of course not, everyone would complain and stop the people rushing to the front of the queue, and that is exactly what's going on here.
I still say the FBI should do something here, or law should be brought in to stop this kind of thing continuing.
It is not always needed for there to be a law to say something is wrong, like mentioned in the other discussion (see my link at the top), there is a thing called morals.
There isn't a hyper market law saying, don't queue jump is there? But everyone knows it's wrong, and people stop someone jumping a queue, because the others know it's wrong, that someone else can think they have more right than other shoppers.
H D Moore and LMH would argue, we have more shopping than you, we deserve to rush to the front of the queue for shopping.
We don't care if people get upset, we're doing this because we want to show the hyper market how difficult it is if we bring a month of fruit to your checkout and demand it be scanned and paid for.
We're doing this so the hyper market gets a red face and they will open extra checkouts to make the queue shorter, we want more checkouts open, so we get served quicker in future and don't need to queue jump.
In fact, we think everyone will benefit from demanding our shopping is scanned before everyone else's.
It doesn't work does it? Not from n3td3v's point of view and many others in the security community.
H D Moore, LMH etc are looking like dickheads here not anything to be respected for.
Enjoy your five minutes of fame (LMH) jumping an Apple bug queue and to **** with all other researchers who prefer responsible disclosure, or maybe something you've forgotten about NO-DISCLOSURE bug reporting to vendors.
n3td3v-hackers queue up and wait our turn, maybe you should learn some manners, idiots.
the good, the bad of cyber terrorism campaigns
Which is better, Mr. Moore? The software maker having the time to write a fix and test it before a flaw is known to the hackers (fixed before exploited) or releasing the flaw to hackers and watching the software maker scramble to fix it before the hackers can exploit it (good chance they will)? You're only doing this for the publicity as you certainly don't give a d@mn about ethics.
didn't give Apple ANY preliminary information on these bugs!
They could have given Apple the 30 exploits at the end of November or beginning of December, and then told them they will release these to the public in January, giving Apple 30 days to react. Apple would probably have had fixes around the time the exploits were publicized and those who discovered these exploits would have succeeded in their spoken goal: more secure system, more awareness in the community.
The way they are doing it is heightening the risk users may become affected as well as heightening the egos of the "security experts" who discovered and are publicizing the exploits!
Bad form in my opinion.
I dare CNET to break the barrier and call them cyber terrorists; it's all they deserve to be called.
I think CNET should strip them of their "researcher" status.
And the Network stack MUST be decoupled from the OS (it really ticks me off that even if I have no network plugged in and no network devices active, that I still have to have several network processes active on the M$ OS, I wonder why????). Have you ever had your computer stall or run slow, when it said it was 98% idle????
I suspect the only reason for the holes is either incompetence, or more likely intention. There is a huge industry created around adware, spam, spyware, and security software and the OS vendors play both sides of the fence.
I have said it many times, the internet used to be secure, it was a network for the DOD! You could not get on anything with any destructive permissions without proper authentication. No Application or E-Mail client executed instruction code of an arbitrary subject document without specific user invocation, and that user had to have permissions set accordingly to do so. This was all before M$ meddled with the HTML spec, and various other protocols.
It's been a long time since I was a regular Mac user but I remember that about the most problematic issue with Macs was proper Init driver sequences at bootup; that's about the only thing that would cause a Mac to hang. I remember the Scores virus, being a MBR type, not too hard to protect against... but for the most part secure. By ensuring every application go through the resources of the OS, rather than having direct access to hardware made it so. Due to the lack of bugs reported on Mac systems I would think any that do exist are honest mistakes, as for the PC side not only do I suspect M$, but also compiler software. For a long time there was a specific backdoor written into the C compilers of most major Unix systems that was virtually undetectable, even if you recompiled the compiler from source code the backdoor would reintroduce itself in the compilation.
Honestly I think they need to go back and scrutinize every compiler that produces production code first, then scrutinize every bit of source code, to ensure all of the items mentioned above are addressed and handled. BIOS should also be examined. I think there should be a standards body like ISO that certifies this compliance, with independent evaluation.
A truly secure system is possible, and if anyone achieves it, it will be secure until someone does something stupid like giving admin privileges to an active guest account, or loads a malicious kernel level device driver, runs a trojan, etc. Basically no virus or other malware should be able to propagate without an admin or console user performing some physical action on the machine in question (of which we hope there are none stupid enough to do so). Even if a machine was infected it could not spread to another machine without a specific user action.
Perhaps if they were not outsourcing their code development to some foreign country......
Report the bugs, force the fixes, and maybe someday they will put security first like the DOD did. There really is no excuse for these security holes, I see most of the reports (for all OS's and Applications) before they are released to the general public and most of them are the same type of bug: buffer over or under runs, improper trapping of invalid input parameters, and unhandled errors. No excuse at all, a first year programmer knows to do all these things!!!
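Added illustration (not from the article or from any commenter): the class of bug the comment above names, an input length that is trusted and used unchecked as a copy size, shown beside a hardened parser that validates every input-derived value and returns a distinct error for each failure. The tag-length-value record format, the function names and the sample byte strings are hypothetical and constructed for this example; they do not describe any real QuickTime or Mac OS X flaw.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, constructed for this example:
 *   byte 0     : tag
 *   bytes 1..2 : payload length, big-endian
 *   bytes 3..  : payload
 * The parser copies the payload into a fixed 64-byte buffer. */
#define MAX_PAYLOAD 64

struct record {
    uint8_t  tag;
    uint16_t len;
    uint8_t  payload[MAX_PAYLOAD];
};

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Vulnerable form: the length field comes from untrusted input and is used
 * directly as the memcpy size. A length above 64 overruns payload[]; a length
 * above buflen - 3 reads past the end of the input. */
int parse_record_unsafe(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 3)
        return -1;
    out->tag = buf[0];
    out->len = read_be16(buf + 1);
    memcpy(out->payload, buf + 3, out->len);   /* no bound on out->len */
    return 0;
}

/* Hardened form: every value derived from the input is checked against both
 * the destination capacity and the input actually present, and each failure
 * is a distinct error code the caller is expected to handle. */
int parse_record_safe(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buf == NULL || out == NULL)
        return -1;                  /* invalid parameters */
    if (buflen < 3)
        return -1;                  /* header incomplete */
    uint16_t len = read_be16(buf + 1);
    if (len > MAX_PAYLOAD)
        return -2;                  /* would overrun payload[] */
    if ((size_t)len > buflen - 3)
        return -3;                  /* would read past the end of the input */
    out->tag = buf[0];
    out->len = len;
    memcpy(out->payload, buf + 3, len);
    return 0;
}

/* Constructed sample inputs (not captured from any real file). */
static const uint8_t GOOD[]      = { 0x01, 0x00, 0x04, 'a', 'b', 'c', 'd' };
static const uint8_t OVERSIZED[] = { 0x01, 0xFF, 0xFF };            /* claims 65535 bytes */
static const uint8_t TRUNCATED[] = { 0x01, 0x00, 0x10, 'a', 'b' }; /* claims 16, carries 2 */

/* Returns 0 when the well-formed record parses with the expected fields. */
int check_good_record(void)
{
    struct record r;
    if (parse_record_safe(GOOD, sizeof GOOD, &r) != 0)
        return -1;
    return (r.tag == 0x01 && r.len == 4 && memcmp(r.payload, "abcd", 4) == 0) ? 0 : -1;
}

/* Returns the parser's verdict on a length larger than the destination. */
int check_oversized_length(void)
{
    struct record r;
    return parse_record_safe(OVERSIZED, sizeof OVERSIZED, &r);
}

/* Returns the parser's verdict on a length larger than the input. */
int check_truncated_record(void)
{
    struct record r;
    return parse_record_safe(TRUNCATED, sizeof TRUNCATED, &r);
}

int main(void)
{
    printf("good record:      %d\n", check_good_record());
    printf("oversized length: %d\n", check_oversized_length());
    printf("truncated record: %d\n", check_truncated_record());
    /* parse_record_unsafe(OVERSIZED, ...) is deliberately never called here:
     * it would memcpy 65535 bytes into a 64-byte buffer. */
    return 0;
}
```

The unsafe parser is kept only to make the defect visible; the point of the hardened version is that the two bounds (destination capacity and remaining input) are separate checks with separate error codes, so a caller that ignores a non-zero return is itself the "unhandled error" the comment complains about.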
Where do they find the time?
by purpleshorts
January 5, 2007 6:13 AM PST
Most of us are simply too busy to write malicious code. We have lives. Any wall can be breached, any lock can be broken, but who has the time?
I would be interested to know how and why people have the time to pay endless attention to possible vulnerabilities of an OS. It seems odd to me. I use an OS every day, just as I open my door every day; it would not occur to me to make a full time job of picking my lock to "show up" the folks at Schlage, nor create quicktime buffer overflows that would allow me to break into a Mac.
If you follow the money, the one who profits from all this is people who benefit from insecurity: Anti-virus software companies and security firms.
I wonder who these guys work for, or if this is just a free service.