January 4, 2007 4:00 AM PST

The good and the bad of bug campaigns

A third monthlong parade of security flaw releases has kicked off, this time focused on Macs. But some are questioning the purpose of such campaigns.

Two bug hunters, Kevin Finisterre and the pseudonymous LMH, say that each day in January, they will detail a security hole in Apple Computer's Mac OS X or applications for that operating system. Like previous efforts, which focused on Web browser and kernel vulnerabilities, the "Month of Apple Bugs" is meant to improve security, the pair state on their Web site. Flaws that are publicly disclosed will get fixed quickly, they argue.

"Some of us use OS X on a daily basis. Getting problems solved makes that use a bit safer each day," LMH and Finisterre wrote on the project Web site. "A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple."

While the researchers argue that the public airing of flaws is for the greater good, not everyone agrees. After all, broadcasting details of a bug in software without informing its maker and without a patch being available puts users at risk, critics say. It goes squarely against the "responsible disclosure" practices advocated by software companies.

For example, the Month of Apple Bugs includes detailed exploit code that could provide ammunition to cybercrooks for use in attacks. Software makers are sent scrambling to address the flaws.

That's exactly what the people behind the campaigns want. The approach was inspired by July 2006's "Month of Browser Bugs," dreamed up by HD Moore, a well-known security researcher and developer of the popular Metasploit security tool. That effort was followed in November by the "Month of Kernel Bugs" project, run by LMH.

"My experience has shown that the fastest way to secure a piece of software is to release a working exploit for it," Moore said in an e-mail interview Wednesday. "Users will get software patched in a much timelier manner. They can also take precautions they didn't know to do before."

Ego trip?
The bug releases rekindle the responsible disclosure debate. Software makers want bug hunters to report vulnerabilities privately to them and to give them time to fix the problems. Researchers have complained that software companies ignore them and take much too long to address the reported problems.

"Responsible disclosure can't work. People do whatever they want," said Pete Lindstrom, an analyst with Burton Group. Still, a parade of zero-day bug releases obviously doesn't serve the Net public, he added. "These initiatives are always more about the egos of the bug finders than anything else," Lindstrom said.

Nick Frollini, a business consultant and Mac user from Pittsburgh, Pa., agreed. "All these campaigns accomplish is driving traffic to the sites of the security researchers," he said. "The better approach is to work with the vendors to address flaws and to only publicize them if the vendor is completely unresponsive. Why unleash more zero-day exploits?"

But LMH disputes that he and Finisterre are in it for personal glory. "We aren't receiving any kind of reward," LMH said in an interview via instant messaging service. "We are releasing information and code that could represent a significant benefit when sold to certain parties. Thus, we are losing money with this."

Double-edged sword
Efforts such as the Month of Apple Bugs are a double-edged sword, said Dave Marcus, security research and communications manager at software maker McAfee. "The posting of a flaw does make it get patched. It is an effective way of getting security vulnerabilities fixed in a lot of instances. It just puts users at risk at the same time, which I am not a fan of," he said.

Marcus believes in the good intentions of the hackers behind the bug releases. "These guys were superstars in computer security before they were doing the months of the bugs. I think they honestly do it in the thought of serving the community," he said.

In the short term, Net users will be at risk because of the Month of Apple Bugs, but in the longer term, the products featured in the project will be more secure, said Jon "Johnny Cache" Ellch, a security researcher who has contributed to the Month of Kernel Bugs project.

"When this is over, though, you've got to realize there will be 30 fewer ways to break into Macs. Who could think that is a bad thing?" he said.

Already, one developer has stepped up to the plate to provide third-party fixes for flaws released as part of the Month of Apple Bugs.

Apple has said that it is aware of the project, but has chosen not to comment beyond saying in an e-mail message to CNET News.com that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

Another purpose of the Apple-focused month could be that it serves as a wakeup call for Mac users, Lindstrom said.

Malicious software that targets Mac OS X systems is rare and has been limited largely to proof-of-concept code, instead of actual attacks. However, there are indications that hackers are increasingly targeting the Mac.

"Mac addicts are a different breed; they are one of the few groups that, by and large, think their operating system is somehow impervious to attack. It may be beneficial to security to actually prove that weaknesses exist," he said.

That's a good point, said several participants in CNET News.com's Mac Views panel of readers.

"I am a fanatical Apple user and am certain that OS X is one of the most stable and secure operating systems in the market, but there is no such thing as a perfect piece of technology," said Bay McLaughlin, chief executive of iMago Productions. "Therefore, I do believe that it is worth exploring the shortcomings of OS X."

However, it would have been better if Apple or the applicable software maker had been given at least some time to address the issue. "There is something to be said for both sides, but I would rather hear about the findings after Apple released a new Security Update," McLaughlin said.


18 comments

Making "the Norm"... "The NORM"!!!
If operating system manufacturers have been sleeping and not fixing bugs which have been made known to them in a reasonable time... then going public is the only way to force them.

Whether it be Apple, Microsoft or any other vendor for that matter.

Responsible Security Response Time Norms are:

24 hours for Critical Flaws
72 hours for Non Critical Flaws

If operating system vendors wait weeks or months prior to offering patches... then going public with the exploit is the ONLY way to get them to move responsibly following the NORM in security patching!

Making "the Norm"... "The NORM". If such operating vendors met the Norm standards... opening such exploits to the general public AFTER MORE than the NORM reasonable timing, then I say... let it be made public.

Otherwise, the operating system manufacturers will continue to sit on certain patches!!!

The security conscious will survive... those not so conscious will struggle and may collapse if they don't patch within the NORM!!! (At least before the exploit is made public knowledge.)

Walt
Posted by wbenton (522 comments)
Your timeline is unrealistic
It often takes 24 hours or more just to verify the nature and extent of the bug/exploit. You should note that a flaw can have broader implications to the overall code than is reported by the person/group that found it. I'm sure you would expect the S/W vendor to check this out properly.

To demand that a fix be out in 24 hours for a "Critical Flaw" is just plain asinine. Requiring 72 hours response for "Non Critical Flaws" is just silly.

If a company like Microsoft is presented with a "Critical Flaw" it takes them time to find out just how it affects the OS or Application and how that flaw affects and interacts with other pieces of software. Rarely are flaws just a matter of changing a few lines of code and recompiling!

Just testing all the major variations of installations of a particular version of Windows (e.g., XP or Vista) can take several weeks. If Microsoft rushes out a patch for a "Critical Flaw" without proper testing it can have significantly more negative impacts than the flaw itself. The same can be said to a lesser extent (because they have fewer variants on which to test) of Apple or any other S/W vendor.
Posted by shadowself (202 comments)
And I thought Mac OS was bullet proof..
..actually I never thought that, I am not that silly ;-)
Posted by FutureGuy (742 comments)
It is.
OS X is bullet proof, these guys are straight up superhuman. They found 30 holes in MacOS X but they have released probably thousands in Windows now..

Apple's share-everything mentality is what makes it insecure. That's the wrong approach to security.
Posted by Solaris_User (267 comments)
Well the old Mac Laptop was bulletproof
The old Mac Laptops (think iBook) were actually made of bulletproof plastic.
Posted by pm3d (3 comments)
Not a good enough reason
"My experience has shown that the fastest way to secure a piece of software is to release a working exploit for it," Moore said in an e-mail interview Wednesday.

Which is better, Mr. Moore? The software maker having the time to write a fix and test it before a flaw is known to the hackers (fixed before exploited) or releasing the flaw to hackers and watching the software maker scramble to fix it before the hackers can exploit it (good chance they will)? You're only doing this for the publicity as you certainly don't give a d@mn about ethics.
Posted by Seaspray0 (9714 comments)
If they didn't have ego issues...
Proof that some of this is egotistical on their part is that they didn't give Apple ANY preliminary information on these bugs!

They could have given Apple the 30 exploits at the end of November or beginning of December, and then told them they will release these to the public in January, giving Apple 30 days to react. Apple would probably have had fixes around the time the exploits were publicized and those who discovered these exploits would have succeeded in their spoken goal: more secure system, more awareness in the community.

The way they are doing it is heightening the risk users may become affected as well as heightening the egos of the "security experts" who discovered and are publicizing the exploits!

Bad form in my opinion.
Posted by ssmiroldo (53 comments)
Security should come first
If OS Software OEMs were more diligent in addressing security first, rather than as an afterthought, there would not be a problem. Software has no moving parts, it does not wear out, it does not break. It was either correct from the start or it was flawed. Networked code should always check buffer boundaries, instead of short-cutting for performance. Every error condition must be handled without exception. Every critical security setting should be set by default. Every user should be authenticated, or very restricted in permissions, etc. Process, driver and service security permissions architectures should be implemented, in addition to user permissions.
And the Network stack MUST be decoupled from the OS (it really ticks me off that even if I have no network plugged in and no network devices active, I still have to have several network processes active on the M$ OS, I wonder why????). Have you ever had your computer stall or run slow, when it said it was 98% idle????

I suspect the only reason for the holes is either incompetence, or more likely intention. There is a huge industry created around adware, spam, spyware, and security software, and the OS vendors play both sides of the fence.
I have said it many times, the internet used to be secure, it was a network for the DOD! You could not get on anything with any destructive permissions without proper authentication. No Application or E-Mail client executed instruction code of an arbitrary subject document without specific user invocation, and that user had to have permissions set accordingly to do so. This was all before M$ meddled with the HTML spec, and various other protocols.

It's been a long time since I was a regular Mac user but I remember that about the most problematic issue with Macs was proper Init driver sequences at bootup; that's about the only thing that would cause a Mac to hang. I remember the Scores virus, being an MBR type, not too hard to protect against... but for the most part secure. Ensuring every application goes through the resources of the OS, rather than having direct access to hardware, made it so. Due to the lack of bugs reported on Mac systems I would think any that do exist are honest mistakes; as for the PC side not only do I suspect M$, but also compiler software. For a long time there was a specific backdoor written into the C compilers of most major Unix systems that was virtually undetectable; even if you recompiled the compiler from source code the backdoor would reintroduce itself in the compilation.
Honestly I think they need to go back and scrutinize every compiler that produces production code first, then scrutinize every bit of source code, to ensure all of the items mentioned above are addressed and handled. BIOS should also be examined. I think there should be a standards body like ISO that certifies this compliance, with independent evaluation.
A truly secure system is possible, and if anyone achieves it, it will be secure until someone does something stupid like giving admin privileges to an active guest account, or loads a malicious kernel-level device driver, runs a trojan, etc. Basically no virus or other malware should be able to propagate without an admin or console user performing some physical action on the machine in question (of which we hope there are none stupid enough to do so). Even if a machine was infected it could not spread to another machine without a specific user action.

Perhaps if they were not outsourcing their code development to some foreign country......

Report the bugs, force the fixes, and maybe someday they will put security first like the DOD did. There really is no excuse for these security holes; I see most of the reports (for all OSes and Applications) before they are released to the general public and most of them are the same type of bug: buffer over- or under-runs, improper trapping of invalid input parameters, and unhandled errors. No excuse at all, a first year programmer knows to do all these things!!!
Posted by chash360 (394 comments)
Where do they find the time?
Most of us are simply too busy to write malicious code. We have lives. Any wall can be breached, any lock can be broken, but who has the time?

I would be interested to know how and why people have the time to pay endless attention to possible vulnerabilities of an OS. It seems odd to me. I use an OS every day, just as I open my door every day; it would not occur to me to make a full time job of picking my lock to "show up" the folks at Schlage, nor create QuickTime buffer overflows that would allow me to break into a Mac.

If you follow the money, the ones who profit from all this are people who benefit from insecurity: Anti-virus software companies and security firms.

I wonder who these guys work for, or if this is just a free service.
Posted by purpleshorts (7 comments)
Hypocritical
Funny... now they look at bugs on Mac and people raise concerns... it does not seem to be the case when bugs/vulnerabilities on Windows are released... ;-)
Posted by fapp (1 comment)
Then you aren't paying attention
These same issues were brought up during the MOKB and after other zero day releases. Just 'cause you are ignorant does not make someone hypocritical.
Posted by DeusExMachina (516 comments)
The good, the bad...
Why not inform Mac of the bugs, then allow 24-48 hours to release a patch? That would be the ethical thing to do... do these guys have no ethics?

If they are concerned about Apple not making timely patches, then this would force them to fix known exploits immediately and help the OSX users remain secure. What these guys are doing sets a very bad precedent for future "concerned" hackers.
Posted by dollpenguin (9 comments)
an ad on their website
they have an ad that states if you support them they will receive a free mac mini ... so it isn't for the money or the free equipment. I would like a free computer for "testing"
Posted by hobbesca (4 comments)