Mac OS X Developers Watch Month of Apple Bugs
By Daniel Drew Turner | Posted 2007-01-06
Mac OS X developers say they are watching the Month of Apple Bugs project closely, but some question the organizers' method of publicly disclosing newly discovered security flaws before first alerting Apple.

Developers of applications for Apple's Mac OS X have been watching the Month of Apple Bugs project closely, and are generally in favor of the project's goal of uncovering OS flaws.
But they, and security companies, have questions about the MOAB group's method, which involves making their findings public immediately, instead of first alerting Apple Computer.
The MOAB project was organized by Kevin Finisterre and a hacker who goes by the handle LMH. Their progress, and links to previous Month of Kernel Bugs and Month of Browser Bugs campaigns, can be traced on their project Web site. The stated goal of MOAB is to uncover one bug a day for the month of January 2007.
To date, they have kept their pace, revealing two vulnerabilities in Apple's QuickTime media layer, one in iPhoto and another in a third-party application, the VLC media player. One of the QuickTime bugs was shown to allow an attacker to execute code on a victim's computer.
Landon Fuller, a programmer unaffiliated with Finisterre and LMH, is coordinating or creating fixes to the vulnerabilities found by MOAB and making them available on his own site.
"In the long term, this project is making OS X more secure," said Gus Mueller, a developer who sells his software through his company Flying Meat. "However, in the short term, these bugs, once shown, can be used destructively," he added.
"I think the correct way to handle the exploits would have been to inform Apple, and give them something like four to six weeks to get a fix out," Mueller said, noting that this has been the standard method of OS bug reporting. "If nothing comes out of Apple at that point, then I'd publish the exploit. This way earns you credibility and respect," he said.
"Usually, and the way it seems you should do it," said Mueller, "is that you should let the software's owner know when you have discovered a bug."
Wil Shipley, the CEO of Delicious Monster Software, said he agreed that there is a greater good in reporting OS bugs. "First off, I'll say, as Apple does, that finding bugs in Mac OS X is really good for all of us (Apple, third-party developers, Mac users), and so, you know, bully for those guys," he said.
But Shipley said he also questions how the MOAB project is going about its goals.
"The only unsavory bit in all this is that originally, when I read about MOAB, it was positioned as a response to Apple being 'smug' about security, which is childish and inane," said Shipley.
"Apple has a right to be 'smug' about an area in which they are better than their competition, even if they are not totally perfect."
Read the full story on eWEEK.com: Mac OS X Developers Watch Month of Apple Bugs.