Starting January 1st: “Month of Apple Bugs”

“A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple’s OS X operating system or in Apple applications that run on top of it,” Brian Krebs, yes, that Brian Krebs, reports for The Washington Post.

“The ‘Month of Apple Bugs’ project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias ‘LMH.’ This is the same researcher who in November ran the ‘Month of Kernel Bugs’ project. LMH’s partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years,” Krebs reports.

Krebs reports, “To the chagrin of some security experts, however, LMH declined to give affected vendors advance notice before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple Bugs, LMH said in an interview conducted over instant message.”

Krebs reports, “LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security. ‘Right now, many OS X users still think their system is bulletproof, and some people are interested in making it look that way,’ LMH said.”

Full article here.

MacDailyNews Take: Which Mac OS X users think their systems are bulletproof? No one we know. Most of us simply know for a fact that Mac OS X is vastly more secure than Windows. Hopefully, “LMH” finds something of value with which Apple can work and his irresponsible method of posting them before notifying Apple doesn’t cause any damage. Judging from past performances, we’re sure Krebs is fairly drooling over the possibilities, real or imagined.

Related article:
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006

71 Comments

  1. On the last OS security story, Brian Krebs proved to be a hack writer who doesn’t know technology and can’t be bothered with little things like accuracy or research.

    Let’s see how he handles this next piece.

  2. Irresponsible, gutless coward. LMH, have the nuts to use your real name if you’re going to do something that lays open the vulnerabilities for many people, no matter the OS. Your methods are wretched; the means do not justify the ends. Unless the end you’re intending is to cause undue harm to others. To you it may seem a trifling inconvenience, but if a serious problem were to happen to someone’s system due to your irresponsible action it may lead to more than a broken computer system. Sensitive information lies within our computers. Have you ever heard of identity theft? It’s wholly possible through our systems. I’d rather be shot.

    Fucking asshole.

    Now, does anyone know how to contact him so I can forward this to him?

  3. If Krebs has any journalistic integrity and competency, he should publish a comparison of Microsoft versus Apple OS exploits, failures, and hazards and quantify them. A rigorous and detailed comparison of Microsoft and Apple should provide the public with more useful information and help people make a truly informed decision.

  4. Hopefully Krebs will have learned from the mistakes he made with the MacBook AirPort security issue, when he failed miserably to check out what he was reporting on…

    Anyway, this kind of activity is pointless. Why don’t they just report the issues they discover to Apple? Or have they something to sell and need the ‘WOW GEE LOOK OSX SECURITY HOLES’ press…

    And by the way, look at the fscking inane comments from WinTrolls on that blog…

  5. LMH, like so many others in the security business, feels he has the right to force companies to fix bugs by exposing them without notice, putting the rest of the public at risk.

    Whether they like it or not, bugs happen, and private companies should be given the chance to fix them in their own time. I’m a software engineer and I know it can take some time to do a fix correctly, not just a bodge job (Microsoft take note).

    LMH may be a great programmer and think he knows everything, but the fact is he has no idea what it will really take to fix the bug. Any idiot can find a bug; fixing it without any knock-ons is the real business (Microsoft take note).

    Apple is one of those companies that does not communicate its security status unless it has to. The fact that LMH may not get a response in the time he expects doesn’t mean Apple haven’t taken on board what he has said and that they are not working on a fix. I suppose he feels rejected when he sees that empty mailbox.

    For God’s sake, if you’re gonna contribute, do so; don’t demand! Otherwise go get a real job!

    Rant over… Sorry. : )

    P.S. I also hate the fact that they rate companies based on how quickly they fix bugs. It takes as long as it takes!

  6. If all these reported security holes are plugged with 10.5, what then? Apple sells more copies of Leopard. When Microsoft’s Vista suffers zero-day exploits, this will be dismissed as Windows functioning normally and as expected. People generally expect more from Apple and less from Microsoft. Same ol’ dance.
