Starting January 1st: “Month of Apple Bugs”

“A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple’s OS X operating system or in Apple applications that run on top of it,” Brian Krebs, yes, that Brian Krebs, reports for The Washington Post.

“The ‘Month of Apple Bugs’ project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias ‘LMH.’ This is the same researcher who in November ran the ‘Month of Kernel Bugs’ project. LMH’s partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years,” Krebs reports.

Krebs reports, “To the chagrin of some security experts, however, LMH declined to give affected vendors advance notice before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple Bugs, LMH said in an interview conducted over instant message.”

Krebs reports, “LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security. ‘Right now, many OS X users still think their system is bulletproof, and some people are interested in making it look that way,’ LMH said.”

Full article here.

MacDailyNews Take: Which Mac OS X users think their systems are bulletproof? No one we know. Most of us simply know for a fact that Mac OS X is vastly more secure than Windows. Hopefully, “LMH” finds something of value with which Apple can work and his irresponsible method of posting them before notifying Apple doesn’t cause any damage. Judging from past performances, we’re sure Krebs is fairly drooling over the possibilities, real or imagined.

Related article:
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006

71 Comments

  1. By posting information about these security holes before telling Apple and giving them a chance to fix them, this irresponsible SOB is actually making us, the Mac using community, more insecure. I wonder if he could be vulnerable to a lawsuit if it were proven that his “leak” of this information led directly to a hacker causing some real harm.

  2. I followed the MOKB (Month of Kernel Bugs) with some interest because LMH (Little Mac Hater?) threatened to disclose some “zero day” Mac vulnerabilities. He/She/It did, but none were really of any consequence. Most of them were only exploitable for local users of the system, so they are more of a PITA for Mac system admins than for the average user.

    I actually think it’s a good thing that these bugs be identified and fixed, but it is clear that this LMH person really has a chip on he/she/its shoulder about the Mac and Mac users. Also, this person is pretty juvenile about it. If they really wanted to help, they would report the bugs to Apple first, instead of potentially putting users at risk. Maybe his father used to beat him/her/it?

  3. Devil’s Advocate – Many have tried to tell Apple of problems only to be mistreated by Apple. The alternative was to go public and let the masses decide; unfortunately, that is now the first step instead of the last step.

  4. I’ll wager that this little stunt will make Apple security look better, as not one of the bugs found will be exploitable remotely. People who count security updates as proof that Mac OS X has “holes” don’t understand that almost all of said “holes” require the attacker to have access to the machine. In short, I don’t think there has been one single vulnerability found in OS X that would allow a remote, automated attack, of the kind so common in Windows.

  5. I’ve shot my iMac at least three times and it deflected every bullet, so yes, I think Macs are bulletproof. Should I not use anecdotal evidence to form my opinion of all things of a particular class or category?

  6. Apple credited ‘LMH’ as the reporting source for one of the patches in its most recent Security Update.

    So apparently you can’t really honestly say that Apple has “mistreated” LMH or ignored him and his bug reports. In fact, it proves that they are paying attention, because they regularly credit bug contributions on the Security Update Notices they publish.

    So what is the chip on your shoulder, LMH?

    You didn’t like the way some Mac users treated Brian Krebs? Or George Ou? Or the Maynor/Ellch guys? You didn’t like the way some people behaved, so you decided to start the Month of Kernel Bugs to announce Zero-Day flaws and force everyone to pay attention.

    So let’s look at the logic here – despite any protest you might put up, you cannot defend these actions.

    So if I don’t like the way some bloggers (like LMH) publish zero-day exploits, I think I’ll start a “Month of Blog Bugs” campaign that will point out flaws in the various blog sites allowing people to hack in and delete accounts or compromise their passwords.

    And this would be ok, because your stance is that it’s fine to put EVERYONE in a class of people at risk in order to punish the smug or crass behavior of a few. What an incredibly shallow, short-sighted, emotional and illogical process of thinking you have there, LMH.

    It almost makes one hope that LMH’s Mac Bugs cause someone, somewhere a serious financial loss, and that said individual (or business) decides to ascertain LMH’s identity and sue his pants off.

  7. Interesting. MDN, and others, have gone from – “Macs are completely free from bugs, viruses, malware, etc., etc.” to

    “… vastly more secure than Windows…”

    Could it be that the decline in Mac security and quality is running full speed into total decline and ultimately, exactly like Windows?

    Whatever… it’s inevitable so get ready, my friends.

  8. LMH is a coward hiding in the shadows. But I guarantee that if he causes me, as a Mac user, to be damaged my attorney will be sending a subpoena to Krebs demanding the identity of his sources so that we can sue. Are Krebs and his cowardly buddy ready for a few thousand such lawsuits?

  9. This guy is a pu$$y. This should be far from legal.

    Let’s see someone post all the security flaws this guy has in his house and we’ll see who can break in and kill him first.

    1.) upstairs window does not close all the way
    2.) garage door code is 1928
    3.) basement window will crack under 10lbs of pressure to left side

  10. This guy is a pu$$y. This should be far from legal.

    Let’s see someone post all the security flaws this guy has in his house and we’ll see who can break in and kill him first.

    1.) upstairs window does not close all the way
    2.) garage door code is 1928
    3.) basement window will crack under 10lbs of pressure to left side
    4.) his credit cards are in the kitchen cabinet on the right side of the fridge.

    If people posted stuff like this on the internet, or anywhere, I am sure they would be arrested, or a law would eventually be created to make it illegal. Are software and electronics any different?

    The answer is no.

    *sorry for the double post, MDN blew up in the middle of writing this.

  11. They’ll probably be pointing out security risks such as “giving someone your admin password and unrestricted access to your computer could lead to data loss” or “there’s a bug in 10.2 that has STILL not been patched by Apple”

    No, I don’t think that OSX is iron clad secure, ANY computer that is “used” for anything is by its very nature less secure than one sitting in a box unopened. BUT, if they’re going to rile up everyone, I’d rather it be for “new vile adware that installs while OSX is SHUT DOWN” and not “under the exact right conditions with my ear close enough to the wall and you’re yelling out your IP address and password, I can break into your wireless network… if you have security turned off… and give me that password too…”

  12. “Many have tried to tell Apple of problems only to be mistreated by Apple.”

    Mistreated by Apple in this case may mean, “didn’t get my anus lubed orally”, or “claimed to have found the bug internally so the bastards won’t give me credit”

    I’ve submitted bugs to Apple and when they come back “Duplicate” it’s not an attack on my character and I’m not so full of myself as to believe I’m the god of bug-finding. These guys on the other hand…

    Seriously, how can Apple MISTREAT a bug reporter?

    “I reported a possible security risk in the way Keynote handles URLs and Apple came to my job, cuffed me with a squid, stripped my clothes on the way to the elevator, and then, in plain view of shocked riders, berated my haircut! Soon, I was whisked away to my home, (which had already been ramshackled) to force me to watch as they ramshackled it some more for good measure. Then, they urinated down my chimney, propped my front door open with a ceiling fan and drew vulgar caricatures on the doorjambs with green ketchup using an Oxo spatula.”

    Was it something like that?

  13. Vulnerability does not equal exploit.
    Exploit does not equal dangerous compromise.
    Windows security does not equal Mac OS X security.

    Mac OS X is more secure because of its superior design. It is less vulnerable to whatever “holes” do exist because it is a multi-user system by design, and what a hacker can do with such a hole is very limited. Mac OS X will not be overly targeted for even the lame and harmless “concept” malware threats, because Windows is an infinitely easier target for hackers. All of this attention just makes me feel MORE secure using Mac OS X, because apparently, this is the best all of these pseudo-“security experts” can do: TALK about security vulnerabilities instead of demonstrating how one might work as an exploit. In the rare case when it is demonstrated, it ends up being something like that wireless “card” exploit that did not use Apple’s built-in wireless or its driver.

  14. Wish it were so,

    You do realize that if this second month of ‘please buy my Mac OS X anti-virus software’ bullshit creates one malware exploit in the wild, these stupid bastards would have to find 120,000 more holes to catch up to the Windows horror story?

    Keep wishing, it’s not going to happen.
