Mac OS X developers say they are watching the Month of Apple Bugs project closely, but some question the organizers' method of publicly disclosing newly discovered security flaws before first alerting Apple.
Developers of applications for Apples Mac OS X have been watching the Month of Apple Bugs
project closely, and are generally in favor of the projects goal of uncovering OS flaws.
But they, and security companies, have questions about the MOAB groups method, which involves making their findings public immediately, instead of first alerting Apple Computer.
The MOAB project was organized by Kevin Finisterre and a hacker who goes by the handle LMH. Their progress, and links to previous Month of Kernel Bugs and Month of Browser Bugs campaigns, can be traced on their project Web site.
The stated goal of MOAB is to uncover one bug a day for the month of January 2007.
To date, they have kept their pace, revealing two vulnerabilities in Apples QuickTime media layer, one in iPhoto and another in a third-party application, the VLC media player. One of the QuickTime bugs was shown to leave open the possibility of an attacker executing code on a victims computer.
Landon Fuller, a programmer unaffiliated with Finisterre and LMH, is coordinating or creating fixes to the vulnerabilities found by MOAB and making them available on his own site.
"In the long term, this project is making OS X more secure," said Gus Mueller, a developer who sells his software through his company Flying Meat.
"However, in the short term, these bugs, once shown, can be used destructively," he added.
"I think the correct way to handle the exploits would have been to inform Apple, and give them something like four to six weeks to get a fix out," Mueller said, noting that this has been the standard method of OS bug reporting. "If nothing comes out of Apple at that point, then Id publish the exploit. This way earns you credibility and respect," he said.
Click here to read about the monthlong hunt for kernel bugs launched last November.
"Usually, and the way it seems you should do it," said Mueller," is that you should let the softwares owner know when you have discovered a bug."
Wil Shipley, the CEO of Delicious Monster Software,
said he agreed that there is a greater good in reporting OS bugs. "First off, Ill say, as Apple does, that finding bugs in Mac OS X is really good for all of usApple, third-party developers, Mac usersand so, you know, bully for those guys," he said.
But Shipley said he also questions how the MOAB project is going about its goals.
"The only unsavory bit in all this is that originally, when I read about MOAB, it was positioned as a response to Apple being smug about security, which is childish and inane," said Shipley.
"Apple has a right to be smug about an area in which they are better then their competition, even if they are not totally perfect."
Next Page: In search of "show-stoppers."