News Analysis: The Month of Apple Bugs has opened old wounds in the vulnerability disclosure debate and renewed calls for a security czar to soothe Apple's relationship with hackers.
A pair of renegade hackers has launched a project aimed at embarrassing Apple Computer into fixing software vulnerabilities in a timelier manner, prompting new calls for the Cupertino, Calif. company to hire a security czar to head off a growing crisis.
The MoAB (Month of Apple Bugs) launched
on New Years day with technical details and attack code for serious holes in the way media files are played on Apples Mac OS X and the two researchersa hacker known only as L.M.H.
and Kevin Finisterrepromise to expose similar insecurities every day throughout the month of January.
The project follows L.M.H.s MoKB (Month of Kernel Bugs) project in late 2006 that also took aim at the Mac OS X and sends a clear signal that members of the hacking community are aggressively looking to debunk the general feeling that Apples flagship operating system is immune to virus and worm attacks.
The latest anti-Apple sentiment is driven mostly by what is perceived as a smug attitude towards legitimate flaws by the companys uncompromising fan base, but some security analysts believe the blame should fall entirely on Apples doorstep.
"Those Mac commercials really rubbed the security guys the wrong way. It was like a dare to break into the Mac," says Thor Larholm, an independent researcher based in Denmark.
"With Apple, it always seems like the marketing message is more important than the actual building of the software and the hackers feel they have to provide a dose of reality," Larholm said in an interview with eWEEK.
Finisterre, a hacker renowned for his work on exploiting Mac OS X vulnerabilities, says Apples tardy approach to releasing fixes for known flaws is more dangerous than any exploit released during the bug-a-day project.
"A good start would be for Apple to communicate better with those folks that do the actual reporting [of vulnerabilities]," Finisterre said in response to critics of his project.
"Perhaps more timely fixes would be nice as well. Ive got one bug that has been reported to Apple for more than three months," he added, stressing that its normal to have to chase down the companys product security team to get updates on fixes. "They should be the ones following up with us on a routine basis," Finisterre argued.
Click here to read more about Month of Apple Bugs.
Indeed, a 2006 study by the Washington Post found that Apple took about 91 days on average to issue patches for flaws that could have been used in code execution attacks.
The study found that, almost without exception, open-source Linux vendors were months ahead of Apple in fixing the same vulnerabilities.
The company does not have a patch release schedule and it is very common for a security researcher to wait through two software updates to see a reported flaw get fixed.
Apples security advisories have been criticized
for being too vague, lacking severity risk ratings and missing workarounds for users who must test patches before deployment.
In addition, the companys formal policy of refusing to "discuss or confirm" security issues until patches are released also rub researchers the wrong way.
Is Apple confusing reality with marketing?