Developers of applications for Apples Mac OS X have been watching the Month of Apple Bugs project closely, and are generally in favor of the projects goal of uncovering OS flaws.
But they, and security companies, have questions about the MOAB groups method, which involves making their findings public immediately, instead of first alerting Apple Computer.
The MOAB project was organized by Kevin Finisterre and a hacker who goes by the handle LMH. Their progress, and links to previous Month of Kernel Bugs and Month of Browser Bugs campaigns, can be traced on their project Web site. The stated goal of MOAB is to uncover one bug a day for the month of January 2007.
To date, they have kept their pace, revealing two vulnerabilities in Apples QuickTime media layer, one in iPhoto and another in a third-party application, the VLC media player. One of the QuickTime bugs was shown to leave open the possibility of an attacker executing code on a victims computer.
Landon Fuller, a programmer unaffiliated with Finisterre and LMH, is coordinating or creating fixes to the vulnerabilities found by MOAB and making them available on his own site.
“In the long term, this project is making OS X more secure,” said Gus Mueller, a developer who sells his software through his company Flying Meat. “However, in the short term, these bugs, once shown, can be used destructively,” he added.
“I think the correct way to handle the exploits would have been to inform Apple, and give them something like four to six weeks to get a fix out,” Mueller said, noting that this has been the standard method of OS bug reporting. “If nothing comes out of Apple at that point, then Id publish the exploit. This way earns you credibility and respect,” he said.
“Usually, and the way it seems you should do it,” said Mueller,” is that you should let the softwares owner know when you have discovered a bug.”
Wil Shipley, the CEO of Delicious Monster Software, said he agreed that there is a greater good in reporting OS bugs. “First off, Ill say, as Apple does, that finding bugs in Mac OS X is really good for all of us—Apple, third-party developers, Mac users—and so, you know, bully for those guys,” he said.
But Shipley said he also questions how the MOAB project is going about its goals.
“The only unsavory bit in all this is that originally, when I read about MOAB, it was positioned as a response to Apple being smug about security, which is childish and inane,” said Shipley.
“Apple has a right to be smug about an area in which they are better then their competition, even if they are not totally perfect.”
Hunting the Doozies
Brent Simmons, the owner of Ranchero Software, said that he once uncovered a bug that “turned out to be a security risk.” He reported it to Apple first and was later even credited when the company released an update that fixed the bug.
Security companies say that this is their procedure.
“The computer security industry came up with the term responsible disclosure,” said Fred Doyle, the director of iDefense Labs, to denote the process of reporting bugs to software manufacturers.
“This is much different from the MOAB process,” he said. “We give notice to the vendor and give them a responsible amount of time before going public.”
Doyle noted that they will go public with a security issue if a vendor is unresponsive. “However,” he said, “this has not been the case with Apple.”
“From our perspective,” he said, “theyre missing an important step.”
Dave Marcus, security research and communications manager for McAfee Avert Labs, concurred.
The timing of releasing information on a security vulnerability is “an area of contention for most security companies,” he said. But, he added, “While all security vendors think patching vulnerabilities is a good idea, disclosing them in this manner puts users at risk, and thats never a good process.”
Still, Mueller said, the bug tracking is a vital service. “The QuickTime bug in my eyes is a doozy,” he said.
“I took the work they did to expose the bug, and then made my own version of it where if you visited a particular Web page in Safari, it would download an application and run it automatically,” Mueller said. He has posted a sample of this on his blog.
“Thats real bad. Granted, there have to be a number of things that are just right for it to happen, but the Intel iMac sitting on my desk fit the mold perfectly, and I got to see it happen first hand.”
McAfees Marcus said he agreed on the severity of the flaw. “So far, the bugs are not show-stoppers, but thats not to make them trivial. Anything that results in code execution or privilege escalation should be taken seriously, but so far nothing is a show-stopper,” he said.
That security flaws exist in Apple products shouldnt be surprising, said iDefenses Doyle. “Theres no such thing as a perfectly secure software product of any type,” he said.
“If it were like the old Windows case of a new and major vulnerability each day for a month, then people might have a different perception of OS X,” said Mueller, “but thats not whats happening here.”
A spokesperson for Apple said that “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac.”