Month of Bugs Targets Apple

Hackers say the vendor needs to be more responsive to software threats.

A pair of renegade hackers has launched a project aimed at embarrassing Apple Computer into fixing software vulnerabilities in a timelier manner, prompting new calls for the company to hire a security czar to head off a growing crisis.

The MOAB (Month of Apple Bugs) project was launched Jan. 1 with technical details and attack code for serious holes in the way media files are played on Apple's Mac OS X, and the two researchers—a hacker known only as L.M.H. and Kevin Finisterre—promise to expose similar insecurities every day in January.

The project follows L.M.H.'s MOKB (Month of Kernel Bugs) project in late 2006 that also took aim at Mac OS X and sends a clear signal that members of the hacking community are aggressively looking to debunk the general belief that Apple's flagship operating system is safe from virus and worm attacks.

The latest anti-Apple sentiment is driven mostly by what is perceived as a smug attitude toward legitimate flaws by the Cupertino, Calif., company's uncompromising fan base, but some security analysts say the blame should fall entirely on Apple's doorstep.

"Those Mac commercials really rubbed the security guys the wrong way. It was like a dare to break into the Mac," said Thor Larholm, an independent researcher based in Copenhagen, Denmark. "With Apple, it always seems like the marketing message is more important than the actual building of the software, and the hackers feel they have to provide a dose of reality."

Apple officials did not respond to a request for an interview. In a statement sent to eWeek when the MOAB project was launched, spokesperson Anuj Nayar said Apple "takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users."

Finisterre, a hacker renowned for his work on exploiting Mac OS X vulnerabilities, said Apple's tardy approach to releasing fixes for known flaws is more dangerous than any exploit released during the bug-a-day project. "A good start would be for Apple to communicate better with those folks that do the actual reporting [of vulnerabilities]," Finisterre said. "Perhaps more timely fixes would be nice as well. I've got one bug that has been reported to Apple for more than three months."

Finisterre said it's become the norm to have to chase down Apple's product security team to get updates on fixes. "They should be the ones following up with us on a routine basis," he said.

Indeed, a 2006 study by The Washington Post found that Apple took about 91 days on average to issue patches for flaws that could have been used in code execution attacks. The study found that most open-source Linux vendors were months ahead of Apple in fixing the same vulnerabilities.

The company does not have a patch release schedule, and it's common for a security researcher to wait through two software updates to see a reported flaw get fixed. Apple's security advisories have been criticized as being too vague, lacking severity risk ratings and missing workarounds for users who must test patches before deployment. In addition, the company's formal policy of refusing to "discuss or confirm" security issues until patches are released also rubs researchers the wrong way.

Mark Loveless, a veteran hacker who now works as a senior security researcher at Vernier Networks, in Mountain View, Calif., said dealing with Apple on product flaws can be "like pulling teeth."

"They don't have a lot of people there who understand what motivates researchers. They're drinking the same Kool-Aid that their marketing people have put into those TV ads," said Loveless, known in security circles as "Simple Nomad." "Say what you want about the Month of Apple Bugs, it will push Apple to change. We went through that with Microsoft a few years ago. No one thought Microsoft would change, but look at them now. They set the standard for how it should be done."

Thomas Ptacek, a researcher at New York-based penetration-testing company Matasano Security, agreed that Apple's inability to ship timely patches is a problem, but he criticized L.M.H. and Finisterre for releasing exploits without advance notice to the vendor. "The story should be about a vendor shipping products that put customers at risk. Instead, they're making Apple into a victim," Ptacek said.

Ross Brown, CEO at eEye Digital Security, in Aliso Viejo, Calif., said his research team has found Apple's engineers "very responsive" to flaw warnings. eEye has been credited with discovering several gaping holes in Apple's QuickTime and iTunes applications, and at every stage of the disclosure process, Brown said, Apple's process worked very well. When Apple—or any other vendor—is slow to patch, eEye uses a color-coded system on its Upcoming Alerts page to display the overdue nature of the fix. "I like what eEye does. They document how recalcitrant a vendor is without all the month-of-bugs grandstanding," said Matasano's Ptacek.

Rich Mogull, an analyst with Gartner, was equally dismissive of the MOAB approach. "This Month of stuff is getting out of hand," Mogull said. "As messed up as the industry's disclosure approaches may be, dumping code isn't the answer. [While] there is sometimes a time and place for releasing code, this clearly isn't it." Mogull said the project was the "cyber-equivalent of a self-declared vigilante smashing everyone's doors down while they're away on vacation, leaving them as burglar bait, to prove to them how weak their lock vendor is."

Despite the disagreements, Vernier's Loveless said the negative publicity will force Apple to heed calls to hire a security czar. "They need someone with real authority to drive decisions and that might actually force a change there," he said. "They have to change this smug, feisty approach to dealing with security. The notion that the Mac is secure is ridiculous. They need someone there to separate marketing from reality."