A pair of renegade hackers has launched a project aimed at embarrassing Apple Computer into fixing software vulnerabilities in a timelier manner, prompting new calls for the Cupertino, Calif. company to hire a security czar to head off a growing crisis.
The MoAB (Month of Apple Bugs) launched on New Year's Day with technical details and attack code for serious holes in the way media files are played on Apple's Mac OS X, and the two researchers—a hacker known only as L.M.H. and Kevin Finisterre—promise to expose similar insecurities every day throughout the month of January.
The project follows L.M.H.'s MoKB (Month of Kernel Bugs) project in late 2006, which also took aim at Mac OS X, and sends a clear signal that members of the hacking community are aggressively looking to debunk the general feeling that Apple's flagship operating system is immune to virus and worm attacks.
The latest anti-Apple sentiment is driven mostly by what is perceived as a smug attitude toward legitimate flaws on the part of the company's uncompromising fan base, but some security analysts believe the blame should fall entirely on Apple's doorstep.
“Those Mac commercials really rubbed the security guys the wrong way. It was like a dare to break into the Mac,” says Thor Larholm, an independent researcher based in Denmark.
“With Apple, it always seems like the marketing message is more important than the actual building of the software and the hackers feel they have to provide a dose of reality,” Larholm said in an interview with eWEEK.
Finisterre, a hacker renowned for his work on exploiting Mac OS X vulnerabilities, says Apple's tardy approach to releasing fixes for known flaws is more dangerous than any exploit released during the bug-a-day project.
“A good start would be for Apple to communicate better with those folks that do the actual reporting [of vulnerabilities],” Finisterre said in response to critics of his project.
“Perhaps more timely fixes would be nice as well. I've got one bug that has been reported to Apple for more than three months,” he added, stressing that it's normal to have to chase down the company's product security team to get updates on fixes. “They should be the ones following up with us on a routine basis,” Finisterre argued.
Indeed, a 2006 study by the Washington Post found that Apple took about 91 days on average to issue patches for flaws that could have been used in code execution attacks.
The study found that, almost without exception, open-source Linux vendors were months ahead of Apple in fixing the same vulnerabilities.
The company does not have a patch release schedule and it is very common for a security researcher to wait through two software updates to see a reported flaw get fixed.
Apple's security advisories have been criticized for being too vague, lacking severity ratings and omitting workarounds for users who must test patches before deployment.
In addition, the company's formal policy of refusing to “discuss or confirm” security issues until patches are released also rubs researchers the wrong way.
Is Apple Confusing Reality
Mark Loveless, a veteran hacker who now works as a senior security researcher at Vernier Networks, in Mountain View, Calif., says dealing with Apple on product flaws could be “like pulling teeth.”
“They don't have a lot of people there who understand what motivates researchers. They're drinking the same Kool-Aid that their marketing people have put into those TV ads,” said Loveless, who is known in security circles as “Simple Nomad.”
“Say what you want about the Month of Apple Bugs, it will push Apple to change. We went through it with Microsoft a few years ago. No one thought Microsoft would change but look at them now. They set the standard for how it should be done,” Loveless added.
Thomas Ptacek, a researcher at New York-based pen-testing outfit Matasano Security, agrees that Apples inability to ship timely patches is a big problem, but he is critical of L.M.H. and Finisterre for releasing exploits without giving advance notice to the vendor.
“The story should be about a vendor shipping products that put customers at risk. Instead, they're making Apple into the victim,” Ptacek said, arguing that there's no justification for stockpiling flaws and exploits for the specific purpose of releasing them as part of a bug-a-day project. “What's the purpose of that?” he asked.
Ross Brown, CEO at eEye Digital Security, in Aliso Viejo, Calif., says his research team has found Apple's engineers “very responsive” to flaw warnings. eEye has been credited with the discovery of several gaping holes in Apple's QuickTime and iTunes applications and, at every stage of the disclosure process, Brown said, Apple's process worked very well.
“They do have a problem with the time they take to provide a fix and the fact that there's no scheduled time for patches, but I don't think it's fair to blame Apple for being unresponsive,” Brown said in an interview with eWEEK.
When Apple—or any other vendor—is slow to patch, eEye uses a color-coded system on its upcoming advisories page to display the overdue nature of the fix.
“I like what eEye does. They document how recalcitrant a vendor is without all the month-of-bugs grandstanding,” said Matasano's Ptacek.
Rich Mogull, a VP of research in Gartner's Information Security and Risk practice, was equally dismissive of the MoAB approach.
“This Month of stuff is getting out of hand. As messed up as the industry's disclosure approaches may be, dumping code isn't the answer. [While] there is sometimes a time and place for releasing code, this clearly isn't it,” Mogull said.
He described the project as the “cyber-equivalent of a self-declared vigilante smashing everyone's doors down while they're away on vacation, leaving them as burglar-bait, to prove to them how weak their lock vendor is.”
Mogull warned that the daily release of exploit code “is only going to make us end users less secure, and make it even harder to deal with vendors.”
Despite the disagreements—L.M.H. and Finisterre are considered heroes in the hacking community—Vernier's Loveless believes the fallout from the negative publicity will force Apple to heed calls for the hiring of a security czar with the clout to implement the necessary changes.
“They need someone with real authority to drive decisions and that might actually force a change there. They have to change this smug, feisty approach to dealing with security. The notion that the Mac is secure is ridiculous. They need someone there to separate marketing from reality,” Loveless said.
Apple did not respond to a request for an interview. In a statement sent to eWEEK when the MoAB was launched, company spokesman Anuj Nayar said Apple, “takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users.”
Check out eWEEK.com's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraine's eWEEK Security Watch blog.