All Posts Tagged Vulnerabilities

Apple’s month it is, but controversy remains

January 7th, 2007

This is where the whole security by obscurity thing really comes into play…

MacWorld is starting, and concurrent with it comes a beautiful step-child - the Month of Apple Bugs. People are finding bugs in OS X, and others are busy fixing them. That’s great, but you can never make everyone happy - some are questioning the concept of telling the world about the security issues before notifying Apple.

“In the long term, this project is making OS X more secure,” said Gus Mueller, a developer who sells his software through his company Flying Meat. “However, in the short term, these bugs, once shown, can be used destructively.”

So hackers are going to run out and build new exploits, then co-opt their zombie networks for the purpose of capitalizing? Is that what someone is suggesting?

First, that process would be like trying to find a needle in a haystack - Apple computers still make up a small percentage of installs worldwide. Then, you have to target a handful of slightly obscure exploits. If you’re the malcreant, you get started, but have to race Landon Fuller & Co. while they are fixing the bugs behind those exploits. All the while, you are hoping every Apple employee is at MacWorld (i.e. nobody at Apple is paying attention to the finds or the fixes).

An unlikely scenario.

Meanwhile, I don’t hear anyone at Apple bitching about this. For those in their security department (if they have one), it should be a party. They’ve got others doing their job for them!

Lucky 11 vulnerability scanners reviewed

January 2nd, 2007

Once you run them, you will realize that you have 2 million cross-site scripting vulnerabilities on your site that were supposedly fixed months ago by open-source hackers, and the firewall you just paid three grand for will resemble Swiss cheese because your junior sysadmin is still trying to get it configured.

Nevertheless, check out the review. (h/t to Slashdot).

Month of Apple Bugs gets its first swat

January 2nd, 2007

As a result of the “Month of Apple Bugs” initiative, the first pest has been found (h/t to Slashdot). It is a buffer overflow issue that, when exploited very carefully, could lead to an “exploitable remote arbitrary code execution condition.”

I won’t opine on exactly what “exploitable remote arbitrary code execution condition” Mac users might face, because I simply don’t know (and the find doesn’t mention any proofs of concept in action). I’ll just take their word for it.

UPDATE: Sounds like the bugs started a while ago.

UPDATE 2: Next, please.

UPDATE 3: The quick fix is deemed a counter-attack. The Month of Apple Bugs is not really an attack, so let’s just call all this by an infrequently used term… cooperation.

SANS Top 20 Hackers’ Holes

November 20th, 2006

SANS has named its top hacker targets for 2006, and surprisingly, Internet Explorer and other Windows components are on the list ;-).

Also included is Mac OS X, including its Safari browser, the image input/output framework, wireless networking, and the ubiquitous “other.” Most of this stuff is either patched with significant speed, or was someone else’s fault to begin with (think wireless) - the real risk to OS X is that the resurgence of UNIX-like operating systems will prompt hackers to look for vulnerabilities that carry over to OS X.

As for the Windows stuff, including IE, the Libraries, MS Office, the Services, and configuration issues…well, their numbers are beyond the scope of this post (or my limited attention span, while typing from 10.4.8).

US-CERT needs to learn how to count

January 5th, 2006

And people writing internet news need to pay attention to details.

In the last twelve hours, I have noted roughly fifty online articles touting the latest US-CERT Security Bulletin, and how UNIX/Linuxes have three times as many vulnerabilities as Windows.

Pay attention, and do your homework! There are a number of popular flavors of UNIX, including HP-UX, Solaris, and AIX. On the Linux front, there are at least a hundred different flavors. At last count, Microsoft Windows basically came in TWO flavors, the first consisting of Windows 95, 98, and Me, and the second being NT, 2000, and XP. So, UNIX/Linux variants outnumber Windows by a factor of more than 100 to 1, making these upfront statements more than a bit suspect.

If we dig a little deeper into the government-sponsored list, we note that it also includes every application generally bundled with *NIX systems, including things like Apache Web Server, the MySQL database, and even the Ethereal Packet Analyzer. Those bundled items’ open source nature presumes that vulnerabilities will get reported promptly and publicly. But those three, and many others, ARE ALSO AVAILABLE FOR WINDOWS, yet no vulnerabilities related to them are in the Windows list. Is US-CERT trying to say that vulnerabilities don’t exist for those products on the Windows platform, or are said issues just not being reported because they are fairly obscure? Additionally, I noted on the Windows list that SQL Server 2000 occupied a single line, with a link to a statement suggesting “multiple vulnerabilities” and a link to Microsoft’s patch download area. I don’t get it.
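To show how far the headline ratio moves depending on what you count, here is a small added example (not from US-CERT, and not from this blog) that runs the two objections above over a constructed bulletin: cross-platform products filed under only one column, and a single line that rolls up several issues. Every entry in the sample list is made up for illustration; only the product names echo the post.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One line of a (constructed) vulnerability bulletin."""
    product: str
    ships_on: tuple      # OS families the product actually runs on
    listed_under: str    # column the bulletin filed this line in
    issues: int = 1      # distinct vulnerabilities rolled into the one line


# Constructed sample bulletin; the platform assignments and issue counts are
# invented to illustrate the counting problem, not taken from any real report.
BULLETIN = [
    Entry("Apache HTTP Server", ("unix", "windows"), "unix"),
    Entry("MySQL", ("unix", "windows"), "unix"),
    Entry("Ethereal", ("unix", "windows"), "unix"),
    Entry("HP-UX", ("unix",), "unix"),
    Entry("Solaris", ("unix",), "unix"),
    Entry("AIX", ("unix",), "unix"),
    Entry("Windows kernel", ("windows",), "windows"),
    Entry("Internet Explorer", ("windows",), "windows"),
    Entry("SQL Server 2000", ("windows",), "windows", issues=4),  # "multiple vulnerabilities" on one line
]


def headline_counts(entries):
    """Count lines per column exactly as the bulletin files them (the press-release number)."""
    return dict(Counter(e.listed_under for e in entries))


def issue_counts(entries):
    """Count distinct issues per column, so a 'multiple vulnerabilities' line is not one."""
    totals = Counter()
    for e in entries:
        totals[e.listed_under] += e.issues
    return dict(totals)


def cross_platform_counts(entries):
    """Charge every platform a product ships on, not only the column it was filed under."""
    totals = Counter()
    for e in entries:
        for family in e.ships_on:
            totals[family] += e.issues
    return dict(totals)


def native_only_counts(entries):
    """Drop third-party products that ship on more than one family and compare OS code alone."""
    totals = Counter()
    for e in entries:
        if len(e.ships_on) == 1:
            totals[e.ships_on[0]] += e.issues
    return dict(totals)


def ratio(counts, numerator="unix", denominator="windows"):
    """Headline-style 'X has N times as many vulnerabilities as Y' ratio."""
    return counts.get(numerator, 0) / counts.get(denominator, 0)


if __name__ == "__main__":
    for label, fn in [("as filed", headline_counts), ("per issue", issue_counts),
                      ("cross-platform", cross_platform_counts), ("native only", native_only_counts)]:
        counts = fn(BULLETIN)
        print(f"{label:15} {counts}  unix/windows = {ratio(counts):.2f}")
```

On this constructed data the "as filed" ratio is 2.0 in favour of UNIX being worse, unrolling the SQL Server line brings it to 1.0, crediting cross-platform products to both columns drops it below 1, and comparing only platform-native code inverts it to 0.5. The numbers are fabricated; the point is that each of the four counting rules is defensible and they do not agree.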

Someone needs to do a more thorough analysis of this list; otherwise I am considering its headlined conclusions nothing more than general bunk.