Michael Gracie

Apple’s month it is, but controversy remains

This is where the whole security by obscurity thing really comes into play…

MacWorld is starting, and concurrent with it comes a beautiful step-child – the Month of Apple Bugs. People are finding bugs in OS X, and others are busy fixing them. That’s great, but you can never make everyone happy – some are questioning the concept of telling the world about the security issues before notifying Apple.

“In the long term, this project is making OS X more secure,” said Gus Mueller, a developer who sells his software through his company Flying Meat. “However, in the short term, these bugs, once shown, can be used destructively.”

So hackers are going to run out and build new exploits, then co-opt their zombie networks for the purpose of capitalizing? Is that what someone is suggesting?

First, that process would be like trying to find a needle in a haystack – Apple computers still make up a small percentage of installs worldwide. Then, you have to target a handful of slightly obscure exploits. If you’re the miscreant, you get started, but you have to race Landon Fuller & Co. while they are fixing the exploits. All the while, you are hoping every Apple employee is at MacWorld (i.e. nobody at Apple is paying attention to the finds or the fixes).

An unlikely scenario.

Meanwhile, I don’t hear anyone at Apple bitching about this. For those in their security department (if they have one), it should be a party. They’ve got others doing their job for them!

Month of Apple Bugs gets its first swat

As a result of the “Month of Apple Bugs” initiative, the first pest has been found (h/t to Slashdot). It is a buffer overflow issue that, when applied very carefully, could lead to an “exploitable remote arbitrary code execution condition.”

I won’t opine on exactly what “exploitable remote arbitrary code execution condition” Mac users might face, because I simply don’t know (and the find doesn’t mention any proofs of concept in action). I’ll just take their word for it.

UPDATE: Sounds like the bugs started a while ago.

UPDATE 2: Next, please.

UPDATE 3: The quick fix is deemed a counter-attack. The Month of Apple Bugs is not really an attack, so let’s just call all this by an infrequently used term: cooperation.