Apple to get a month of security bugs
Apple Computer Inc. will soon be a member of the "month of bugs" club.
On Jan. 1, two security researchers will begin publishing details of a flood of security vulnerabilities in Apple's products. Their plan is to disclose one bug per day for the entire month, they said Tuesday.
The project is being launched by an independent security researcher, Kevin Finisterre, and a hacker known as LMH, who declined to reveal his identity.
Some of the bugs "might represent a significant risk," LMH said in an e-mail interview. "Others have a lower impact on security. We are trying to develop working exploits for every issue we find."
The two hackers plan to disclose bugs in the Mac OS X kernel as well as in software such as Safari, iTunes, iPhoto and QuickTime, LMH said. Some of the bugs will also affect versions of Apple's software designed to run on Microsoft Corp.'s Windows operating system, he added.
LMH was one of the brains behind the recent Month of Kernel Bugs project, which exposed flaws at the core of several different operating systems. It was inspired by an earlier effort, called the Month of Browser Bugs, which was kicked off in July.
This latest Apple project is being launched to raise awareness of security vulnerabilities in Apple's products and to "stomp smugness," Finisterre said via e-mail.
While the Macintosh is generally considered to be more secure than the Windows PC, many security researchers believe that this reputation is not attributable to any superior security practices on the part of Apple. They say attackers have been deterred by the Mac OS X's more secure Unix kernel and the product's less widespread adoption.
Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple's wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.
LMH said the Apple community's negative response to Maynor and Ellch's claims played a role in the decision to launch the Month of Apple bugs.
"I was shocked with the reaction of some so-called 'Apple fans,'" he said. "I can't understand why some people react badly to disclosure of issues in their system of choice. ... That helps to improve its security."
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
Esther Schindler
If the comments are ugly, the code is ugly
claird
SVG a graphics format for 21st century
pasmith
Take Chrome OS for a test spin
Sandra Henry-Stocker
Solaris Tip: Have Your Files Changed Since Installation?
jfruh
Android fragments vs. the iPhone monolith
mikelgan
What Gizmodo missed about the Pro WX Wireless USB disk drive
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
