Microsoft may not be the only software company that uses secret techniques
to make its own applications work better with its operating system: a Mozilla
Firefox developer has discovered similar practices at Apple.
While looking for ways of speeding up the performance of the upcoming Firefox
3 browser, developer Vladimir Vukicevic said this week that he came across dozens
of secret tweaks built into WebKit - the software at the core of Apple's own
Safari browser.
Separately, security researchers said this week they have found a way of locally
bypassing the security of Mac OS X's Keychain password system.
Vukicevic was able to use a publicly documented technique to get the efficiency
gain he wanted, but noticed that WebKit has its own, undocumented way of getting
around the problem.
"Apparently, there is a way to do this programmatically, along with some
other interesting things like enabling window update display throttling - but
only if you're Apple," he wrote in a blog post. "All these WebKit
methods are undocumented, and they appear in binary blobs shipped along with
the WebKit source."
He said there are more than 100 such undocumented techniques in the WebKit
library. "Would any other apps like to take advantage of some of that functionality?
I'm pretty sure the answer there is yes, but they can't," he wrote.
Safari is based on open source software, but the hidden methods demonstrate
that Apple isn't fully committed to open source, Vukicevic argued.
"Despite my frustrations with Linux, this type of hiding isn't really
possible in a real open source environment," he wrote. "I don't think
this is malicious, it's just an unfortunate cutting of corners that is way too
easy for a company that's not fully open to do."
David Hyatt, a WebKit developer, responded that the undocumented parts of Safari
are kept hidden for a reason.
"Many of the private methods that WebKit uses are private for a reason.
Either they expose internal structures that can't be depended on, or they are
part of something inside a framework that may not be fully formed," he
wrote on Vukicevic's blog. "As you yourself blogged, there was a totally
acceptable public way of doing what you needed to do."
Separately, Apple confirmed a security bug that could allow local users to
get access to a Mac OS X user's passwords.
The problem was discovered by programmer Jacob Appelbaum, one of the researchers
who last week published methods for cracking hard disk encryption systems.
The password problem, which is specific to Mac OS X, is down to a programming
error that stores the user account password in the computer's physical memory
even after it's no longer needed.