×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Month of Apple Bugs - First Bug Unveiled

Zonk posted more than 7 years ago | from the apple-must-be-so-proud dept.

Apple 240

ens0niq writes "The first bug (a Quicktime rtsp URL Handler Stack-based Buffer Overflow) of the Month of Apple Bugs has been unveiled — as previously promised — by LMH and Kevin Finisterre. From the FAQ: 'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

240 comments

QuickTime runs on Windows too... (0, Redundant)

ClaraBow (212734) | more than 7 years ago | (#17430992)

so doesn't this effect it also?

Re:QuickTime runs on Windows too... (4, Informative)

antime (739998) | more than 7 years ago | (#17431014)

RTFA:
Affected versions

This issue has been successfully exploited in QuickTime(TM) Version 7.1.3, Player Version 7.1.3. Previous versions should be vulnerable as well. Both Microsoft Windows and Mac OS X versions are affected.

Re:QuickTime runs on Windows too... (4, Informative)

elrous0 (869638) | more than 7 years ago | (#17431176)

You'll note that it's the "Month of *APPLE* Bugs," not the month of OS X bugs.

-Eric

Re:QuickTime runs on Windows too... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17431662)

I'd be willing to be that a large percentage of these are holes in QuickTime. It's not really a shock to anyone to suggest that it's a buggy, badly coded pile of shit.

I'd be interested to see what they define as "Apple". Do they mean just Apple software, or software that's bundled by Apple? For example, an update last year added in the Macromedia Flash player. I would imagine that that is riddled with security holes.

There's a reason I browse with all plugins disabled, you know...

Re:QuickTime runs on Windows too... (1, Redundant)

ClaraBow (212734) | more than 7 years ago | (#17431028)

Okay, since I jumped the gun, I will answer my own questions: RTFA, yes it does!

good thought but I wonder (0)

Anonymous Coward | more than 7 years ago | (#17430998)

though I applaud efforts to improve apple products in general. Is this communicated to Apple first before posting? If so, what is the level of interaction?

Re:good thought but I wonder (5, Informative)

jellomizer (103300) | more than 7 years ago | (#17431052)

These people are doing Gray Hat hacking. Where like the White Hats their goal is not to do damage to others people computers, but like the black hats feel that people need to feel a little pain before anything can get done and just reporting the problems to the company is not effective enough to get it done. It falls in the range of legal hacking, But it may not be the most moral way of doing it though. It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked. Or just locking the door yourself.

Re:good thought but I wonder (4, Insightful)

aj50 (789101) | more than 7 years ago | (#17431232)

It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked. Or just locking the door yourself.
Not really.

It's more like finding a bank vault open and shouting out, "Hey, everyone, this bank has left its vault open with your money in it."

Re:good thought but I wonder (4, Insightful)

elrous0 (869638) | more than 7 years ago | (#17431242)

A poor analogy, methinks. It's more like discovering that an apartment building master key has gotten into criminal hands. First you go to the building manager and ask him to change the locks. If he refuses to do so promptly, you go to the residents and inform them. The problem comes when the master key gets out a lot and the building manager consistently drags his heals on changing the locks each time it does. At a certain point, you realize that the only way to really get his attention is to go directly to the residents.

-Eric

Re:good thought but I wonder (4, Insightful)

jellomizer (103300) | more than 7 years ago | (#17431336)

Not exactly first in this case they are not going to the manager first they are going to the public about it first.

Next a Bad guy may not have the key, but once he knows the key is missing he will start looking around for the guy who found the key and take it away from him. It is more like the key is hidden under the welcome mat. And the guy found it one day then blabbed about it to everyone even outside the apartment.

As a land lord myself I know, some jobs can't be done right away. Some things espectially changing all the locks takes time including finding the residence and giving them the new key before they leave. so you can change their locks. Also the time to fix all the locks, dealing with people who think there lock should be replaced first, others who love their lock so much they don't want to change it. Some people creek in fear when the land lord knocks figuring they will evict them with a blink of an eye. (even though it is expensive to leave a room vacent)

Re:good thought but I wonder (0)

Anonymous Coward | more than 7 years ago | (#17431292)

Yes, good for them.

Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't. They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile. So they're out to raise the profile of each problem. Much better than using the vulnerabilities to build Mac-based botnets, which is the other way that a vulnerability might become notorious (see every version of Internet Explorer, ever).

Re:good thought but I wonder (3, Interesting)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17431508)

Black hats are interested in profiting from their knowledge of vulnerabilities. These guys aren't.

I disagree. Black hats are interested in illegally profiting from vulnerabilities. White hats are interested in legally and ethically benefiting from vulnerabilities. Grey hats are interested in benefitting from security exploits in ways that are unethical and questionably legal.

They want them to be fixed and know that even the deified Apple won't allocate resources to fixing problems that have a low profile.

No, these guys want publicity for themselves. Apple has been quite responsive to security researchers and most that I know think Apple has been doing a pretty reasonable job. If you're going to argue that bugs need to be publicly released because Apple won't fix them otherwise, you need to support that assertion. Even then, what is your justification for not releasing it immediately, but doling them out more slowly? That doesn't benefit anyone but these researchers for whom it provides prolonged media exposure they hope to gain from financially.

So they're out to raise the profile of each problem.

Raising the profile of a problem makes sense, if it is being exploited in the wild or if you've contacted the vendor and they're dragging their heels while people are at risk. Otherwise, it is simply harmful to everyone involved.

Much better than using the vulnerabilities to build Mac-based botnets...

Ahh, the classic "we're not as bad as China" argument. Doing something unethical isn't made any less unethical by the fact that someone else is doing something even more unethical. These guys obviously are interested in one thing, getting themselves in the news to make themselves money.

Re:good thought but I wonder (2, Interesting)

Secrity (742221) | more than 7 years ago | (#17431294)

This analogy sucks because a guy leaving his door unlocked doesn't normally affect others and there is no need to publicize it.

Gray Hat hacking is like discreetly telling the guy that his car door is open, waiting for a while to give him a chance to lock his door, then yelling "Hey This Car Door is Open and all the valuables are inside". The most hotly debated item is how long the waiting part of "waiting for a while to give him a chance" should be because there is no clear consensus on how long it should be. Vendors believe that the waiting time should be until the vendor announces the vulnerability, which may be 'never'. Some Gray Hats believe that a vulnerability should be publicized as soon as it is discovered.

The biggest issue is that vendors rarely say how to report security vulnerabilities in a way that the vendor will acknowledge that it has been made aware of the potential vulnerability. This lack of acknowledgment is the primary reason for Gray Hats having to publicize the vulnerability. Another big issue is that security engineers live and die by being the first to report a vulnerability -- and vendors don't usually give credit to the engineer who reported the vulnerability to them. Even if a patch for a serious vulnerability is released the vendor may not even acknowledge that a serious vulnerability has been patched.

Re:good thought but I wonder (1)

Giloo (1008735) | more than 7 years ago | (#17431312)

Or just locking the door yourself.
Well, hopefully will the keys not be inside if you do so ;)

--
I can't search. I uninstalled Google - P. Ducler

Re:good thought but I wonder (1)

sacrilicious (316896) | more than 7 years ago | (#17431388)

Or just locking the door yourself.

This particular option isn't really available in this case, is it? They don't control the OSX source code, Apple does.

It is like finding a car door open and yelling out "Hey This Car Door is Open and all the valuables are inside someone should lock it!" vs. Finding the person who owns the car and descretly telling him to that is is unlocked.

Bit of a problem with this analogy too. The "door" in question is controlled/lockable only by the person who owns the house (as pointed out above), yet leaving it unlocked affects not the residents of that "controlling" house but instead millions of other residents of other houses. The pivotal question is whether the owner of the controlling house can be sufficiently motivated to act on behalf of these other folks. I couldn't tell from reading the faq whether they've approached apple privately or not. I spose I'd guess they haven't or else they'd probably mention it... but that doesn't necessarily render their current approach less moral.

A Fine Plan (1)

PopeRatzo (965947) | more than 7 years ago | (#17431670)

All in all, this "Month of Bugs" thing is good approach to proactive OS support behavior by a user community. The only problem is, that such an approach requires a fair amount of Good Will towards the product from those users. This effectively rules out similar plans working for Microsoft Windows.

There really is a long-term benefit from good behavior on the part of corporations: your customers will actually go out of their way to help you.

Unlike macobserver, who seems to think things like security holes are better left unmentioned, I salute LMH and Kevin Finisterre for doing this.

At this rate (-1, Troll)

jellomizer (103300) | more than 7 years ago | (#17431022)

At this rate 30 bugs will be found. Or I could use the Linux Cop Out... Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself. Actually this could be rather serious quicktime likes to load automaticly on Macs, and it is rather tightly integrated with the OS. So an email virus could be made that will work via webmail just as Mail.app because Quicktime files are considered to be low security item. Still being a buffer overflow I am not sure how Platform Independant the hacks can be. Infecting Intel Only or PPC Only. If intel only could the hole be in quicktime for windows too, and a possible Duel OS Virus?

Re:At this rate (4, Insightful)

Rob T Firefly (844560) | more than 7 years ago | (#17431070)

Or I could use the Linux Cop Out... Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
Actually, since Apple makes both Quicktime and MacOS, it's more like the MSIE/Office copout.

Re:At this rate (0)

Anonymous Coward | more than 7 years ago | (#17431074)

Now, which way do you want it? Is it "... actually a third party application" or does it "... load automaticly [sic] on Macs, and it is rather tightly integrated with the OS"? Decide and stop blabbering about "cop outs".

Re:At this rate (1)

SNR monkey (1021747) | more than 7 years ago | (#17431078)

I don't know what you mean by the "Linux Cop Out" because it seems like you're confusing Apple and Mac OS X. Remember, this is the month of Apple bugs, not necessarily the month of OS X bugs. Also, how is quicktime a third party application if it is developed by Apple?

Re:At this rate (1)

jellomizer (103300) | more than 7 years ago | (#17431178)

Well it is a stab at the Linux user comunity on their views about security. If there is a problem it is rairly a Linux (Kernel) problem but with some other application that is running Apache, Sendmail, su, sudo... Stating these are 3rd party tools not part of Linux per say. Yes I mistakes a Month of Apple bugs with a month OS X Bugs my mistake.

Re:At this rate (0)

Anonymous Coward | more than 7 years ago | (#17431664)

Lame people shouldn't even try stabbing, they'll usually just end up hurting themselves. You sir, are a moron. Willfully ignoring facts and posting flame bait doesn't change anything. And guess what, the girls will still laugh at that small squishy thing you've got.

Re:At this rate (1, Redundant)

jokell82 (536447) | more than 7 years ago | (#17431126)

Explaining that Quicktime is actually a third party application that is bundled with the OS not the OS itself.
Actually that's (partially) true. It's not third party since it's developed by Apple, but the fact that it also affects Windows shows that it's not an OS X bug, but a Quicktime bug.

But as another comment has pointed out, this is a month of Apple bugs, not OS X bugs.

Re:At this rate (1, Funny)

Anonymous Coward | more than 7 years ago | (#17431238)

If intel only could the hole be in quicktime for windows too, and a possible Duel OS Virus


Sun to the rescue...to make it cross platform just write the virus in Java!

Re:At this rate (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17431258)

Oh Ohhh. He made fun of Linux. It must be a troll! Despite the rest of the useful information about the post. Tisk Tisk Tisk.

Re:At this rate... IE cop out (1)

klubar (591384) | more than 7 years ago | (#17432324)

The same argument could be made about many of the Microsoft bugs... IE is a third party application taht is bundled with the OS and not the OS itself. Same argument... on the otherhand QT is an Apple product so if there are security risks associated with it, the company should patch it--and not just for the most recent version of the OS.

Re:At this rate... IE cop out (2, Insightful)

UnknowingFool (672806) | more than 7 years ago | (#17433106)

IE is a third party application taht is bundled with the OS and not the OS itself.

I guess that depends on your defenition of third party. To me, neither IE nor Quicktime are not third party applications as they are made by the same company. The differentiation that you may be looking for is whether these are core system applications or optional (secondary) applications. While both bundled are with the OS, MS has constantly said that IE is a part of the OS and cannot be removed. Quicktime and Safari can be uninstalled on a Mac. The question whether IE should be tied to the OS is another debate.

And a negative side effect? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#17431030)

"A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple"

Or instead of learning from their mistakes and working to better their product line, they could just sue the guy into the ground and cover it all up like they usually do.

Re:And a negative side effect? (4, Interesting)

Anonymous Coward | more than 7 years ago | (#17431044)

Could you give some examples of Apple suing people to cover up security holes then?

Re:And a negative side effect? (1, Funny)

Scoria (264473) | more than 7 years ago | (#17431084)

He would, but they were all absorbed by Steve Jobs and his reality distortion field. Sorry.

Re:And a negative side effect? (1)

soft_guy (534437) | more than 7 years ago | (#17433492)

Could you give some examples of Apple suing people to cover up security holes then?
I could easily picture Apple contacting this guy and asking him not to continue to go public with these and agreeing to fix them.

Re:And a negative side effect? (2)

Henriok (6762) | more than 7 years ago | (#17431298)

Have Apple sued a whistleblower or someone who have reported a security issue. EVER?

Or is the parent just full of lies, FUD and other unpleasant and damaging stuff?

removed, but... (3, Informative)

ens0niq (883308) | more than 7 years ago | (#17431036)

Credit line removed by the editor, but i found this report on HUP [hup.hu].

Re:removed, but... (0, Offtopic)

FirienFirien (857374) | more than 7 years ago | (#17431060)

The article you link to is in hungarian - an unreadable language to most slashdotters - and the link inside it points back to the link in the /. summary. Why did you post it?

Re:removed, but... (1)

FirienFirien (857374) | more than 7 years ago | (#17431090)

My bad, only just realised you were the article submitter. Well, at least hopefully I explained why the .hu link wasn't included...

No problem! (4, Funny)

fo0bar (261207) | more than 7 years ago | (#17431054)

This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant.

Please, try the veal.

Re:No problem! (1, Interesting)

jellomizer (103300) | more than 7 years ago | (#17431152)

What?
Macs had viruses in the past. OS X hasn't had any yet. OS X has had security holes, which could have allowed viruses threw it but Apple patches them rather quickly before any can actually spread. Plus unlike Windows virus it actually takes a person who actually knows stuff to make an OS X virus. Most Windows virus take advantage of easy to make Active X controls, VB Scripts in applications, and a bunch of other crap that Microsoft put in their OS During the 90's because they wanted to make sure their products could do more then their competitors and because no one cared about security (well not everyone I am on record stating that Active X controls when they were released would open a nasty can of worms becuse trust base security will not work... And I was right) So they all got Outlook so people can fill out forms on their email and submit them, they had word and excel that could do anything under the sun. Now it is biting back for MS. Now Apple OS X was redesigned with a 21 centrery mindset on security. But as times goes on Apple is putting more and more features to the OS many of them are scary in security terms such as integration of iChat and and the other iApps the Automater and other things which could lead to security problems in the future.

Re:No problem! (3, Informative)

Jeff DeMaagd (2015) | more than 7 years ago | (#17431314)

I've seen several instances where Apple was aware of a bug but waited months to fix it. Heck, the Quicktime bug that permitted the MySpace virus still runs free according to the last security thread at AppleInsider.

Re:No problem! (2, Informative)

Ash-Fox (726320) | more than 7 years ago | (#17432502)

Macs had viruses in the past. OS X hasn't had any yet.
Yes it has. The first one written specifically for OS X came in the form of a trojan [macrumors.com]. I've also seen Mac classic viruses work fine on PPC OS X systems.

OS X has had security holes, which could have allowed viruses threw it but Apple patches them rather quickly before any can actually spread.
Not really. Have you forgotten things like auto-installing widgets?
Apple being behind other BSD systems in patching old exploits?
Apple being behind in patching SSH, Apache?
Plus unlike Windows virus it actually takes a person who actually knows stuff to make an OS X virus.
Uh... You need to know stuff to write a windows virus too.
Most Windows virus take advantage of easy to make Active X controls
Not according to Norton, F-secure and McAfee.
VB Scripts in applications
Not according to Norton, F-secure and McAfee.
and a bunch of other crap that Microsoft put in their OS During the 90's because they wanted to make sure their products could do more then their competitors and because no one cared about security
Uh, again no. Give me some decent examples at least.

All I can think of from the 90s in particular that's causing vulnerability issues, is how current Microsoft office documents are still mostly just memory dumps of the programs themselves.
Now Apple OS X was redesigned with a 21 centrery mindset on security.
I don't know... Most of the security techniques Apple uses were developed back in the early 90s...

However, the OS in my opinion is far from being a 21st century mind set in general. I mean, look at some of the stupid stuff we have todo.
Where we have to open a console and type
defaults write com.apple.finder AppleShowAllFiles TRUE
Or where we have to open XML files and change a bunch of values to enable/disable various GUI settings that should be in the GUI preferences pane?
Or where the OS is purposely locked into using hardware from a specific vendor? (We've had this long ago, then we kind of evolved with x86, to no longer get locked in... But here comes Apple)

But as times goes on Apple is putting more and more features to the OS many of them are scary in security terms such as integration of iChat and and the other iApps the Automater and other things which could lead to security problems in the future.
Heh, or we could the simple things that have always worked well... Exploits against the user. Just send them a e-mail with a .pkg file that contains a rootkit (there are feasible methods to-do this on OS X), said hidden process scans the address books of users on Mac (Useful, since many Mac users actually do use the mail client on the system), then starts sending copies of that .pkg to those people.

We can even expand it further get it to 'infect' any .dmg files downloaded with it's own files, (hidden files are wonderful for this), so on the off chance a infected machine sends said dmg somewhere, it will infect the other user, who thinks he's only installing (either by .pkg or drag dropping the 'application directory' file) the program he thinks.

Hell, we can even make blah.jpg.app files, which appear to most users as 'blah.jpg', hasn't Apple learned anything from Microsoft?

My point is, coming up with methods to make virii on Mac isn't that hard.

Re:No problem! (1)

jb.hl.com (782137) | more than 7 years ago | (#17433150)

You may think that whooshing noise just above your head is a plane, perhaps a helicopter, but you'll be surprised to hear it's something entirely different.

Re:No problem! (1, Insightful)

daveschroeder (516195) | more than 7 years ago | (#17432208)

In all seriousness, no reasonable person thinks that "only" Windows can get viruses.

One comment I have had (which I doubt will be approved as a comment on the blog, since - other than technical posts - lmh only seems to accept congratulatory comments), and which I am curious to have feedback on is this, below, which was in response to lmh saying:

It's a matter of time to see this getting abused in the wild. Hopefully, due to exploits being released for every critical issue, the usual 'not a problem' claims will vanish (unless the guy is a total retard).

lmh,

Of course there will be exploitable issues. It's only a matter of time to see *any* issue being "abused" in the wild. What's curious to me is you're speaking of, for instance, this rtsp issue like it's something manifestly new or unique (I know it's a "new" issue itself; that's not what I'm saying). We've seen issues to date that have allowed arbitrary code execution by a user just, for example, visiting a malicious web page. And then, Apple fixes the issue. What more do we want or expect?

I know you and others are on this kick of wanting to "prove" that Mac OS X is "insecure". But I don't know what it proves, exactly. That all large software projects and operating systems have bugs? No reasonable person says that Mac OS X is invulnerable or has no bugs. That would be absolutely ludicrous. And ordinary users don't understand anyway, even when you show them something like this.

What people do understand is machines getting hit with malware on a routine basis, or getting owned completely from remote in an automated fashion, with no user interaction whatsoever, which, as I'm sure you're aware, has happened numerous times, often with far-reaching consequences of downtime, data loss, cleanup and remediation, and recovery, on the "other" desktop platform.

The real bottom line today and ever since Mac OS X was released is this: has the Mac OS X userbase to date, or will it realistically in the future based on past performance, be affected either:

1.) in absolute numbers, or
2.) as a percentage of the total userbase

on a greater scale (or anywhere NEAR) anything we've seen affect the Windows platform?

I guess I'm curious with what your exact beef is: is it ordinary users (correctly) thinking that Mac OS X is [insert some amount here] more secure, from a practical perspective, than Windows?

Is it Apple's type/speed/thoroughness of response to security issues, once reported or revealed?

Is it Apple (again, correctly, from a practical perspective) insinuating the level of security on comparison to Windows in its commercials?

Is it Apple's legacy code, which is rife with various opportunities for exploits?

What would possibly be more productive here, and what you also didn't answer in the FAQ, is what precise actions you think Apple should be taking to remedy, for example, bugs that it is not aware of.

Should it create new teams specifically to do code audits and find vulnerabilities proactively?

Should it make public comment on security issues before it has provided a patch or fix?

Should it provide more granular separate fixes and workarounds more quickly for individual issues, instead of waiting to roll them into the next security or OS update?

Also helpful would be some kind of outline of what you believe Apple is doing *wrong*, right now, on the security front.

And yes, I could make my own list. But I'm more curious about what you think. I'm also curious whether you recognize that, while there is still a long way to go, Apple has indeed greatly improved its response to security issues in direct response to complaints and feedback it has received from the enterprise/institutional community (e.g., via Apple University Executive Forum and MacEnterprise.org)? As a direct result, Apple started making detailed reports (at last far more detailed than they were before) of each issue addressed or fixed, links to (or creates) advisories where available (e.g., US-CERT, Secunia, MITRE), has made security updates more granular than they were in the past, and so on. As I said, yes, a long way to go.

So is this effort aimed at improving Apple's response, or at "shutting up" people who you would characterize as "fanboys"?

Regards,

Dave Schroeder
University of Wisconsin - Madison
das@doit.wisc.edu
http://das.doit.wisc.edu/ [wisc.edu]

Is this true? (3, Insightful)

bogie (31020) | more than 7 years ago | (#17431112)

"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."

Is Apple as bad as MS when it comes to fixing security flaws? Is there really a need to show how "insecure" OS X is? Or is this more a "your going to start listening to security experts when they have something to say or else..." type situation. I did read the FAQ but they really don't show any evidence to prove why this is a good thing, how this will improve OS X security, or how Apple has been unwilling to fix flaws in the past.

They could be 1000% right, but on the surface I just don't see anything which either confirms or denies their theory. It would be nice to at least read some sort of history of how Apple has interacted with Security researchers in the past.

Apple Vs. Security Researchers (1, Flamebait)

porkchop_d_clown (39923) | more than 7 years ago | (#17431226)

Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.

The flame wars over the airport card exploits is a good example - first, the researchers used a 3rd party card which meant it had little to do with OS X problems, which created a number of he-said-she-said arguments. As I understand it, the airport exploit was (is still?) real, but the arguments created a lot of ill-will on both sides.

Re:Apple Vs. Security Researchers (4, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17431430)

Apple has had poor relations with security researchers for years.

Actually, Apple has had pretty good interactions with security researchers in general, in my experience. Being a huge PR magnet, however, they also manage to attract showboaters trying to capitalize on the popularity they can get by behaving in a less than reasonable manner. The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state, but Apple responded to it even though they were never contacted with the details of the supposed exploit and did fix several issues they found during a review of the wireless drivers they ship. Apple has done a pretty reasonable job of patching easily exploitable/wormable problems very quickly and they don't seem to be ignoring problems reported to them. One of my coworkers found a local exploit (low risk) and reported it through Apple's Website. The fix was in the next security update and even credited him. It seems like pretty good relations with the security researcher community to me.

As for the month of Apple bugs. It is more of the same. Sure these guys could report Apple bugs to the normal channels and they'd be fixed fairly quickly and overall security would benefit. That, however, won't make the news. So instead of reporting bugs when found, these guys are intentionally delaying releasing that info to both Apple and the public. Apple isn't pressured to quickly fix bugs if they don't even now what those bugs are. The public isn't served by bugs being fixed more quickly. Users aren't served by bugs being released to the public for possible mass exploitation without Apple ever being given a chance to patch their machines. The end result is decreasing the overall security or computing. It serves no one except the researchers who are showboating and being irresponsible.

I'm afraid you are incorrect, sir. (2, Informative)

porkchop_d_clown (39923) | more than 7 years ago | (#17431654)

The wireless exploit you cite, for example, turned out to be hype about a problem that affected no mac in its default state...

The wireless exploit did [cert.org] apply to Airport cards; but you are correct that researchers mishandled the disclosure - which, as I said, resulted in a lot of hard feelings on both sides.

Re:I'm afraid you are incorrect, sir. (4, Informative)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17431850)

The wireless exploit did apply to Airport cards;

It is my understanding that the vulnerability you reference as well as the other two they fixed were both the result of an internal audit of their wireless drivers and not the result of the exploit that was publicized. The issue is more than a little muddy, however, and I'd be grateful if you could provide a reference to show either way.

Re:I'm afraid you are incorrect, sir. (4, Insightful)

Nelson (1275) | more than 7 years ago | (#17431910)

Yeah but you see, that's against entirely different software and hardware than what secureworks supposedly demonstrated.


I really don't see how you can paint apple in to a bad place with this, secureworks created a lot of hype while disclosing nothing to anyone, Apple took the initiative and at their own expense researched the issue and fixed potential problems they found, none of which has a known exploit. None of this validates what secureworks did, it is possible it's the bug they supposedly found but it's also possible they faked the whole thing.

Sigh. Where did I paint apple badly? (1)

porkchop_d_clown (39923) | more than 7 years ago | (#17433350)

I said that the incident contributed to bad feelings between Apple and security researchers. You contrived that to mean that I blame Apple for the problem.

I'm beginning to understand why so many researchers find Apple users annoying.

Re:Apple Vs. Security Researchers (1)

noidentity (188756) | more than 7 years ago | (#17431660)

Here here! So why the hell is Slashdot participating with these dorks and posting their announcements? "Don't feed the trolls."

Re:Apple Vs. Security Researchers (0)

Anonymous Coward | more than 7 years ago | (#17431812)

So your preferred approach would be to stick your head in the sand and imagine the bugs don't exist? This event is designed for people like you.

Re:Apple Vs. Security Researchers (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17431960)

So why the hell is Slashdot participating with these dorks and posting their announcements? "Don't feed the trolls."

This is different from trolling in that it is a real problem. The bugs are real, the disclosure is real and we have to manage the situation. If terrorists did not get publicity for their acts, they would not be spreading terror and would thus be ineffective. That doesn't mean the media should not let you know the airport has been taken over. It is a real problem. These people are intentionally reducing the security of everyone using OS X. The reaction should be that LHM and Mr. Finisterre are regarded by the industry as irresponsible and shunned by responsible security people. They are the bad guys. They may not be breaking the law, but they are behaving unethically for their own profit.

and now Apple (1)

Shivetya (243324) | more than 7 years ago | (#17431860)

can see what its like to be noticed.

when Microsoft gets treated to the same very few care, in fact some seem to relish in it.

Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?

I look at it this way, Apple still is well off. They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with. When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want. Do not under estimate the creativity and capability of the hackers out there.

That old adage about a bunch of monkeys is apt

Re:and now Apple (4, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17432198)

...when Microsoft gets treated to the same very few care, in fact some seem to relish in it.

Microsoft is not performing due diligence and is quite frankly not giving customers what they want. They routinely sit on publicly announced bugs for long periods of time and according to people I know who have worked there less than half of the security holes they find internally are prioritized high enough to be fixed. No one is happy worms are destroying computers, but some people are happy to see MS getting bad publicity because of their actions.

Now comes the fun, if a bug is reported to Apple how long do they get to fix it? Who will determine when enough time has passed?

Well, I believe the last serious security hole reported to them was fixed in 10 days, which is pretty good turn around for development and QA. OS's can be evaluated based upon the nature of the vulnerability, risk, and duration of exposure. For something like this, if it is easily reproducible, under normal circumstances, a couple of weeks seems reasonable. If they are constantly getting new vulnerabilities once a day, it may be longer since they might need to prioritize based upon those. Think of this from the developer's standpoint. If these guys are trying to make OS X less secure, they picked a good way. Thanks jackasses.

They haven't a big enough installed base to get the "Average user" which Microsoft has to both sell to and suffer with.

What do you mean? Apple has lots of novice users including the very young and very old attracted by their reputation for ease of use. How many people on this forum do you suppose convinced their grandparents or parents to get a mac?

When they do penetrate the "Average user" market and get into double digits of popularity then they attract attention they don't want.

There is plenty of motivation for hackers to attack OS X right now. The reason it does not happen is not the lack of motivation, but the difficulty/convenience of so doing. Smaller market share makes propagation more complex. Increased scrutiny makes exposures shorter. Many worm authors have a very windows-centric knowledge base. All of these factors may mean as OS X's market share goes up, worms become more common, but to attribute this to motivation is a mistake.

Do not under estimate the creativity and capability of the hackers out there.

I know people on both ends of the security spectrum. I'm not too worried about OS X becoming bug ridden as market share increases. In fact, I think both Windows and OS X security will increase as OS X's market share increases. The problem of security is one of motivation, but not of the motivation of malware authors, but of OS vendors. Apple needs to keep customers happy to maintain market share. Thus, if malware becomes a problem for their users they will fix it or lose money. Right now Microsoft has no such motivation, so their attention to security has been spotty at best. They don't significantly lose money when users suffer from security problems. Increasing OS X's market share might motivate them to improve security. Anyone who argues that MS or Apple is doing all they can has not been paying attention.

Explain the logic... (3, Interesting)

jpellino (202698) | more than 7 years ago | (#17431820)

"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure"

Huh? Apple's users are to blame for Apple's work with security researchers?

Imagine that meeting - "Steve, I'd love to make sure we use every avenue available to us to secure the platform, but heck, our users are just thumbing their noses at the rest of the OS world, and gosh, but it's fun to see - I say let's just live with the holes." "Sounds good to me, Phil - thanks for the insight. Now, about that MacBoy Advance SP that Scooter's been working on..."

Nice. (1)

porkchop_d_clown (39923) | more than 7 years ago | (#17433432)

Perhaps you could try reading my post again, look at your own reply and consider how Apple fanboys have a reputation for pissing off people who have to work with Apple.

For the win: Please point out where I said it was Apple's fault they had a poor relationship with security researchers.

Re:Apple Vs. Security Researchers (0)

Anonymous Coward | more than 7 years ago | (#17432108)

Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure;...

This makes no sense.

Occam's Razor (2, Insightful)

SuperKendall (25149) | more than 7 years ago | (#17432434)

Partly it's because of the smug attitude of many Apple users - who assume that because they don't get attacked their OS is more secure; but part is also the researchers themselves.

So please explain to all of us why we have no viruses on the Mac yet, even with some tens of millions of fairly homogoneous computers around (same OS, same patches, much of the same hardware) in a world where botnets of even just a hundred thousand nodes bring in real money. There is financial incentive enough for the macs to have viruses and spyware, yet they do not.

Perhaps you should instead apply Occam's Razor, and think that if in fact any given OS sees fewer attacks than another, it is actually more secure.

Of course there are holes in OS X, any reasonable Mac users realizes this. But we also know we have yet to see any real exploits in the wild. So far this effort is not really doing anything about that situation either way, if you'll read below you'll find this first proof of concept exploit does not even work!

Re:Occam's Razor (-1, Flamebait)

porkchop_d_clown (39923) | more than 7 years ago | (#17433382)

Snort.

Sonny, I write device drivers for a living, on Linux and on Mac. I assure you, the Mac isn't more secure.

You might want to do a little research into epidemiology and on the economics of hacking in the 21st century if you want to understand why no one has targeted Macs.

Re:Apple Vs. Security Researchers (2, Insightful)

Anonymous Coward | more than 7 years ago | (#17432490)

"Apple has had poor relations with security researchers for years. Partly it's because of the smug attitude of many Apple users"

Let me just say, FUCK YOU. Seriously. And no, this is not a troll, but feel free to rate this down otherwise.

I am a Windows developer for my employer, but do most of my work off a Mac running VPC or now Parallels. When I first started doing this, I had to buy my own machine because my employer didn't feel the need to give in to my concerns. Now, half my staff do the same thing (and I run my old office).

Every so often, one of us finds a hole in the Mac, and there are proper channels to go through. Occasionally we get notes back thanking us, other times, we don't. I don't expect to be notified each and every time.

And then we have researchers like the ones that found the supposed wifi hole. That required both computers to be synch'd together. And a script to be running on the second 'hacked' computer. And a dozen of other things where even the researchers admitted that with these perfect conditions, they could only gain access once in 100 times -- and that they needed the script running on the other machine because they needed something to target that they knew was going to be resident in memory. And even duplicating this in a clean room, experts were unable to replicate what the researchers had done to the point they STILL think its only theoretical and that the original folks had faked the test.

And then the researchers state they did it purely because they wanted to put a cigarette out in the eyes of the 'smug mac users'.

So yeah, we don't have perfectly secure machines, no one does. If the original 'researcher' had been honest and upfront about the nature of the problem and left the politics out, there would have been a LOT less He Said She Said BS. It started with the researchers before Apple or anyone else had a chance to respond. Oh yeah, that Johnny Cache is SUCH a rebel...couldn't even prove his metal and then blamed Apple for keeping him down, all the while most other security researchers are actually THANKED by Apple publicly for finding flaws.

So again, Fuck You as I respond to a trollish post in a like manner...

Re:Is this true? (1)

bill_mcgonigle (4333) | more than 7 years ago | (#17431586)

"The problem with so-called 'responsible disclosure' is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial."

They could have thought of a better excuse than this. Giving the vendor n days before disclosure avoids the 'insane amounts of time' scenario, so the argument doesn't hold water. Conscientious greyhats go this route. Maybe we'll call these guys charcoal-greyhats.

So we're left to conclude that they just want attention/fame/notoriety - they haven't given us any reason to believe otherwise. If they came out with "We told Apple about these around Halloween and they're still not patched," they'd have serious security community support.

Go ahead and give Apple a hard time when they deserve it - for instance only supporting Jaguar for a bit over two years with security updates. Similarly, one would expect the installed base of Panther users to be screwed when Leopard debuts.

But that's not going to make the front page of Slashdot. I guess it's better to be "well-known" than to do the right thing by the user base.

Apple is a dangerous monopoly (-1)

Anonymous Coward | more than 7 years ago | (#17431786)

Apple proves, as always, that they are a far more brutal monopoly than MS could ever dream. They have almost total domination over every piece of hardware used on one of their computers, and until recently they forced everyone to use their insecure and buggy OS.

Not only that, but they are so hostile to 3rd parties that, just as on the hardware side, they are now the sole provider of most of the software for their system.

So now Apple had complete and utter dominion over WHERE you buy your computer (The Apple Store), WHAT you can use with your computer (peripherals), HOW you use your computer (OS, software), and WHY you need it (severely limited choices).

The only reason Apple allows people to install Windows on their Intel computers is because people were working on a (non-Apple) utility to do just that very thing... and people were very interested in it.

If Apple didn't completely fear rejection from the open market, they would allow non-Apple computers to install OS X. But fortunately, it would flop in the marketplace, thus saving the world from a proliferation of their buggy and insecure OS.

Doesn't work for me (5, Interesting)

Anonymous Coward | more than 7 years ago | (#17431120)

I just tried this on my MacBook Pro using the provided QTL files and ruby scripts, but none of them seem to have the claimed effect. Anybody else already tried this?

Re:Doesn't work for me (1)

Sentry21 (8183) | more than 7 years ago | (#17432554)

Didn't entirely work for me either. I wonder if this is just a bug in their exploit code? Either way, I'm on a Macbook, so I wonder if this is Intel-specific.

dan@Reykjavik:~/Desktop$ ruby MOAB-01-01-2007.rb
MOAB-01-01-2007.rb:58:in `close': closed stream (IOError)
        from MOAB-01-01-2007.rb:58:in `open'
        from MOAB-01-01-2007.rb:58
dan@Reykjavik:~/Desktop$ /Applications/QuickTime\ Player.app/Contents/MacOS/QuickTime\ Player pwnage.qtl
sh: -c: line 1: unexpected EOF while looking for matching `"'
sh: -c: line 2: syntax error: unexpected end of file
Illegal instruction

Plain wrong! (1, Insightful)

Anonymous Coward | more than 7 years ago | (#17431186)

This is just the wrong way to do this folks. They should be finding and notifying Apple.

Re:Plain wrong! (1)

solevita (967690) | more than 7 years ago | (#17431490)

Perhaps, but I think there's at least some merit to what they're doing. Computer security is dependant upon the various pieces of software and the like that this pair seem very adept at exploiting, but it's also about exploiting public opinion. This is a site famous for Microsoft bashing, so it's not like I need to provide any examples to demonstrate my point.

In short, Apple knows about the bugs, we know about the bugs; everyone's a winner.

Re:Plain wrong! (1)

Jeppe Salvesen (101622) | more than 7 years ago | (#17431722)

Oh yeah?

A much better approach: Find 90 bugs, give Apple 30 days to fix them, and release those that were fixed along with those that were not fixed.

That would either show whether Apple takes security seriously, without exposing the user base to added security risks.

Re:Plain wrong! (0)

Anonymous Coward | more than 7 years ago | (#17432156)

90 bugs in 30 days is an impossible task, and certainly in a code base as huge as Mac OS X's.

Every fix needs to have regression tests done to make sure something else doesn't break as a result of the fix in addition to all the tests that need to be written to ensure that the fix actually does fix the original issue.

Compound that with the fact that you really should only fix one bug in a module at a time to prevent introducing more bugs with concurrent fixes...

There are likely thousands of security problems (1)

Junks Jerzey (54586) | more than 7 years ago | (#17431210)

OS X is unimaginably complex. Even the 1500+ page "OS X internals" tome just scratches the surface of most things.

(Note that I own and enjoy using a MacBook, so I'm not blindly Apple-bashing.)

The complexity is the first problem. The second is that almost all of the code was written in an insecure manner. No one was doing code-level security reviews on QuickTime and Quartz and all the other bits of OS X. And even if you did, squashing all potential overflow/overwrite bugs in a language like C is essentially impossible. We'll keep living with endless exploits until more secure techniques are used for writing software.

Re:There are likely thousands of security problems (1)

MSFanBoi2 (930319) | more than 7 years ago | (#17431332)

Ah, but when the same thing is said about Microsoft Windows, one is modded down to obivion, called a troll or what not.

Why is it "OK" for Apple to have these issues in their complexity, yet Microsoft stuffers the slings and limp arrows of Apple fanatics when patch Tuesday rolls around?

Re:There are likely thousands of security problems (1)

MeanderingMind (884641) | more than 7 years ago | (#17432280)

I thought it was Blizzard who suffered the stings and arrows of fanatics on Patch Tuesday?

Joking aside, I'd personally appreciate something substanciative to back up the GP's statements regarding OS X. I do not doubt there is complexity or flaws, but the statements are sweeping and rather lacking in any quantitative value (how complex and insecure is OS X, perhaps in comparison to other OSs).

Re:There are likely thousands of security problems (1, Interesting)

Jeff DeMaagd (2015) | more than 7 years ago | (#17431366)

It's not just C though, Apple generally uses Objective-C, which is an object-oriented extention of C. If the programmers did the responsible thing and called libraries for their objects, then it shouldn't be a problem, fix your libraries. They shouldn't be calling for memory using C if they can avoid it. I don't think it's anywhere nearly so simple though.

Re:There are likely thousands of security problems (-1, Redundant)

TheRaven64 (641858) | more than 7 years ago | (#17431556)

It's not just C though, Apple generally uses Objective-C, which is an object-oriented extention of C.

Depends where you're looking. Things like Quicktime are written in C. The kernel is mostly C, but drivers are written in Embedded C++, which is a subset of C++ that is easy to compile to efficient code, but a bit nicer to use than plain C. The higher-level stuff is mainly Objective-C, with some bits done in C for speed, and some are even implemented in AppleScript (although not much). Apple seem to be one of the few companies that understands the concept that there is not yet a programming language that fits all requirements. Unfortunately, C++ and Objective-C programs still tend to use pure C-syntax stuff in speed-critical places, and it's easy for bugs to creep in.

Not to minimise these problems... (1)

argent (18001) | more than 7 years ago | (#17431846)

Not to minimise the problems of writing large complex software systems, but complexity is the second problem... insecure design is the first.

I'm more concerned with the fact that Safari uses the same URI handler and helper database as Finder (LaunchServices) and that Apple is more interested in giving people a false sense of security with pop-up dialogs than changing the API slightly to make it inherently secure.

* Split LaunchServices up into "web oriented" applications that are indended for use with untrusted files, and "desktop" applications. This would have the additional advantage of allowing for "viewer" versions of applications that have reduced functionality and simpler design (going back to the original poster's point).

* Disable "Open safe files after downloading" by default, and if it remains an option then include a comment in the preferences pane that enabling it will reduce the security of your system.

* And don't EVER include software installers in the list of "safe" applications! I ca not comprehend the confusion in the mind that would lead Apple to install widgets and packages directly from the browser. Firefox makes the same mistake, by the way... it's like watching gangrene spread.

This is not as bad a design problem as Microsoft's use of the HTML control as a universal gateway for viruses and spyware, but it's bad enough that it should be given priority.

YOU FAIL iT (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17431216)

arseholes at Walnut they're gone Came tossers, went out but it's not a From a technical tossers, 3ent out surprise to the

Logo (1)

Freon115 (672518) | more than 7 years ago | (#17431248)

The logo on their blog is very distrurbing

Re:Logo (0)

Anonymous Coward | more than 7 years ago | (#17432308)

Would you have preferred a rock through a window, or skinning a penguin?

These people read their own press releases (2, Insightful)

Llywelyn (531070) | more than 7 years ago | (#17431264)

If they were truly interested in "improving MacOS X" or "improving practices on the management side of Apple" then they would release these bugs to Apple first. Don't wait an insane amount of time, but give them a nice reasonable amount of time to fix the bugs. Heck, even tell them you plan on releasing them on thus and so date and start the month *then*, giving props to Apple for those they have fixed.

Doesn't work (2, Informative)

matth (22742) | more than 7 years ago | (#17431428)

I tried the exploit.. doesn't work on my macbook.

Re:Doesn't work (2, Interesting)

owsla (78381) | more than 7 years ago | (#17432184)

Same thing here on a 3rd generation PowerBook G4 with all available updates. I tried to the ruby script -- it just crashed Quicktime, but no exploit.

Re:Doesn't work (0)

Anonymous Coward | more than 7 years ago | (#17432648)

I think the exploit is x86 only.

Re:Doesn't work (1)

Jasin Natael (14968) | more than 7 years ago | (#17432302)

Doesn't work on my iMac G5 running 10.4.8 with Quicktime 7.1.3.

Maybe it only affects PC users with Quicktime, or maybe you have to have Quicktime Pro installed?

Don't give them the publicity. Certainly Apple's software team should read the site, but they don't deserve any more attention than that; Their whole site is dedicated to insulting Apple and taking pot-shots. They write like capricious seven-year-olds. I, for one, am going to ignore them for the rest of the month -- and probably for the rest of their lives. Not because of the factual content, but more for their immature, deliberately destructive, and insulting behavior.

Re:Doesn't work (1)

Weedlekin (836313) | more than 7 years ago | (#17432752)

Fails on my iMac G5 rev. 1, OS X 10.4.8 too. Looks like this particular "bug" has more FUD than substance.

I have a dumb question..... (0, Troll)

8127972 (73495) | more than 7 years ago | (#17431546)

..... Given Apple's tendency to sue just about anything that moves so that the can preserve the "reality distortion field," are these researchers not afraid of being sued out of existence?

Re:I have a dumb question..... (3, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17431618)

..... Given Apple's tendency to sue just about anything that moves so that the can preserve the "reality distortion field," are these researchers not afraid of being sued out of existence?

The reality distortion field you cite is warping your perspective. Apple is actually not particularly litigious compared to most companies their size. To my knowledge they've never sued anyone for publicizing bugs. They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication. The thing is, the litigation they do enegage in, is often highly publicized, making it seem as though they are very litigious.

So to answer your question, if they have a reasonable grasp on reality, no they aren't worried about being sued.

Re:I have a dumb question..... (1)

Achromatic1978 (916097) | more than 7 years ago | (#17433232)

I love watching you in full-blown spin mode:

They don't even normally go after publications that intentionally publicize their trade secrets unless they admit having obtained those secrets from an insider Apple does not know the identity of, and in the one case of that, they sued only for the name of the informant, not for any damages against the publication.

Nice way to describe it. Another way would be "rather than engaging in anything even resembling a cursorily, let alone thorough internal, investigation, Apple decided that the best way to resolve the issue was to hit a third party with tens of thousands in legal bills, rather than investigate the issue itself".

Re:I have a dumb question..... (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17433394)

nother way would be "rather than engaging in anything even resembling a cursorily, let alone thorough internal, investigation, Apple decided that the best way to resolve the issue was to hit a third party with tens of thousands in legal bills, rather than investigate the issue itself".

Sure, but the point you are missing is that Apple was legally in the right. They had every right to sue and not only for the name of the leak, but also for punitive damages large enough to shut down the small publication and discourage others. The fact that they didn't speaks to Apple's propensity to not use litigation to stop speech they don't like. And that is the subject we were addressing, should these researchers be afraid that Apple will bring a baseless lawsuit against them in order to stop their publication. The answer is, no, Apple doesn't stop speech it doesn't like when it can legally shut them down.

Re:I have a dumb question..... (0, Flamebait)

xxdesmus (932581) | more than 7 years ago | (#17431768)

I agree. Apple will go ahead and try and sue these guys because they need to maintain some semblance of smugness now don't they?

What other company sues their users for pointing out bugs? Oh right, Apple will prove to be the first.

Timing (3, Interesting)

lord_iain (1045936) | more than 7 years ago | (#17431568)

Is it just me, or is this event well timed? A month of Apple bugs/exploits on the lead up to Windows Vista's commercial release on January 30th (the most "secure" version of Windows). Sounds sinister to me.

Re:Timing (1)

xxdesmus (932581) | more than 7 years ago | (#17432458)

Sinister indeed. Better get out your tinfoil hat then... Way to turn this into Microsoft's fault (by vaguely implying they have something to do with this).

the old apple quality issue again (0)

Anonymous Coward | more than 7 years ago | (#17432248)

MacOSX is still turning up significant flaws that were fixed in other flavours of UNIX many years ago. Apple has probably the worst attitude to quality control I have ever come across in the PC industry (ie. they don't appear to have any). You might think that Windows has many problems with security holes, but looking at the automated code review tools and approach to security within Microsoft, and comparing this to Apple's approach, it is safe to say that the inferior end product will most definitely be Apple's. I also find Microsoft staff much more helpful and knowledgeable than the moron 'experts' that apple usually fields.
Having tried to program software for MacOSX, I have realised that as it stands, apple does not have a product that is usable for enterprise level applications. It is just to buggy, lacks scalability (try using heavily threaded programs, or I/O / network intensive apps), and the kernel seems to have some fairly significant and obscure bugs that can waste significant time.
I am sticking to platforms I trust:- AIX, Linux, and Solaris. They have their own lesser problems, but at least quality and scalability are not a serious concern.

Re:the old apple quality issue again (1)

SuperKendall (25149) | more than 7 years ago | (#17432528)

Your opinion might have meant something if you hadn't posted AC. As it is, it's hard to believe you've actually done any OS X programming - or at least any recent programming. Tiger cleaned up the kernel API's quite a bit.

Re:the old apple quality issue again (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#17432910)

MacOSX is still turning up significant flaws that were fixed in other flavours of UNIX many years ago.

True, Apple is running into some of the same old problems as they try to build new things to interact with old things. I wish they had stricter security reviews processes.

Apple has probably the worst attitude to quality control I have ever come across in the PC industry (ie. they don't appear to have any). You might think that Windows has many problems with security holes, but looking at the automated code review tools and approach to security within Microsoft, and comparing this to Apple's approach, it is safe to say that the inferior end product will most definitely be Apple's.

I don't know Apple's policies on code review. I know they do some audits and that is it. It looks like they could really use some improvement. That said, I do know people from MS and their security reviews are a joke. From anecdotes, less than half of all security holes reported internally are given high enough priority to ever be fixed and they don't have a thousand monkeys pounding on open code. And in the end, it is results that matter. Apple does not have a malware problem, and is mildly resistant to amateur directed attacks. Windows has a huge malware problem and can often be hacked with freely available script kiddy tools.

I also find Microsoft staff much more helpful and knowledgeable than the moron 'experts' that apple usually fields.

I've submitted bugs to both Apple and MS. Some of the Apple ones were fixes (all the security ones). None of the MS bugs have ever been fixed.

It is just to buggy, lacks scalability (try using heavily threaded programs, or I/O / network intensive apps), and the kernel seems to have some fairly significant and obscure bugs that can waste significant time.

Are you talking about server roles or desktops? Both OS X and Windows are less than optimal servers. Windows can't multitask its way out of a wet paper bag and has always had stability and security issues that result in unavailable services. I'd not build a server on either OS X or Windows though. If you're looking at the desktop, however, there is no comparison.

I am sticking to platforms I trust:- AIX, Linux, and Solaris. They have their own lesser problems, but at least quality and scalability are not a serious concern.

Quality and scalability aren't concerns on Linux? Where can I get this mythical version of Linux?

Sour Grapes? (1)

Enrique1218 (603187) | more than 7 years ago | (#17432274)

I can help but feel that this whole thing is just sour grapes. I certainly don't feel that improving OSX is the sole motivation behind this. The blog reeks of immaturity and lacks any form of professionalism. The language is smug and juvenile? pwnage? (Wow, high school all over again). They go into great deatil on how execute the exploit but dedicate one sentence on how to avoid it. Then, where is the discrete vendor warning that traditional researchers give before going public? They are not doing it! Are they trying to provoke an attack? I don't see the service that they are doing for me as OSX user. In fact, I look upon this whole stunt with nothing but contempt. I see this as a snipe at mac users because it hasn't been attacked. I think this line says it all!

You're the PC now, Mac (YTPNM).

Looking for help understanding this. (1)

4iedBandit (133211) | more than 7 years ago | (#17432748)

While I've played with ruby, perl, C and work almost daily in a variety of shells I honestly don't have the background to fully understand what they've offered up here.

From the article (and based on my limited understanding) it relies on the shell and curl being resident in a known memory location? Can someone with deeper OS X internals knowledge explain why the system would always put the shell and curl into the same memory space? This seems to go contrary to what I would expect; that the system allocates memory when a program is executed and that memory can be any from the available pool.

If OS X is indeed always putting certain programs into specific memory addresses, then yes this is definitely a problem that Apple needs to fix now. Otherwise, an attack using this approach is more like firing a gun in a pitch black room and hoping you hit a target that may (or may not) be somewhere in the room. While there is a chance it will work, I would rather spend time picking numbers for the lottery (the potential payoff would be much better).

Their link to the Phrack article http://felinemenace.org/papers/p63-0x05_OSX_Heap_E xploitation_Technqiues.txt [felinemenace.org] is a more interesting read. I can't make any claims that I understand that better but after reading through it, it makes more sense. Exploiting programs that use Apple's Webkit. Whether or not those exploits still exist, I don't know.

Somebody sue them (0)

Anonymous Coward | more than 7 years ago | (#17433246)

This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple.'"


No, this is a publicity stunt by vicious little jerks who want to draw attention to themselves and their childish 'anatomically correct' pink pony logo rather than improve security for Mac owners such as myself. Remember, Apple isn't Microsoft. It's doing a marvelous job fixing flaws before they create problems for users. Where the rubber meets the road, they're doing well. If these people were serious about Mac security, they'd have given Apple these flaws in confidence a month or more ago.

I don't care for lawyers, but if one of these bugs gets copied and out in the wild, I'd love to see some nasty lawyers form a class action lawsuit and sue the pants off those involved. Note especially the heading at the top of their web page, "You're the PC now, Mac!" That demonstrates that these people aren't simply stupid and makes it clear that they know what they want to do. They want to make Macs as troubled by bugs and viruses as PCs. That is malice intent and excellent grounds for a huge damage settlement.

If you're involved is this miserable bit of jealous venom, I suggest seeing a lawyer and coming up with a way to sue-proof your major assets. Put your home, your car, your bank account, and your stock portfolio in someone else's name. And even that may not be enough.

And yes, there is a place for publicly exposing flaws that Microsoft, Apple, Linux or any other OS developer refuses to fix. But these jerks, with their all too obvious vicious intent ("You're the PC now, Mac!") and their irresponsible 'bug a day' behavior, are going to make life hard for all the responsible people who mean well and act like adults. They're smearing the name of all those who do help root out vunerabilities.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...