Month of Apple Bugs

Posted by bordalix Wed, 03 Jan 2007 11:36:00 GMT

A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

The "Month of Apple Bugs" project began on Jan. 1 and is being orchestrated in part by a security researcher who asked to be identified only by his online alias "LMH." This is the same researcher who in November ran the "Month of Kernel Bugs" project. LMH's partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years.

The security researchers told the Washington Post that, as with Apple bugs featured during the MoKB project, Apple would receive no advance notice of the forthcoming security problems. The security researchers hope to use the project to dispel the perception that Apple systems are free of the security bugs that have long plagued Windows users.

In two days, as promised, two bugs have been publicized, both of which allow for remote arbitrary code execution:

Is this the end of the "bulletproof" Mac?


Comments

  1. Mário Lopes said about 1 hour later:
    There's no silver bullet in the computing world and the reasoning is as follows: if it's made by humans it will have errors. End of discussion. What I do know though is that no matter how hard those guys scrutinize they won't find as many security problems as within the Windows platform. This can be "proved" by empirical evidence (after all, even a "myth" was created around Mac OS X for its immunity) or by simply taking a look at the security websites for vulnerabilities reported. Windows clearly outstands Mac OS X on that field.
  2. bordalix said about 5 hours later:
    Can't that be due to the huge difference of market share?
  3. Pindar said about 6 hours later:
    Can't that be due to the huge difference of market share?

    That particular line of reasoning has been debunked time and time again. No, it's not market-share-related. Windows is inherently less secure than UNIX. Period. For a recent analysis, see for instance: http://weblog.infoworld.com/enterprisemac/archives/2006/08/is_windows_inhe.html It does not mean there are no bugs in Mac OS X, nor that we'll never see a virus on that platform. Just that right now _nothing_ bad has yet happened. And that's a pretty good track record compared to Windows'. BTW both bugs reported by the MOAB team are cross-platform. And the VLC bug has nothing to do with Apple whatsoever.
  4. Mário Lopes said about 8 hours later:
    I second what Pindar said. I believe that having a smaller market share has a significance of less than 20% for the issue of the security problems. IMHO it all boils down to UNIX's superior architecture and security mechanisms.
  5. Luis Bruno said about 9 hours later:
    VLC?
  6. pfig said about 13 hours later:
    pindar is right on the spot.
  7. Luis Bruno said about 23 hours later:
    Not only did I double post, I failed to see Pindar's comment on VLC's bug being included on the MoAB list. bordalix, please delete my posts!
  8. Pindar said 1 day later:
    The bug for today is more of the same: it's a QT vulnerability (though I'm not sure it's actually that: it may just be a QT feature that's leveraged against other vulnerable areas in the host OS or application -- cf. the MySpace debacle the MOAB team refers to), x-plat, and actually exploited by the MOAB team on... Windows 2000 SP4! That's right: Windows 2000 SP4, not Mac OS X, not even XP. So much for the Month of the _Apple_ Bug.
  9. bordalix said 1 day later:
    Great discussion, thanks! Pindar, I fully agree with you in the MacOSX vs Windows issue. But today's bug is about iLife!! LMH is going away from the operating system, is going for the apps! Can't wait to see where this will go...
