http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs en-us 40 Simplicity, Usability, Productivity, Code, Design, Business and more <p>A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.</p> <p>The "Month of Apple Bugs" project, began on Jan. 1, and is being orchestrated in part by a security researcher who asked to be identified only by his online alias "LMH." This is the same researcher who in November ran the "<a href="http://kernelfun.blogspot.com/">Month of Kernel Bugs</a>" project. LMH's partner in this project is <a href="http://www.digitalmunition.com/">Kevin Finisterre</a>, a researcher who has reported numerous bugs to Apple over the past few years.</p> <p>The security researchers <a href="http://blog.washingtonpost.com/securityfix/2006/12/january_2007_month_of_apple_bu.html">told the Washington Post</a> that, as with Apple bugs featured during the MoKB project, Apple would receive no advanced notice of the forthcoming security problems. The security researchers hope to use the project to dispel the perception that Apple systems are free of the security bugs that have long plagued Windows users.</p> <p>In two days, as promised, two bugs have been publicized, all of which allows for remote arbitrary code execution:</p> <ul> <li><a href="http://projects.info-pull.com/moab/MOAB-01-01-2007.html">Apple Quicktime rtsp URL Handler Stack-based Buffer Overflow</a> <li><a href="http://projects.info-pull.com/moab/MOAB-02-01-2007.html">VLC Media Player udp:// Format String Vulnerability</a> </ul> <p>Is this the end of the "bulletproof" Mac?</p> Wed, 03 Jan 2007 06:36:00 -0500 urn:uuid:d81adda5-1b5e-4ff8-8ae9-8e0c0cfebd3a bordalix http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs apple security Great discussio, thanks! Pindar, I fully agree with you in the MacOSX vs Windows issue. But today's bug is about iLife!! LHM is going away from the operating system, is going for the apps! Can't wait to see were this will go... Thu, 04 Jan 2007 13:41:39 -0500 urn:uuid:85ee060e-70f0-492d-9371-972341fedfa3 http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-377 The bug for today is more of the same: it's a QT vulnerability (though i'm not sure it's actually that: it may just be a QT feature that's leveraged against other vulnerable areas in the host OS or application -- cf. the MySpace debacle the MOAB team refers to), x-plat, and actually exploited by the MOAB team on... Windows 2000 SP4! That's right: Windows 2000 SP4, not Mac OS X, not even XP. So much for the Month of the _Apple_ Bug. Thu, 04 Jan 2007 08:23:02 -0500 urn:uuid:36b986dc-537c-455e-ab8a-3fd2142b390b http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-375 Not only I double posted, I failed to see Pindar's comment on VLC's bug being included on the MoAB list. bordalix, please delete my posts! Thu, 04 Jan 2007 05:48:11 -0500 urn:uuid:a6091010-23c1-48f3-a20e-e800b2e54cbe http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-374 pindar is right on the spot. Wed, 03 Jan 2007 19:23:11 -0500 urn:uuid:0cd49363-caa6-4676-9827-802d812ac115 http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-373 VLC? Wed, 03 Jan 2007 15:06:45 -0500 urn:uuid:bd861c5f-59b9-417b-b5af-427ea4245612 http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-371 I second what Pindar said. I believe that having a smaller market share as a significance of less than 20% for the issue of the security problems. IMHO all boils down to UNIX's superior architecture and security mechanisms. Wed, 03 Jan 2007 14:21:56 -0500 urn:uuid:20f44b07-0b29-4a04-8994-c9788441882c http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-370 <i>Can't that be due the huge difference of market share?</i><br><br> That particular line of reasoning has been debunked time and time again. No, it's not market-share-related. Windows is inherently less secure than UNIX. Period. For a recent analysis, see for instance: <a href="http://weblog.infoworld.com/enterprisemac/archives/2006/08/is_windows_inhe.html" rel="nofollow">http://weblog.infoworld.com/enterprisemac/archives/2006/08/is_windows_inhe.html</a> It does not mean there are no bugs in Mac OS X, nor that we'll never see a virus on that platform. Just that right now _nothing_ bad has yet happened. And that's a pretty good track record compared to Windows'. BTW both bugs reported by the MOAB team are cross-platform. And the VLC bug has nothing to so with Apple whatsoever. Wed, 03 Jan 2007 12:13:03 -0500 urn:uuid:b1a68b67-c774-49c3-b5ac-2bfde2a70e56 http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-368 Can't that be due the huge difference of market share? Wed, 03 Jan 2007 11:45:33 -0500 urn:uuid:9ecb1889-c55a-4439-9b15-526e291e14ec http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-367 There's no silver bullet in the computing world and the reasoning is as follows: if it's made by humans it will have errors. End of discussion. What I do know though is that no matter hard those guys scrutinize they won't find as many security problems as within the Windows platform. This can be "proved" by empirical evidence (afterall, even a "myth" was created around Mac OS X for its immunity) or by simply taking a look at the security websites for vulnerabilities reported. Windows clearly outstands Mac OS X on that field. Wed, 03 Jan 2007 07:56:54 -0500 urn:uuid:514304c0-26c2-4224-9c56-bcbe7b198d89 http://joaobordalo.com/articles/2007/01/03/month-of-apple-bugs#comment-365