Bring it on

The Month of OS X bugs (antler tip to Daring Fireball), brought to you by the somewhat adversarial and misanthropic folks who brought you the Month of Kernel Bugs, is coming in January.

There is much about this to chap the average Mac user’s ass.

  1. The attempt to steal some thunder from Macworld by picking January.
  2. The fact that Apple will not be notified of the bugs beforehand.
  3. The distinct odor of Artie MacStrawman in LMH’s assertion that “many” Mac users think OS X is bulletproof and “some” want it to look that way.

But the Macalope is willing to overlook all that because, ultimately, he believes this statement is true:

LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.

Unlike the SecureWorks fiasco, this will happen in the open. The bugs will be published with sample code and Apple will have to respond with a fix. It’s not pretty, it’s not completely ethical, but like pulling a Band-Aid off really quickly, it’ll work.

If it happens at all. Somehow the SecureWorks “tell-all” never happened and, as Krebs alludes, Oracle likely shut down the Month of Oracle Bugs.

And the Macalope seems to remember something about someone at Oracle being friends with someone at Apple…

  • Dhrakar:

    I think that it is also important to note that these folks are not just finding the bugs the day of the disclosure. Many of them have, I’m sure, been known for quite some time already. Thus, there is always the potential that someone has _already_ been exploiting them but is doing it quietly.
    This just goes to my pet peeve about the fact that there is no such thing as a zero-day exploit. Security exploits do not just come out of thin air and many times are used successfully by folks who are good at hiding their tracks prior to the publication of the exploit.
    Having said all that, however, I still think that it is highly unfair to a vendor to just announce vulnerabilities to the wide world without first giving them the chance to at least look at them.

  • John Muir:

    They may be acting like they’ve a chip the size of a Mac Pro on their shoulder, but I’m with the Macalope on this one. Could be done with more class, but is overall not a detriment to OS X. Besides, we’re going to be talking about Leopard *a lot* come January so whatever Tiger bugs they can find will seem older then than they would if they’d chosen a time which didn’t coincide with the annual peak of the Apple calendar.

    Why no month of Windows bugs by the way? That rhetorical question says it all…

  • Drew:

    I look forward to a time when “LMH” is happily being kept busy with his/her/their “Year of Vista Bugs”.


  • Peter:

    “I still think that it is highly unfair to a vendor to just announce vulnerabilities to the wide world without first giving them the chance to at least look at them.”

    Agreed, and there may be more to this than I know. But it should be a two way street. They should probably show them to Apple before announcing the month of Apple bugs and give Apple a “reasonable” (say, three months) amount of time to fix them. If Apple doesn’t fix them, notify the world. That will hopefully inspire Apple to fix them.

  • “Why no month of Windows bugs by the way? ”

    Because we already had 3 decades of Windows bugs?

  • James Bailey:

    My predictions:

    The majority of the bugs published will be local and not remote. Many published remote exploits will be labeled as allowing arbitrary code execution with no evidence or explanation. The rest of the remote exploits will be either cross-site scripting issues or application flaws.

    The rest of the month will be local exploits that may or may not allow privilege escalation.

    I doubt that we will see a truly dangerous remote exploit that allows arbitrary code execution. But if we do, then I will thank the authors for providing OS X users with the ability to shut down a potential problem and helping make OS X even more secure.

  • “Why no month of Windows bugs by the way? That rhetorical question says it all…”

    That’s like when kids ask their parents, there’s a Father’s Day (Mac OS X) and a Mother’s Day (Linux) — why no Kids’ Day (Windows)? Because EVERY FREAKING DAY IS KIDS DAY YOU LITTLE FREAK.

  • Gary Patterson:

    A grubby stunt from a hacker infinitely more interested in his own publicity than security. Krebs should be held partially responsible for any damage caused by people using his information (map, instructions and helpful tips).

    If he followed the practices of a *real* security researcher, he’d be informing Apple and then blowing the whistle after several days had passed. Sadly he is to security what pointy-haired bosses are to productivity.

  • John Muir:

    Re: no month of Windows bugs. Perhaps I should have flagged it with /sarcasm!

    Not only does no one care when another gaping hole is found in Windows – and yes Vista will have them too – but its user base has become so used to it that it’s seen as just “part of the computer experience”.

    For the Mac to lose the security race now … actually it’s hard to even envisage such a scenario compared to Windows at least. We’d have to suddenly have a decade of apocalypses in security while Windows magically stops being exploited at all and sites and users start talking about “proof of concepts” instead of “millions of zombies”.

    No surprise these guys are going after the Mac. It’s the only platform with a good rep at the moment. Not to dis Linux, but you know what I’m talking about. The tech media loves its clichés.

  • Why does anyone care about “LMH”, or what he/she/it says? As already mentioned, this is the year of the Leopard, and what is vulnerable in Tiger will probably not be vulnerable in 10.5.X. I guess we can be happy knowing our old digs are insecure, but don’t we already know this without “LMH” ?

    I keep harping on this point, but if you have local access to a Mac you can just boot from an install CD/DVD and own the computer without one shred of “hacking” skill whatsoever. Writing or coding a ‘hack’ to own a local Mac is like driving a one hundred mile loop to cross the street. Sure, you get where you’re going, but was the trip worth it?

    What can be accomplished with a “hack” that can’t be accomplished with a local admin account combined with SSH access? Or Remote Desktop admin rights ?

  • Ken:

    To amplify what Buster said, you can do this with _any_ non-physical security on any computer. If you don’t have physical security, you don’t have data security.

    I once walked up to an Xserve at a client’s office, plugged in my firewire drive, copied off some data, and walked away. No one batted an eye, and it took me all of a minute. Of course, I was their admin, the data copying was legit, and I had the local password, but…

  • Sarcasm, n.

    “Mac users have demonstrated that they are idiots by buying a system that works more reliably and has less malware written for it. Further, after buying a system that works more reliably and has less malware written for it, they have the unmitigated gall and poor sportsmanship to announce that they have a system that works more reliably and has less malware written for it. Then they go so far as to suggest to others that they buy a system that works more reliably and has less malware written for it. Bastards.”

  • Ken,

    Amen, brother! I couldn’t have phrased it better than that.

    Speaking along these lines, there _used_ to be a retailer in my area that had cash registers scattered throughout the store in _every_ department. They had instructions on how to open the register posted on the pole that enclosed the wires floor to ceiling.

    On this same pole they also had instructions on how to work the PA of the phone attached to the pole. So, there was always physical access for the customers, but especially when store personnel left a register unattended. One day, lacking sufficient customer service to attend to my needs, I picked up the phone, activated the PA and announced to the entire store :

    Customer with his hand in the till in Sporting Goods !

    Boy, that got their attention. Soon after the instructions disappeared from every pole. Oh, and they no longer kept the registers running with the keys in the locks, either.

    Moral of the story : Physical access means insecurity no matter the situation. ‘Nuff said.

  • Dhrakar:

    It is true that physical access means full access. Sooner or later, a person is going to get the whole enchilada. However, I think that many OS X users miss the importance of local exploits due to the fact that most Macs (like the one I’m typing on) are single user. That is, you do not have any open ports for things like ssh, etc. However, for most Unix/Linux admins the reality is that you have many users logging in to a system either at the console, or via ssh, sftp, etc. (like our big-ass Cray, Sun and IBM systems).
    While these users do not have physical access to a system, they are _local_ as far as the OS is concerned since they have logged in. Thus, the importance of local vulnerabilities (that can be used to gain root privs). Now that OS X has been out for a while and is a real multi-user capable system (and can even be used in a supercomputer 🙂), researchers are looking at it with the same eye as they do Linux.
    In reality, this issue is causing us to have to run the same system security scripts and hardening that we do for any other Unix system on our OS X boxen.
    If you want to see a constant stream of vulnerabilities discussed, check out the bug-track email list and/or some of the Linux security sites. Many of them are constantly discussing local vulnerabilities and mitigations.
    I think that if you look at the month-o-bugs from the Unix admin perspective, it starts to make much more sense. That is, it is not about malware, but about coding errors in things like /bin/lpr that can be exploited by a normal user to get root. Unfortunately, the folks who are doing the bug listing seem to be ‘sexing’ it up a lot to provoke more publicity.

  • I quote :
    “That is, it is not about malware, but about coding errors in things like /bin/lpr that can be exploited by a normal user to get root.”

    Welcome to the Hundred Mile Loop(tm). I can be root on _ANY_ Mac to which I have local, physical access. I don’t have to code, I don’t have to program, all I have to have is _bootable media_.

    I repeat – coding to gain local admin/root access is akin to taking a one hundred mile car trip to cross the street. I can gain root access in two minutes with bootable media, so why would I want to invest _hours_ coding? “Hackers” that come up with yet another “local” exploit only impress me with their sheer stupidity. Only a moron would invest that much time in a “hack” when a two-minute-boot would yield far, far more results.

    I will be impressed the day someone comes up with a “hack” that will own my Macs from across the country or around the world, hard-wired or wireless, despite being behind a firewall with a strong Admin password with root disabled. All without me ever being aware it is happening, and not requiring me to lift a finger to aid the scheme.

    Until that day comes, and I am betting on the Mac it never will, why would I ever be impressed by or give two flying figs about a “local hack”?
