Apple bumper patch vindicates MOAB, MOKB hackers

When the controversial Month of Apple Bugs (MOAB) project ended earlier this year, a derisive "that was it?" reaction could be heard coming from the Mac faithful.

Outside of a QuickTime code execution exploit (which required user interaction), the majority of the MOAB vulnerabilities released dealt with denial-of-service crashes and privilege escalation bugs, prompting the dismissal of the project as a failed publicity stunt.

But a close look at Apple's latest batch of bumper patches provides total vindication for LMH and Kevin Finisterre, the two hackers who went against the grain and called attention to serious defects in code coming out of Cupertino. The same goes for the researchers who participated in last November's MOKB (Month of Kernel Bugs), a sister project that highlighted kernel-level vulnerabilities in various operating systems, including Apple's flagship Mac OS X.

Apple's 2007 patch count is an eye-opener. Seven updates, 62 vulnerabilities.

Yesterday's bumper Security Update 2007-003 provided fixes for a whopping 45 security bugs affecting Mac OS X users.

The biggest takeaway from Apple's advisories since last November is the number of patches that address flaws found during the MOKB and MOAB disclosure projects. More importantly, in the brief notes in its public bulletins, Apple is making it clear that many of the MOKB/MOAB flaws were "high risk" issues that could lead to arbitrary code execution attacks. Those are very serious issues.

It's refreshing to see Apple reacting to those projects and getting fixes out in a timely manner, even crediting the MOKB/MOAB hackers in its bulletins, but there's a lot of work to be done at Apple if the security reality is to match those Mac commercials.

Apple's marketing department gets a kick out of kicking sand in Microsoft's eye on security but, truth be told, Apple has a long way to go to match Redmond's seriousness around security. This is an issue that was raised almost a year ago by Microsoft's Stephen Toulouse and it's worth repeating.

Here are five recommendations that spring to mind:

1. Apple desperately needs a security czar who is empowered to face the reality that there are serious problems with its code quality. When the first batch of code execution holes affecting Windows Vista comes from code created by Apple, those Mac commercials start to look rather silly. A job listing spotted by CNET's Robert Vamosi offers evidence that Apple is looking for a "security expert" to "help provide guidance on security topics to all groups across Apple, and help teams design security into new cutting-edge features and technologies." Hopefully, this is a high-level position (a la Window Snyder at Mozilla) with the power to make meaningful changes.

2. Apple needs to fix its patch release process and beef up the information in its advisories. It looks like they're on a monthly patch schedule, but who knows? I know it sounds sacrilegious to say Microsoft is a perfect example to copy but, roll your eyes all you want, it's the plain old truth. Set up a monthly patch release schedule -- I say piggyback on Microsoft's and make it easy for admins to plan/prepare for patches -- and start adding mitigations in the bulletins for customers who might not be able to patch immediately.

3. The bulletins need a makeover. In addition to mitigations and workarounds, the bulletins need a clearly marked severity rating. Adopt CVSS and add those severity scores alongside a color-coded scheme to let the average end user understand the risk. If your customers are at risk, you have a responsibility to let them know in an upfront, honest manner.

4. Apple is in the ThreatCode hall-of-shame because of serious warts in its patch deployment process. Read this lament from an IT administrator to see just how frustrating it is to apply a QuickTime patch in a Windows environment. If you're still not sold on how bad things are, check this and this. These are real, legitimate issues that need fixing. If you're deploying a patch, it needs to be a painless, automatic process for every customer, even if they're on a Windows box.

5. Why is there an "iPod Service" always running as LocalSystem on my mom's Windows XP machine? She doesn't own an iPod. If there's a security flaw in that service (MOAB proved that such flaws exist if you look hard for them), Apple would have put my mom at needless risk. Apple's security people should be recommending that these automatic services be unbundled from QuickTime and iTunes.

And a bonus:

6. A PR person that doesn't respond to media queries on legitimate security issues is a disservice to any company. Apple's weakness here tops the list.
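Item 5 is easy to check on a Windows box. What follows is an added example, not code from this column or from Apple: a Python audit that parses the output of the Windows `sc qc` service-configuration command and flags auto-start services that run as LocalSystem from a binary outside the Windows directory, which is exactly the iPod Service situation. The sample output is constructed here to mirror what `sc qc "iPod Service"` and `sc qc Spooler` print on XP; the binary path for iPodService.exe and the dependency lists are illustrative. The suggested fix is the stock `sc config <name> start= demand`, which leaves the service installed but stops it starting at boot.

```python
import re

# Constructed sample of `sc qc` output (the Windows XP service control tool) for two
# services: the iPod Service the column complains about and the built-in Print
# Spooler. Binary path and dependencies are illustrative, not captured from a machine.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: iPod Service
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\iPod\bin\iPodService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : iPod Service
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\spoolsv.exe
        LOAD_ORDER_GROUP   : SpoolerGroup
        TAG                : 0
        DISPLAY_NAME       : Print Spooler
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem
"""

# One "KEY : value" line of sc qc output; the value may be empty (LOAD_ORDER_GROUP).
FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Turn concatenated `sc qc` output into one dict of fields per service."""
    services = []
    for block in re.split(r"(?m)^SERVICE_NAME:", text)[1:]:
        name, _, body = block.partition("\n")
        svc = {"SERVICE_NAME": name.strip()}
        for line in body.splitlines():
            m = FIELD.match(line)
            if m:
                svc[m.group(1)] = m.group(2).strip()
        services.append(svc)
    return services


def audit(services, system_root=r"C:\WINDOWS"):
    """Flag auto-start services that run as LocalSystem from a binary outside the
    Windows directory: third-party code with full system privilege at every boot."""
    findings = []
    for svc in services:
        if "AUTO_START" not in svc.get("START_TYPE", ""):
            continue
        if svc.get("SERVICE_START_NAME", "").lower() != "localsystem":
            continue
        path = svc.get("BINARY_PATH_NAME", "").strip('"')
        if path.lower().startswith(system_root.lower() + "\\"):
            continue
        name = svc["SERVICE_NAME"]
        findings.append({
            "service": name,
            "binary": path,
            # sc.exe requires the space after 'start='; 'demand' means Manual start.
            "fix": f'sc config "{name}" start= demand',
        })
    return findings


if __name__ == "__main__":
    for f in audit(parse_sc_qc(SC_QC_OUTPUT)):
        print(f'{f["service"]}: {f["binary"]}\n  -> {f["fix"]}')
```

Against a real machine, feed the parser the output of `sc qc` for each service (`sc query` lists the names) instead of the embedded sample. Setting the service to Manual is the conservative fix; if no iPod will ever be connected, removing the service outright is better still, since code that is not installed cannot be exploited.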


Talkback

247 comments
  • Ryan, don't be surprised if...

    you wake up next to a horse head.

    Offending the Mac faithful is a brave move. I hope you're ready for the denial / lies / accusations of bias etc.
    Scrat
    • Oooh. Nice.

      Well played shoot the messenger fallacy. Now anyone who disagrees with the author
      can be smeared as a denier, liar and zealot.
      frgough
      • Ohhh...Nicerest

        I thought it was the "strawman argument". You're not allowed to point out that for some Apple users it doesn't matter how many bugs are reported in an Apple computer or who reports them; there are always plenty of Apple users around here to "disagree with the author", and then they usually finish off by pointing out that they are not saying Apples are perfect, just that the current report of a bug or vulnerability is either false or means nothing. For once, just once, I would like to see one of the usual Apple apologists admit that a reported flaw is in fact a real flaw that is something, as opposed to the usual nothing that Apple users relegate the vulnerability to.

        Let's face it, if a bug in the Chinese version of Excel is reported the Apple users make a huge deal out of it like the end of the world has arrived, because it's a Microsoft product, but a flaw in the Apple kernel means nothing. Maybe Apple users can fool themselves but they sure are not fooling anyone else.
        Cayble
    • Horse's not justified, perhaps a cat or something...

      But I still think the whole thing was much ado about nothing, or ho hum. Now
      patches have existed for OSX well before MOAB and during, and will continue well
      after MOAB. They often vary in size and complexity, i.e. I don't think any one
      patch has ever been exactly like another because they fix and alter different
      things.

      The "reason" I found the whole thing dull was that I never thought of OSX as
      perfect, just better. Therefore holes did not shock me in any fashion. Now a hole
      without an exploit is rather smallish to my way of thinking. A hole with no
      exploit, and one that even if there were an exploit would do limited harm, is even less
      impressive if you can imagine that.

      Pagan jim
      Laff
    • Haha, well done!!! (nt)

      .
      NonZealot
      • If you feel compelled to reply

        to someone below who is singling you out. Just remember to keep it clean and you will always have the high road. ;)
        xuniL_z
        • Interesting words coming from you.

          nt
          Hrothgar - PCLinuxOS User
    • Pre-emptive zealotry

      Good to see the anti-zealot zealots strike first. If only you guys had something interesting to say all your energy wouldn't be so wasted.
      tic swayback
      • Wickedly brilliant.

        At least you didn't stoop to marginalizing the reported flaws as usual, even if you refuse to acknowledge them.
        Cayble
    • Why should they be angry?

      Why should they be angry? Mac users get to make fun of Microsoft once a month like clockwork. ;)
      olePigeon
    • FINALLY

      Finally! A post from Ryan Naraine with a logical, well thought out story regarding security. I have renewed expectations of you now Ryan.

      In regards to the story, it's good to see Apple didn't just shrug the MOAB announcements off as "denial of service" vulnerabilities, but rather saw them for what they are, potential "code execution" vulnerabilities.

      For users, life is too short to worry about every single "possible arbitrary code execution" vulnerability that is released, but for the software developers, who have one thing to focus on in life (their code), these are definitely things that always need to be looked into.
      @...
    • And your point is?

      Why do all these silly people insist on "debating" simply by dredging up some misguided stereotypes?

      Could it be because the facts are not in their favor?

      Nah, they're probably just tragically insecure, like most prejudiced people.
      chanthing
  • Ou jr.

    Looks like Ou has passed the torch.
    frgough
    • So you admit you are a zealot?

      From your post above:
      [i]Well played shoot the messenger fallacy. Now anyone who disagrees with the author can be smeared as a denier, liar and zealot.[/i]

      Looks like Scrat was right! Zealot.
      NonZealot
        • Scrat was right

          His shoot the messenger fallacy allows anyone who disagrees with the author to be
          labeled a zealot.

        Congratulations on your part in playing the dupe who falls for the fallacy.
        frgough
        • Congratulations!

          That was a beautiful sidestep!!!

          Post that "shoot the messenger fallacy" garbage all you want... the fact remains that you can't dispute the points put forth in the article so you take digs at its author instead.
          Hallowed are the Ori
            • Haven't attacked the author myself but I still don't see

              his "vindication" point at all. It was, in my opinion, much ado about nothing.
              Without an actual exploit to be concerned about a hole isn't very impressive,
              especially holes that even if exploited would do little damage, as some in the MOAB
              case were revealed to be just such. I did not expect OSX to be perfect or holeless, so
              how was the recent patch a vindication? What has it proven that I did not already
              know? What has it changed for me?

            Pagan jim
            Laff
  • I was/am one of those "that was it" people.

    I'm glad Apple has patched and continues to patch, for I never assumed that OSX
    was perfect, just better, and I've yet to see any proof that my assumption is incorrect.

    Still, my "that was it" reaction was justified because a flaw without an exploit is,
    well, nothing to be overly concerned about. Concerned, yes, and one would hope
    as part of that concern that a flaw will be patched/fixed, no doubt. But will an
    exploitless flaw cause one to lose sleep? Break out into a sweat? Fail in the
    proper controlling of one's bowels? No, I think not, and my reaction still stands:
    "That was it?"

    Pagan jim
    Laff
    • The answer remains yes.

      The question:

      Are OS X users safer from viruses and malware right now than Windows users?
      frgough
      • That's because you are hardly in the crosshairs.

        When you do get targeted, the carnage will be vast. You folks have no practice at fighting malware. Also we have theoretical exploits. It doesn't worry me either. But I choose to use common sense so if you do also, you are no safer than I. Biggest security threat is the meat between the keyboard and chair. There is no patch for stupid. Getting tired of hearing about the bulletproof OS that doesn't exist.
        osreinstall