Mac Developer mulling OS X equivalent of ZERT

Summary: Landon Fuller, a former engineer in Apple's BSD Technology Group, believes there's a place for immediate, third-party patches when there's a legitimate threat of code execution attacks. Now, he's mulling a plan to expand the month-of-Apple-fixes initiative.

Now that the Month of Apple Bugs project is done, Landon Fuller just wants some rest. Then, if his buddies are up to it, the brain behind the month of Apple fixes counter-project wants to expand the initiative to provide "zero-day patches" for critical issues affecting Mac OS X users.

"Perhaps [it could be] the Mac OS equivalent to ZERT," Fuller said, referring to the Zero-day Emergency Response Team, a group of respected security pros that offer unofficial patches during malware crises.

Fuller, a former engineer in Apple's BSD Technology Group and one of the primary architects of the Darwin ports system, believes there's a place for immediate, third-party patches when there's a legitimate threat of code execution attacks.

"I don't think I could ever survive another month of bugs," he says with a laugh. "[But] I'd like to see some longer lasting positive efforts result from all of this. In my day job, I'm the Director of Infrastructure for a small games company -- we have a number of Macs, and I'd like a tool for patching them if the need arises," Fuller added.

"This is more about providing the option, as well as fixing the issues for our own use. I kind of think of it as the open source ethos applied," he said.

Fuller's group started floating the idea for life after MOAB in mid-January when Sun issued a warning for a nasty code execution flaw in Java's GIF image decoder. Because the vulnerability allowed the execution of arbitrary code within the JVM via any Java applet, Fuller created a temporary patch for Mac OS X. (Apple is responsible for porting and maintaining the Java Runtime Environment, meaning that Mac OS X users are still vulnerable to the Java GIF issue.) "The Java bug is an example [of what we can do going forward]. I'd like to improve upon our code a bit; I've considered implementing some sort of secure auto-update feature," he explained.

Throughout the MOAB project, Fuller and a group of volunteers -- mostly close friends -- collaborated on a Google Group to respond to each reported issue with a runtime fix. The group spent between 2 and 8 hours a day coding and testing the fixes but deliberately punted on patching kernel bugs because, as Fuller explains, "the cost for a mistake in a kernel patch is very high."

Software vendors -- and security experts -- generally caution against using unofficial patches because of the risk of violating support contracts or breaking existing applications, but there's a strong argument that an emergency fix is better than nothing at all during zero-day malware attacks.

Fuller's team applied a buyer-beware tag to their fixes and positioned the project as providing an option for Mac OS X users who could have been at risk when MOAB flaw information was publicly released without Apple getting a chance to create patches. "There are absolutely downsides to third party fixes, and as a business, I'd be very, very careful before choosing to install one," he said, explaining that one of the advantages of his project was the use of runtime patches that could be easily removed or disabled.

The MOAB fixes team brainstormed the idea of coordinating with the MOAB hackers -- L.M.H. and Kevin Finisterre -- but, after some back-and-forth, decided against it. However, Fuller believes MOAB helped to raise awareness about insecurities in the Mac ecosystem, even if it was unfortunate that users were caught in the crossfire.

"I'm interested to see the ramifications that it has on the overall Macintosh security debate, if any. In the community, I do think that there is often a general dismissiveness of security concerns. I think that's very unfortunate, as these are very complex issues and I feel that they're important enough to deserve a fair evaluation. The Mac has a great security track record, but I think there's great value in asking 'why?'" he argued.

  • Heroes and anti-heroes

    The two seemed like Satan and God, but together MOAB and MOAB-fixes have
    improved security awareness on the Mac. I hope Apple leverages their initiatives to
    make the Mac the most secure system ever.
    • Already done

      The Mac still is the most secure system ever. It was before Maynor's buddies tried
      "let's diss the Mac because we hate Mac users" part 2, and it was afterwards.

      No details were released, but I suspect Fuller didn't work in cooperation with the
      MOAB jerks precisely because they were a couple of snotty irresponsible jackass Mac
      haters who took a month-long bath in a giant tu quoque fallacy and patted
      themselves on the back for showing those smug little Mac using hippies.
      • Yeah..

        I'm sure you're qualified to speak on any of
        this. What do you do for a living and where is
        your degree from again?

        Fact remains, OS X has almost no security
        measures in place, because they've never had to
        deal with it. The sooner you realize this, the
        sooner you can start sounding remotely
        intelligent. Also, if you're going to edit your
        foaming, at least remove the random line breaks
        their parsing mechanism puts in.

        To summarize OS X security:

        Role based security: NO
        Sandbox security: NO
        Code Level Permissions: NO

        So in reality, no security, whatsoever.
  • Hopefully...

    Microsoft doesn't try to patent zero day updates, or software updates in general. What am I thinking...the patent application is most likely already in the mail.
  • Landon Fuller just wants some rest.

    Poor baby.
  • One thing for sure.

    He definitely doesn't have the stamina to handle a bigger OS than OSX (like Windows) if just one month tired him out. MS engineers do this every day of every month as a steady job. Pays very well too, from what I hear :-). If he needs a rest, think of the rest the MS patch folks need. OSX is secure more because it was built on a pretty secure OS from the get-go than anything Apple did. MS created theirs from scratch. The headache is naturally going to be more when you do anything from scratch. Unix-based systems have been around for decades for use by engineers that designed it to be an engineer's OS. Windows was designed to be a consumer OS from the beginning. With all its flaws and security issues, I think it's done a pretty good job - and the MS patch folks should be commended for being in a nonstop rotation of issues. Some would say that they have a job that is created by the lax programming of other MS engineers; could be. But when you are the big dawg, you get the most attention. The programmers are human too; not robots. They won't get everything right. Bush has used 100's of billions in Iraq and it's not right either. You'd think that with all that money, you could buy "getting it right". It will never happen. As long as humans are involved, getting it "exactly right" will always be a challenge and will also always take time. It's good to see the Mac folks see how difficult a life they would have if they had the marketshare of a MS. Life would surely be different for Apple!
    • what are you talking about?

      For almost all patching of Windows boxes on my network, I read a system-generated 1-page report. It's automated beyond belief, and I spend very little time on it.
      Occasionally there is a need for manual intervention, but I waste far more time pulling files off backups because some designer (on a Mac) trashed then saved over a file.

    --seem to be software related. The hardware engineers are perfected beings but the software engineers are dolts!
    • HA! Good one Balthor!...

      Sometimes you really do make sense! :)

      I've wondered many a time if some problems aren't actually related to bit flip and such; and of course, hardware engineers haven't looked hard enough at how to prevent firmware flash exploits.

      If the quantum architecture gets any smaller, they will be using DNA molecules for switches!
  • RE: Mac Developer mulling OS X equivalent of ZERT

    Sounds like a fine idea. However, NoScript blocked the proof-of-concept code from executing on my computer. I could have given it specific permission to continue, but did not.

    IMHO NoScript does a fine job of fool proofing OS X from browser related attacks. Of course nothing could idiot proof it.
    • Yes but, what about the trusted sites?

      The ones you turn NoScript off for. Even trusted sites are getting pwned nowadays; so you really missed a chance to mitigate that factor.

      Also the patches are probably very easy to remove/disable when the OEM patch comes out.

      I had forgotten about ZERT; I'll have to inform my Apple Mac buddies of this.
  • Use a real computer with real exploit mitigation...

    And you won't have these issues.