Month of Apple bugs hacker signs off

Summary: The controversial MOAB (Month of Apple Bugs) project crossed the finish line today with a cryptic "coming soon" note, a promise to release an exploit for a remote kernel vulnerability and a vow from one of the organizers to stop publicizing his flaw findings. "My time disclosing exploits is over," said L.


The controversial MOAB (Month of Apple Bugs) project crossed the finish line today with a cryptic "coming soon" note, a promise to release an exploit for a remote kernel vulnerability and a vow from one of the organizers to stop publicizing his flaw findings.

"My time disclosing exploits is over," said L.M.H., the mysterious hacker who released daily warnings about software bugs -- and potentially serious vulnerabilities -- affecting Mac OS X users.  "No more open security stuff," he said in an interview moments after releasing the project's final advisory, which hints that a remote kernel flaw exploit is in the works. 

"I will roll an exploit but, after that, I'm going to stop disclosing stuff," L.M.H. added.

For the entire month of January, L.M.H. teamed up with Mac OS X security specialist Kevin Finisterre and others to release proof-of-concept exploits for issues affecting the Mac ecosystem. For the most part, the project did not live up to the early hype. Outside of a QuickTime code execution issue, which has already been patched by Apple, the majority dealt with denial-of-service crashes and privilege escalation bugs, but security researchers warn against downplaying the MOAB findings.

"A lot of people will try to discount those as trivial bugs because they're not weaponized.  If someone took the time to weaponize them, they could be very serious," says David Maynor, CTO and founder of Errata Security, a consulting and product testing company.  "From my understanding, the goal of the project was not to release weaponized exploits.  It was just to highlight that there are trivially bad programming practices in the Mac OS X operating system. Simple things like format string overflows, stack overflows... Other software vendors are eradicating those types of flaws but they are still plentiful in the Mac OS X," said Maynor.

Maynor believes L.M.H. and Finisterre "achieved the goal" of highlighting major weaknesses in the Mac ecosystem and raising awareness of Apple's perceived smugness when it comes to acknowledging security issues in its software products. "Hopefully, Apple learned that it's not a good thing to deal with security through a PR-type response. I really don't think we'll see a difference there but hopefully the message was loud and clear," said Maynor, a researcher who was himself embroiled in a flaw disclosure dispute with Apple.

The project was not without critics -- in and outside of the notoriously finicky security research community. Matasano Security's Thomas Ptacek, a self-confessed detractor of what he calls the MOXB phenomenon, recently conducted an informal 'MOAB-pro-or-con?' survey of his peers and found that it largely polarized the vulnerability research community.

L.M.H., who appears sensitive to public criticism, summed up the project this way: "The project met its objectives and I'm certainly proud of the results. There are different approaches to making change -- aggressive and not-so aggressive -- but I don't think the security industry is going to change much. I think our job is done."

  • yeah... these guys really showed those mac users??? what a joke...

    really shook things up... hey Maynor, where's your wireless exploit? these guys are complete morons.

    ask your colleague Mr. Ou when he's going to finally put out that super top secret info on that "exploit" he had in his back pocket and going to release in a "couple of days"... the counter is what... 6 months now?

    if making Mac users even more smug than they were before last month is success.. then yes, absolutely they succeeded... these jokers need to find a new day job.
    • (nt) A little defensive, are we?

      • I would not call that defensive....

        just calling the losers who try to smear Apple in the hopes of cutting off yet another option for people.

        Point is...the MOAB was a complete joke. Interested to see what the non zealot types with no axe to grind will start spouting now.
        • I do admit to wondering about the likes of George Ou

          my buddy NonZealot and such. After all is there a defense meaning that hey this
          month was chock full of REAL danger and such. If it was I missed it.

          Pagan jim
    • Or just simply

      find a job. Period. LMH and his smug grandstanding just looked to me like he was
      trying to attract a consulting contract somewhere by drawing attention to his
      expertise through the media. I think the MoAB project was a fizzle.
  • They crossed another kind of line when they embedded a DoS hack...

    • Not with a bang...

      ...but with a whimper.

      Eh, big deal. So much for the apocalypse.
      tic swayback
      • Several of the Bugs...

        Were for software that Apple didn't write and didn't come with their computers, they were 3rd party apps.

        Also some of them were local only exploits, which for personal use is probably not a big concern for most Mac users.
  • Well it seemed a bit Ho Hum to me.....

    Pagan jim
    • didn't care like most people here...

      never did visit the site but I'm sure if they found some major flaw we would have heard about it here. btw, I just lit up a cigarette...jk!!

      gnu/ choice to the neX(11)t generation.
      Arm A. Geddon
  • Close your eyes

    Of course when a pigeon closes its eyes the cat doesn't eat it. There is no danger till we keep our eyes closed so let's maintain the status quo. Oh and BTW to all non-Mac users - There are no threats to people only editing images and videos or typing English alphabet in a big textbox and hitting submit. We can do all that serious stuff despite the MOAB threat. Cheers, we are safe!
  • One month of Apple FUD ending with the release of Vista

    You could probably get a bug an hour for a couple of months on Vista but I don't
    think that was the point. The point was to inflict a negative spin on Apple's
    outstanding security record right before the release of Vista and to somehow
    insinuate that Microsoft makes secure operating systems.