
Two flaw hunters, Kevin Finisterre and the pseudonymous LMH, say that each day in January, they will feature a security hole in Apple Computer's Mac OS X or applications for that operating system. Like previous efforts, which concerned Web browser and kernel flaws, the "Month of Apple Bugs" is meant to improve security, the two state on their Web site. Flaws that are publicly disclosed will get fixed quickly, they argue.
"Some of us use OS X on a daily basis. Getting problems solved makes that use a bit safer each day," LMH and Finisterre wrote on the project Web site. "A constructive side effect, probably, will be a more concerned user base and better practices from the management side of Apple."
While the researchers argue that the public exposure of flaws is for the greater good, not everyone agrees. After all, giving out details of a bug in software without notifying its maker and without a patch being available puts users at risk, critics say. It goes exactly against the "responsible disclosure" practices advocated by software companies.
For example, the Month of Apple Bugs includes detailed exploit code that could provide ammo to hackers for use in attacks. Software makers are sent scrambling to address the flaws.
That's exactly what the people behind the campaigns want. The approach was inspired by July 2006's "Month of Browser Bugs," set up by HD Moore, a well-known security researcher and developer of the popular Metasploit security tool. That effort was followed in November by the "Month of Kernel Bugs" project, run by LMH.
"My experience has shown that the fastest way to secure a piece of software is to release a working exploit for it," Moore said in an e-mail interview Wednesday. "Users will get software patched in a much timelier manner. They can also take precautions they didn't know to do before."
The bug releases reignite the responsible disclosure debate. Software makers want bug hunters to report flaws privately to them and to give them time to fix the problems. Researchers have complained that software companies ignore them and take much too long to address the reported problems.
"Responsible disclosure can't work. People do whatever they want," said Pete Lindstrom, an analyst with Burton Group. Still, a parade of zero-day bug releases obviously doesn't serve the Net public, he added. "These initiatives are always more about the egos of the bug finders than anything else," Lindstrom said.
Apple has said that it is aware of the project, but has chosen not to comment beyond saying in an e-mail message to CNET News.com that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
However, it would have been better if Apple or the applicable software maker had been given at least some time to address the issue. "There is something to be said for both sides, but I would rather hear about the findings after Apple released a new Security Update," McLaughlin said.