1.6 Beta writes "Landon Fuller, the Mac programmer/Darwin developer behind the 'month of Apple fixes' project, plans to expand the initiative to roll out zero-day patches for issues that put Mac OS X users at risk of code execution attacks. The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints at an auto-updating mechanism for the third-party patches. The article quotes him as saying, 'Perhaps [it could be] the Mac OS equivalent to ZERT,' referring to the Zero-day Emergency Response Team."
The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints at an auto-updating mechanism for the third-party patches.
Windows has an auto-updating mechanism for "third-party patches". It's called Internet Explorer.
And that, folks, is the good side of virus writing.
If you're going to do this, please put a sleep statement in between your 'attacks'. Welchia [wikipedia.org] worked but made no attempt to throttle network connections, swamping every network segment where it was active, and Microsoft's sites as well. If it had taken on one machine every fifteen minutes on a segment, nobody probably would have noticed.
I love the idea of zero day patches, it's very... at the risk of being labeled a fanboi, Apple-ish. I know a lot of people are going to be calling for Microsoft to do something similar, but that's not going to happen just because of the sheer number of patches M$ has to put out. That makes the idea of a zero-day response team even more advantageous to Apple because it would give them yet another advantage over Microsoft that Gates just can't match. Definitely a good move on Apple's part, both for its use
Apple isn't doing this, and Landon Fuller doesn't have anything to do with Apple, other than having worked there. (And no, conspiracy theorists, he's not doing this at Apple's behest or as part of some coordinated fanboy effort to "make Apple look good".)
What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now. Apple needs to be patching issues in a much more timely manner. Hopefully the outcome of MOAB, things like Fuller's proposal, and other related things will be a real discourse on Apple security response and Mac OS X security.
People who are close to Apple, or at least know how the company works, said they won't rush out untested OS patches/updates just because some idiot file fuzzer (can crash the kernel via broken DMG. http://en.wikipedia.org/wiki/Fuzz_testing [wikipedia.org]
In the professional world, people already ask AVID, Adobe, Quark before applying any OS updates, or they test it on a test machine for several days to make sure it won't break their work cycle.
I was only bugged about the QuickTime issue (which was exploited at MySpace) and Apple released the
Given how Apple seems to encourage use of DMGs for distributing Mac files (a Mac file is defined here as a file that contains actual information in the resource fork), I'd say a security issue (IIRC it was a "crash but potential arbitrary code" one) sounds pretty serious to me.
What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now.
I've heard claims that Apple is not responsive enough before, but never any real support for those claims. They've certainly been fast enough in responding to security bugs we sent them. It would always be nice if they were faster. If they had 1000 people waiting by the phone to instantly work on any security issues that came up, and rolled them out in hours on an unstable bran
Vint Cerf recently made a report to the UN committee on internet security. He said that maybe 25% of all computers tied to the internet are infected. We're currently seeing the highest spam levels in the history of the internet, much of which is being sent by botnets that contain thousands or hundreds of thousands of compromised machines. We've gotten to a point in history where 'hundreds of thousands of machines compromised' is no longer a newsworthy fact. It's so freaking common that people just look at it as an unpleasant fact of life.
And right in the middle of that context we have a few tens of millions of Macs that have been running unmolested for years.
I don't give a damn about your abstractions. I don't give a damn about your heuristics. I don't give a damn about your moral indignation that Apple doesn't run its entire business in a way that's consistent with the 0.3 seconds of what passes for thought that you've put into any given issue. I'm an empiricist. I care about what's actually happened.
What's actually happened is that there hasn't been a single large-scale compromise of the Mac platform since the introduction of OS X. What's actually happened is that Apple has been notified of several vulnerabilities over the past few years and has rolled out security updates to address them. In many cases, they've also listed the names of the people who notified them of the problem. What's actually happened is that Apple has continued to develop its security model and has built a whole new set of tools into Leopard that will make OS X even more secure than it is today.
There are exactly three classes of people who try to bang the "Macs are no more secure than Windows, but Mac users are too stupid to care" drum any more:
Apple haters
Lazy journalists who don't know or care shit about security but know that putting 'Apple' and 'security' in the headlines guarantees sales/page views/etc
'Security researchers' who either have a financial interest in selling AV software or are media-whore wannabees.
Please note that I do not place Landon Fuller in any of those categories. He isn't trying to sell the world the idea that Apple's sky is falling. He's talking about a fairly interesting concept of community involvement in the overall Apple security process.
I happen to disagree with the idea, personally.. IMO the chance of a zero-day patch breaking something is higher than the chance of a Mac getting infected between day zero and the time Apple releases an official patch (and yes, that includes all those issues that have been hanging out there unpatched for years.. show me the number of active exploits in the wild instead of just stuffing another set of panties into the wad currently wedged up your ass). I also see problems with trust and vetting. A MacZERT would presumably do some QA on the patches before distributing them, which leads to the same kinds of delays you get from Apple. And a MacZERT's capacity to look for unwanted side effects would be limited by the fact that outside third parties don't have all the relevant code.
I do see the possibility of large benefits from a community effort to isolate and develop proposed solutions to bugs, since that would help Apple's own security team with some of the heavy lifting. I think Apple could develop a good dialogue with the third-party security community through such a system.
But that has absolutely nothing to do with you. You're just another anti-fanboy out to spew meaningless FUD. The fact that you can't distinguish between "hundreds of thousands of compromised machines in a single botnet" and "no exploit of even a thousand machines over the past five years" means your opinion is too stupid to be taken seriously.
But seriously folks, this well has been poisoned. To my mind there are three highlight events associated with the whole, "Mac users need to get off their complacent butts" meme:
Symantec published a white paper with essentially that title. Its contents were a bunch of generalizations about complacency being bad and prevention being good.
About a month later they published another paper that boiled down to, "No, we don't know of any actual Mac exploits in the wild. No, we don't have a
It shouldn't be a marketing advantage, releasing patches with so little testing onto the general population. Yes patches should be released in a timely manner, but that would just be taking it to opposite extreme.
It's more risky running "zero day patches" than it is waiting a few days for any bugs with said patch to be flushed out.
Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.
When days become weeks and weeks become months waiting for the official patch to arrive, the risk equation (such as it is) may very well be worth it for some groups of users. Maybe not you, but it's no use foreclosing everyone who might be interested from that possibility. And even beyond that there's the whole Freedom to Tinker [freedom-to-tinker.com] thing. I personally found working on some
Given that Apple's not exactly famous for being Johnny-on-the-spot with security fixes, I don't quite get where you get "a few days" from.
Do tell, how slow is Apple to fix known security issues? My coworkers have submitted two security bugs to Apple that I know about. Both were local rather than remote, thus posed little risk to the average user. Both were fixed within a few weeks and credited the person who found them. In at least one instance of a more serious security issue Apple turned a fix around in 9 days from disclosure, which is bloody fast or a full dev/qa cycle at any real software company. So you do have some reason for believing Apple is slow to respond to real security concerns, don't you? I'm a bit less inclined to just assume you're right and a little more interested in some citations.
Well, one obvious example would be that it's now N days into February and only one of the MoAB bugs has a patch, and there is (as usual per Apple policy) no communication about what's being done with respect to the other bugs. Will they ever get fixed? Are they working on them? Who knows? Certainly not the user community and (again per policy) usually not the person that reported the problem either. My own experience (DHCP remote root a couple years ago) was that it took 2 1/2 months for a fix during which c
Well, one obvious example would be that it's now N days into February and only one of the MoAB bugs has a patch...
I take it you've never done commercial software development in your life? How exactly would you schedule a dev/qa cycle that gets all the bugs fixed and regression tested so that all the bugs at the beginning of the month and end of the month are fixed at the end of the month a day after the last, official bug is announced? Part of the reason the MoAB is so responsible is that spacing out bug
Almost all of the MOAB bugs have already been patched, including OS fixes by Apple. Some of the application fixes were released within hours of the public announcement of the bug. Yet NONE of those fixes have been linked on the MOAB website.
The normal processes are working. What is NOT working is the MOAB process. If they used the normal procedure of notifying the developers privately, these bugs could have been fixed in days or even hours, before any public disclosure. But that wouldn't achieve what the MOAB hackers wanted. MOAB isn't about security, it's about publicity whoring.
I wholeheartedly agree with the importance of notifying the vendor -- unfortunately, that's not always done. The point of "0-day" patches is to provide a security option where none currently exists.
These guys and organised trolls in the name of professional developer houses could be one of the worst ones the IT industry has ever seen.
I don't recall any security "blog" freezing the OS default browser to prove their 133t capabilities. I have also heard that the jp2 issue is a year-old bug which was never publici
This is not the first time that the MoAB team has had its fun at the expense of users. Those who tried to call not yet released advisories by guessing their file names were treated to extremely disgusting pornographic images. When heise Security reported on the matter and refused to retract its criticism, calling the action "childish", LMH accused Heise of being into "illegal, dishonest, malicious" activities.
He apparently just failed to understand that a German ver
You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash for years of flaky technical support, deceitful practices and arrogance on the part of the Mac community in general.
Yeah, that's clearly their intention after you look at the non-Apple issues such as the ones in OmniWeb, Transmit, VLC, Flip4Mac, Rumpus, et cetera. Clearly, those are an attack against Apple's "flaky technical support".
The claim that the "Mac community is arrogant" mystified me until I realized that people who make this claim are probably masking an inferiority complex of some sort. Most Macintosh users don't know enough about computers to be arrogant. They are, if anything, rather meek on the whole. I suspect that IT professionals whose experience is limited to Windows (which is, after all, most of them) resent the honestly dumbfounded looks they get from these fawn-eyed Mac users who innocently say things like, "Why
I realized that people who make this claim are probably masking an inferiority complex of some sort.
I can assure you that is not the case. I consider myself a Linux user above all else. As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on Slashdot. It seems that every post about OS X security or Apple's business practices ends with "but-but-but Windows!". That comes off as arrogant to me. I know there are plenty of exceptions. Just don't claim that I feel
As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on Slashdot. It seems that every post about OS X security or Apple's business practices ends with "but-but-but Windows!".
Yeah, well, same applies to posts about Linux, and about Windows. Newsflash: n% of all people are idiots. That applies to Mac users as well as to Linux or Windows users.
Your argument is out of context. You cannot compare intentionally malicious methods, like worms, with an intentionally educational or informational one, which is certainly not malignant. In this case, the proper method to do what MOAB is doing is to actually work with the developers directly, or Apple regarding OS issues. They can *also* post them to their site, but to just throw them up there as if they were gotchas... it's publicity whoring. Your argument boils down to bad OS karma. That's pretty wea
wait until OS X gets enough market share for these vulnerabilities to be bought, sold and used to compromise computers en masse.
Apple sells over five million new systems each year. There are probably about 20 or 25 million systems running Mac OS X right now. The financial incentive to exploit Mac OS X has been plenty high enough for a long time.
Botnets are rentable, and people peek at the prices now and then and report on it. I've seen numbers like this several times:
going rate for botnets: [blanchfield.com.au]
the going rate is around the USD$1,000 per hour for as many as 30,000 zombie PC's
If crackers could easily take over Mac OS X systems, they could make lots of money. Clearly, they can't easily own Mac OS X. There are plenty of systems to make it worth their while.
Although I agree that a Mac OS X worm would be bad publicity for Apple, and that Apple could improve the way they handle response to reported security defects, I think they have produced a reasonable track record over the past five years regarding the basic security of Mac OS X. Apple's security track record is due much more to the relatively weaker security of Windows systems than to Windows market dominance. Windows is low hanging fruit, crack-wise. If it were harder to own Windows systems, crackers would switch to Mac OS X in a flash. Crackers don't need to own 20 million systems, they really only need a few thousand at a time.
For somebody who took another to task for not putting numbers into context, perhaps you should have qualified the assertion above by stating that the linked article quotes two people, so in this case "many" should be read as "a couple".
...botnet owners are going for the easiest source of income.
Yeah, and he DID mention Windows as the "low hanging fruit", did he not? That does translate into the "easiest source of income".
Kinda makes our point. Doesn't matter if the Mac OS has vulnerabilities or not. Doesn't matter if his numbers are right or not. (Which, at the rate of sales per Q1 this year, may well be right.)
The point is, that Windows is so vulnerable, due in large part to lazy or uneducated users failing to patch their systems and
The Month of Apple Bugs couldn't even find 30 bugs in the OS itself to fill up a typical month, let alone 31 for the chosen month of January. Just how does that stack up to the huge number of vulnerabilities, exploits, viruses, worms and trojans now hitting even the 1/4 of all PCs you cite?
I'm sorry, but your balance seems just a bit skewed.
None of that changes the fact that your balance, like I noted, is skewed.
Nothing I said claimed that the Mac OS is invincible. You can take your Arty McStrawman back to where you drug him out from under some rock. What does matter is that, on balance, the Mac OS IS less vulnerable than the bug riddled mess that is Windows, which, like has been noted before, is much of the reason why malware writers go after Windows, and not the relative numbers.
You have to realize that MOAB isn't an unwarranted attack against Apple. It's backlash...
Oh, yeah, backlash. Is that why they inserted HTML code into the web page for day 29 that crashes Safari? Complete with a nasty little jibe at "loopers" (whatever that is???)
Complete bullshit.
These guys are only after the same thing Maynor and Ellch were after last summer - notoriety and publicity.
Anything that includes a hidden attack in the code of a web page is unethical, unwarranted, unprofessional and just plain
On this and the MOAB claims that Apple doesn't fix bugs that are reported thru the official channels. Show us specific, documented examples of bug reports sent to Apple that they have refused to address.
If MOAB doesn't like the attitudes of some users, then go kick some tires. But exhaust the official channels with Apple or 3d party developers, be professional, or you're going to be dismissed by professionals as dangerous and immature.
Instead, they've come out swinging at not only the Mac community that app
These are reasonable concerns and it shows that Apple is worrying about the bottom line more than the customer.
One of the reasons OS X will have better security than any Windows release for the foreseeable future is that Apple's bottom line is directly tied to the satisfaction of their customers. If the average OS X user starts to have problems because of worms, they switch to something else and Apple loses money. There is very little locking people in. You can even just install a new OS on the Mac. Most
iLife (doesn't lock me in, but it has 'locked' some people I know in -- even though they hate OS X)
Hardware (often not fully supported on other OSes)
Proprietary file formats, that prevent you from migrating things over (e-mail databases? music labellings [couldn't just use id3 with mp3s for storing all the information that is possible]?)
I don't see why this shouldn't be done. In fact, it makes a lot of sense for all platforms. Create a third party mechanism by which users/admins can patch Zero day/unpatched flaws that relies on a community effort to provide the patches. Simple. Except it really needs the support of the OS vendor, because at some point, when the vendor releases the patch, you'd want to be able to "turn off" the temporary one. You'd also need an agreed upon "Master List" of vulns, for tracking purposes.
You'd think that this kind of hand-in-hand cooperation would be a no-brainer, but I doubt it. Companies (here's looking right at Apple) still just haven't wrapped their heads around the open exchange of ideas; they are afraid that admitting flaws makes them -look- bad. Ewwww, poor coders. But in reality I think everyone who uses computers by this point in time KNOWS flaws happen... it isn't that they will happen, it has become what are you gonna do about it? And it is pure arrogance by the OS vendors to think that neither the community has the ability to create these patches nor that the users/admins are interested in them.
Really this is a thing that OS vendors should aspire to, integrating this kind of response mechanism into their existing Software Update suite would be a Good Thing.
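The comment above asks for two things a third-party patch mechanism would need: an agreed master list of vulnerabilities to key the fixes to, and a way to switch a temporary fix off once the vendor's official update covers the same issue. The block below is an added example of that bookkeeping logic; it is not code from the original thread, from Landon Fuller's project or from any real patch tool. The vulnerability identifiers (EXAMPLE-0001, EXAMPLE-0002), component names, patch names and version numbers are all constructed for illustration.

```python
"""Toy registry for third-party "zero-day patches".

Every temporary patch must reference an entry in a master list of
vulnerabilities; reconcile() disables any temporary patch whose vendor
fix is already installed, as judged by a dotted-version comparison.
Identifiers, versions and names below are made up for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '10.4.10' into (10, 4, 10) so versions compare numerically,
    not lexically ('10.4.10' must sort above '10.4.9')."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class MasterEntry:
    vuln_id: str                 # agreed identifier from the master list
    component: str               # what is affected
    fixed_in: Optional[str]      # vendor version carrying the fix, or None if unpatched


@dataclass
class TempPatch:
    vuln_id: str                 # master-list entry this patch addresses
    name: str                    # name of the third-party fix
    enabled: bool = True
    reason: str = ""             # why it was disabled, if it was


class PatchRegistry:
    def __init__(self, master: List[MasterEntry]) -> None:
        self.master: Dict[str, MasterEntry] = {e.vuln_id: e for e in master}
        self.patches: List[TempPatch] = []

    def register(self, patch: TempPatch) -> None:
        # A patch that does not map to a tracked vulnerability is refused:
        # the master list is what lets the vendor fix supersede it later.
        if patch.vuln_id not in self.master:
            raise ValueError(f"{patch.name}: {patch.vuln_id} is not in the master list")
        self.patches.append(patch)

    def reconcile(self, installed_version: str) -> List[TempPatch]:
        """Disable every temporary patch whose vendor fix is installed."""
        installed = parse_version(installed_version)
        for p in self.patches:
            entry = self.master[p.vuln_id]
            if entry.fixed_in is not None and installed >= parse_version(entry.fixed_in):
                p.enabled = False
                p.reason = f"superseded by vendor fix in {entry.fixed_in}"
        return self.patches

    def active(self) -> List[str]:
        return [p.name for p in self.patches if p.enabled]

    def superseded(self) -> List[Tuple[str, str]]:
        return [(p.name, p.reason) for p in self.patches if not p.enabled]


def demo(installed_version: str) -> List[str]:
    """Build a registry from constructed sample data, reconcile against the
    given OS version and return the names of the patches still active."""
    master = [
        MasterEntry("EXAMPLE-0001", "Java GIF decoder", fixed_in="10.4.9"),   # hypothetical
        MasterEntry("EXAMPLE-0002", "Finder DMG handling", fixed_in=None),    # hypothetical, unpatched
    ]
    reg = PatchRegistry(master)
    reg.register(TempPatch("EXAMPLE-0001", "gif-decoder-bounds-check"))
    reg.register(TempPatch("EXAMPLE-0002", "dmg-mount-guard"))
    reg.reconcile(installed_version)
    return reg.active()


if __name__ == "__main__":
    for version in ("10.4.8", "10.4.9", "10.4.10"):
        print(version, "->", demo(version))
```

On a system still at 10.4.8 both temporary patches stay enabled; once the installed version reaches the vendor's 10.4.9 the GIF-decoder fix is marked superseded and only the patch for the still-unfixed entry remains active. The numeric version parsing matters: a string comparison would wrongly treat 10.4.10 as older than 10.4.9 and leave a redundant patch in place.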
I guess Slashdot joined some of the major IT sites in not giving any "advertisement" to MOAB trolls. For example, Slashdot could publicise these idiots having an inline jp2 which will make Safari, which is a TABBED browser, freeze; other script kiddies may link it as their homepage on some zealot-fighting sites such as Digg.
BTW it didn't "try" to crash Safari, the default/preinstalled browser of an operating system, a tabbed browser. It actually froze it. It is again, not a security issue but could be a good troll tool.
IMHO if nobody has seen true face of these idiots, they should have seen on day 29.
PS: That JP2 is bad for the OS X Finder too; don't keep it on your disk, or don't browse that folder with Finder/Path Finder, whatever uses the Kakadu jp2 lib.
Quiet night tonight... not one Mac fanboy or anti-Mac troll has popped up yet, though I'm sure it's just a matter of time.
Reversing the broken code that people find and figuring out how to patch it can be a great, fun mental exercise if it's something you're interested in. The personal satisfaction from doing that is sometimes offset by all this seemingly inevitable rabblerousing between fanbois and, their complementary particle, anti-fanbois.
When fanbois and anti-fanbois come into contact they emit a special radiation that causes a temporal shift, known informally as "a colossal total waste of time", for anyone who happens to be reading or listening. For example, you're reading a technical thread, then two of these subsentient particles come into contact. They insist on threadjacking your discussion into an us versus them discussion that only tangentially involves the subject at hand and is logically irritating since it represents a false dilemma [wikipedia.org]. As you skip past the messages looking for some meaningful discussion and swearing about the state of technical discourse, you suddenly discover two hours have passed due to the temporal-moronic radiation.
Maybe people could study training Bayesian filters to delete those messages (or just delete the authors).
Uhm... in case you hadn't noticed, everyone who uses a cell phone in the United States is talking about the Apple iPhone. I'd say the current status of the iPhone is more like: "the most insanely successful publicity coup that has ever been executed by a corporation for a single product."
So you claim Rob Malda (CmdrTaco) got a "free PowerBook" from Apple to post this story.
It is good to see the profile of MOAB supporters on Slashdot, considering the fact that MOAB people aren't much different: they have somehow learned how to fuzz files, use gdb, or use jp2 to freeze Safari on public pages.
Let's drop the cognitive dissonance, shall we?
Enh, probably..
http://www.isfym.com/site/blog/C65B4D05-6B0F-46AB-9D15-9B841876FEF1.html [isfym.com]
These guys and organised trolls in name of professional developer houses could be one of the worst ones IT industry ever seen.
I don't recall any security "blog" freezing OS default browser to prove their 133t capabilities. I have also heard that jp2 issue is a year old bug which was never publici
Re: (Score:2)
These guys and organised trolls in the name of professional developer houses could be one of the worst the IT industry has ever seen.
Yeah, they are real security "experts" [heise-security.co.uk]
Re:Unnecessary. (Score:5, Insightful)
Yeah, that's clearly their intention after you look at the non-Apple issues such as the ones in OmniWeb, Transmit, VLC, Flip4Mac, Rumpus, et cetera. Clearly, those are an attack against Apple's "flaky technical support".
arrogance (Score:2, Insightful)
Re: (Score:3, Interesting)
I can assure you that is not the case. I consider myself a Linux user above all else. As for the arrogance, I can only speak about those I've come in contact with, which is mainly here on slashdot. It seems that every post about OS X security or Apple's business practices ends with "but-but-but Windows!". That comes off as arrogant to me. I know there are plenty of exceptions. Just don't claim that I feel
Re: (Score:2)
Yeah, well, same applies to posts about Linux, and about Windows. Newsflash: n% of all people are idiots. That applies to Mac users as well as to Linux or Windows users.
Re: (Score:2)
I can assure you that is not the case. I consider myself a Linux user above all else.
Re: (Score:2)
If our opinion of humanity was based on comments posted to Slashdot, I think we'd have all shot ourselves by now.
Re: (Score:2)
Your argument boils down to bad OS karma. That's pretty wea
bo-oh-oh-oh-oh-gus! (Score:5, Interesting)
Although I agree that a Mac OS X worm would be bad publicity for Apple, and that Apple could improve the way they handle response to reported security defects, I think they have produced a reasonable track record over the past five years regarding the basic security of Mac OS X. Apple's security track record is due much more to the relatively weaker security of Windows systems than to Windows market dominance. Windows is low hanging fruit, crack-wise. If it were harder to own Windows systems, crackers would switch to Mac OS X in a flash. Crackers don't need to own 20 million systems, they really only need a few thousand at a time.
Re: (Score:2)
For somebody who took another to task for not putting numbers into context, perhaps you should have qualified the assertion above by stating that the linked article quotes two people, so in this case "many" should be read as "a couple".
Re: (Score:2)
Yeah, and he DID mention Windows as the "low hanging fruit", did he not? That does translate into the "easiest source of income".
Kinda makes our point. Doesn't matter if the Mac OS has vulnerabilities or not. Doesn't matter if his numbers are right or not. (Which, at the rate of sales per Q1 this year, may well be right.)
The point is, that Windows is so vulnerable, due in large part to lazy or uneducated users failing to patch their systems and
Re: (Score:2)
The Month of Apple Bugs couldn't even find 30 bugs in the OS itself to fill up a typical month, let alone 31 for the chosen month of January. Just how does that stack up to the huge number of vulnerabilities, exploits, viruses, worms and trojans now hitting even the 1/4 of all PCs you cite?
I'm sorry, but your balance seems just a bit skewed.
Re: (Score:2)
Nothing I said claimed that the Mac OS is invincible. You can take your Arty McStrawman back to where you drug him out from under some rock. What does matter is that, on balance, the Mac OS IS less vulnerable than the bug riddled mess that is Windows, which, like has been noted before, is much of the reason why malware writers go after Windows, and not the relative numbers.
Nice try at changing the subject...
Re: (Score:2)
Oh, yeah, backlash. Is that why they inserted html code into the web page for day 29 that crashes Safari? Complete with a nasty little jibe at "loopers" (whatever that is???)
Complete bullshit.
These guys are only after the same thing Maynor and Ellch were after last summer - notoriety and publicity.
Anything that includes a hidden attack in the code of a web page is unethical, unwarranted, unprofessional and just plain
I call BS (Score:2)
Show us specific, documented examples of bug reports sent to Apple that they have refused to address.
If MOAB doesn't like the attitudes of some users, then go kick some tires. But exhaust the official channels with Apple or 3rd party developers, be professional, or you're going to be dismissed by professionals as dangerous and immature.
Instead, they've come out swinging at not only the Mac community that app
Artie strikes again! (Score:2)
Yeah... Although I think it's mostly Artie MacStrawman [crazyapplerumors.com] who's responsible for the Mac community's bad image.
Re: (Score:2)
These are reasonable concerns and it shows that Apple is worrying about the bottom line more than the customer.
One of the reasons OS X will have better security than any Windows release for the foreseeable future is that Apple's bottom line is directly tied to the satisfaction of their customers. If the average OS X user starts to have problems because of worms, they switch to something else and Apple loses money. There is very little locking people in. You can even just install a new OS on the Mac. Most
Re: (Score:2)
Except for
Apt-get? (Score:4, Funny)
He's going to port apt-get to OS X?
Too late! (Score:3, Informative)
Good idea, but needs support it won't get (Score:3, Interesting)
You'd think that this kind of hand-in-hand cooperation would be a no-brainer, but I doubt it. Companies (here's looking right at Apple) still just haven't wrapped their heads around the open exchange of ideas; they are afraid that admitting flaws makes them -look- bad. Ewwww, poor coders. But in reality I think everyone who uses computers by this point in time KNOWS flaws happen...it isn't that they will happen, it has become what are you gonna do about it? And it is pure arrogance by the OS vendors to think that neither the community has the ability to create these patches nor the users/admins are interested in them.
Really this is a thing that OS vendors should aspire to, integrating this kind of response mechanism into their existing Software Update suite would be a Good Thing.
Re: (Score:2)
I guess I would agree though, MS won't be able to match it, or they'll need to fix the fix.
Re: (Score:2)
They are too busy hugging iPhone brochures and feeding up their credit cards.
Re:no trolls?! (Score:5, Interesting)
MOAB includes hack attempt [isfym.com]
Re:no trolls?! (Score:4, Interesting)
BTW it didn't "try" to crash Safari, the default/preinstalled browser of an operating system, a tabbed browser. It actually froze it. It is, again, not a security issue but could be a good troll tool.
IMHO if nobody has seen the true face of these idiots, they should have seen it on day 29.
ps: That JP2 is bad for OS X Finder too, don't keep it on your disk or don't browse that folder with Finder/Path Finder, whatever uses the Kakadu jp2 lib.
Re:no trolls?! (Score:5, Interesting)
When fanbois and anti-fanbois come into contact they emit a special radiation that causes a temporal shift, known informally as "a colossal total waste of time", for anyone who happens to be reading or listening. For example, you're reading a technical thread, then two of these subsentient particles come into contact. They insist on threadjacking your discussion into an us versus them discussion that only tangentially involves the subject at hand and is logically irritating since it represents a false dilemma [wikipedia.org]. As you skip past the messages looking for some meaningful discussion and swearing about the state of technical discourse, you suddenly discover two hours have passed due to the temporal-moronic radiation.
Maybe people could study training Bayesian filters to delete those messages (or just delete the authors).
iPhone a public fiasco? (Score:2)
Re: (Score:2)
It is good to see the profile of MOAB supporters on Slashdot, considering the fact that MOAB people aren't much different; they have somehow learned how to fuzz files, use gdb or use jp2 to freeze Safari on public pages.
Re: (Score:2)