
Mac Developer Mulls Zero-day Security Response

Posted by CowboyNeal
from the in-the-nick-of-time dept.
1.6 Beta writes "Landon Fuller, the Mac programmer/Darwin developer behind the 'month of Apple fixes' project, plans to expand the initiative to roll out zero-day patches for issues that put Mac OS X users at risk of code execution attacks. The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints at an auto-updating mechanism for the third-party patches. The article quotes him as saying, 'Perhaps [it could be] the Mac OS equivalent to ZERT,' referring to the Zero-day Emergency Response Team."


  • by User 956 (568564) on Friday February 02, 2007 @12:02AM (#17854674) Homepage
    The former engineer in Apple's BSD Technology Group has already shipped a fix for a nasty flaw in Java's GIF image decoder and hints at an auto-updating mechanism for the third-party patches.

    Windows has an auto-updating mechanism for "third-party patches". It's called Internet Explorer.
  • by MillionthMonkey (240664) on Friday February 02, 2007 @12:06AM (#17854702)

    Because the vulnerability allowed the execution of arbitrary code within the JVM via any Java applet, Fuller created a temporary patch for Mac OS X.
    Can he write an applet that runs the installer using the vulnerability? That would be really convenient.
    • And that, folks, is the good side of virus writing.
      • by bendodge (998616)
        But - the bad PR would kill his credibility, and cause people to distrust third party patches even more.
        • by rbarreira (836272)
          Especially if the patch caused any problems for the computer...
          • by Da Fokka (94074)

            Especially if the patch caused any problems for the computer...
            Yeah, like breaking the third party auto-update feature.

      • And that, folks, is the good side of virus writing.

        If you're going to do this, please put a sleep statement in between your 'attacks'. Welchia [wikipedia.org] worked but made no attempt to throttle network connections, swamping every network segment where it was active, and Microsoft's sites as well. If it had taken on one machine every fifteen minutes on a segment, nobody probably would have noticed.
    • Maybe he could get the games company he works for [threerings.com] to do it? Their games are in Java.

      And it's not like you don't have to spend ages configuring games anyway.

  • Quite nice (Score:1, Insightful)

    I love the idea of zero day patches, it's very... at the risk of being labeled a fanboi, Apple-ish. I know a lot of people are going to be calling for Microsoft to do something similar, but that's not going to happen just because of the sheer number of patches M$ has to put out. That makes the idea of a zero-day response team even more advantageous to Apple because it would give them yet another advantage over Microsoft that Gates just can't match. Definitely a good move on Apple's part, both for its use
    • by daveschroeder (516195) * on Friday February 02, 2007 @12:22AM (#17854812)
      Apple isn't doing this, and Landon Fuller doesn't have anything to do with Apple, other than having worked there. (And no, conspiracy theorists, he's not doing this at Apple's behest or as part of some coordinated fanboy effort to "make Apple look good".)

      What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now. Apple needs to be patching issues in a much more timely manner. Hopefully the outcome of MOAB, things like Fuller's proposal, and other related things will be a real discourse on Apple security response and Mac OS X security.
      • by Ilgaz (86384)
        People who are close to Apple or at least know how the company works said they won't rush out untested OS patches/updates just because some idiot file fuzzer (can crash the kernel via a broken DMG; http://en.wikipedia.org/wiki/Fuzz_testing [wikipedia.org])

        In the professional world, people already ask AVID, Adobe, Quark before applying any OS updates, or they test it on a test machine for several days to make sure it won't break their work cycle.

        I was only bugged about Quicktime issue (which was exploited at Myspace) and Apple released the
        given how apple seems to encourage use of dmgs for distributing mac files (a mac file is defined here as a file that contains actual information in the resource fork) i'd say a security issue (iirc it was a "crash but potential arbitrary code" one) sounds pretty serious to me.
      • Re: (Score:3, Insightful)

        What Apple should be doing is developing a much more comprehensive and responsive security response group, which is lacking now.

        I've heard claims that Apple is not responsive enough before, but never any real support for those claims. They've certainly been fast enough in responding to security bugs we sent them. It would always be nice if they were faster. If they had 1000 people waiting by the phone to instantly work on any security issues that came up, and rolled them out in hours on an unstable bran

    • Re: (Score:3, Insightful)

      by AlanS2002 (580378)
      It shouldn't be a marketing advantage, releasing patches with so little testing onto the general population. Yes patches should be released in a timely manner, but that would just be taking it to opposite extreme.
    • Re: (Score:1, Troll)

      by loid_void (740416) *
      What I like is that along with the innovation, Apple continues to think more about the customer than M$, in more ways than one. Fanboy, yup.
  • Unnecessary. (Score:5, Insightful)

    by sakusha (441986) on Friday February 02, 2007 @01:22AM (#17855204)
    Almost all of the MOAB bugs have already been patched, including OS fixes by Apple. Some of the application fixes were released within hours of the public announcement of the bug. Yet NONE of those fixes have been linked on the MOAB website.

    The normal processes are working. What is NOT working is the MOAB process. If they used the normal procedure of notifying the developers privately, these bugs could have been fixed in days or even hours, before any public disclosure. But that wouldn't achieve what the MOAB hackers wanted. MOAB isn't about security, it's about publicity whoring.
    • Re: (Score:2, Informative)

      by landonf (905751)
      I wholeheartedly agree with the importance of notifying the vendor -- unfortunately, that's not always done. The point of "0-day" patches is to provide a security option where none currently exists.
    • by Ilgaz (86384)
      I think it would also be very bad to link to the MOAB site to make people's Safari browser freeze with a tab having non-submitted webmail waiting?

      http://www.isfym.com/site/blog/C65B4D05-6B0F-46AB-9D15-9B841876FEF1.html [isfym.com]

      These guys and organised trolls in the name of professional developer houses could be one of the worst ones the IT industry has ever seen.

      I don't recall any security "blog" freezing OS default browser to prove their 133t capabilities. I have also heard that jp2 issue is a year old bug which was never publici
      • by Lars T. (470328)

        These guys and organised trolls in the name of professional developer houses could be one of the worst ones the IT industry has ever seen.

        Yeah, they are real security "experts" [heise-security.co.uk]

        This is not the first time that the MoAB team has had its fun at the expense of users. Those who tried to call not yet released advisories by guessing their file names were treated to extremely disgusting pornographic images. When heise Security reported on the matter and refused to retract its criticism, calling the action "childish", LMH accused Heise of being into "illegal, dishonest, malicious" activities.
        He apparently just failed to understand that a German ver

  • Yeah, right... (Score:1, Flamebait)

    by vought (160908)
    The former engineer in Apple's BSD Technology Group

    Not sure I'd trust zero-day patches from a guy who couldn't hack it working for Avie.

    Just sayin'.
  • Apt-get? (Score:4, Funny)

    by MECC (8478) * on Friday February 02, 2007 @08:20AM (#17857236)
    auto-updating mechanism for the third-party patches.

    He's going to port apt-get to OS X?

  • by ScooterComputer (10306) on Friday February 02, 2007 @09:48AM (#17857796)
    I don't see why this shouldn't be done. In fact, it makes a lot of sense for all platforms. Create a third party mechanism by which users/admins can patch Zero day/unpatched flaws that relies on a community effort to provide the patches. Simple. Except it really needs the support of the OS vendor, because at some point, when the vendor releases the patch, you'd want to be able to "turn off" the temporary one. You'd also need an agreed upon "Master List" of vulns, for tracking purposes.

    You'd think that this kind of hand-in-hand cooperation would be a no-brainer, but I doubt it. Companies (here's looking right at Apple) still just haven't wrapped their heads around the open exchange of ideas; they are afraid that admitting flaws makes them -look- bad. Ewwww, poor coders. But in reality I think everyone who uses computers by this point in time KNOWS flaws happen...it isn't that they will happen, it has become what are you gonna do about it? And it is pure arrogance by the OS vendors to think that neither the community has the ability to create these patches nor that the users/admins are interested in them.

    Really this is a thing that OS vendors should aspire to, integrating this kind of response mechanism into their existing Software Update suite would be a Good Thing.
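The retirement logic that post sketches (a temporary third-party patch keyed to an entry in an agreed-upon master list of vulnerabilities, switched off once the vendor's own fix is installed) as an added Python example. This is not code from the page or from Fuller's project; the vulnerability ids, component names and version numbers are constructed placeholders, and on a real system the installed versions would be read from the component rather than passed in as a dictionary.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.5.0_07' or '10.4.8' into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class TempPatch:
    vuln_id: str              # id in the agreed-upon master list (hypothetical ids below)
    component: str            # what the temporary patch hooks, e.g. "Java" or "QuickTime"
    fixed_in: Optional[str]   # vendor version that closes the hole; None while none exists
    enabled: bool = True


class PatchRegistry:
    """Tracks third-party temporary patches and retires them when the vendor fix lands."""

    def __init__(self, patches: List[TempPatch]) -> None:
        self.patches: Dict[str, TempPatch] = {p.vuln_id: p for p in patches}

    def record_vendor_fix(self, vuln_id: str, version: str) -> None:
        """The vendor has shipped a fix: remember which version contains it."""
        self.patches[vuln_id].fixed_in = version

    def reconcile(self, installed: Dict[str, str]) -> List[str]:
        """Turn off every temporary patch whose component is at or past the vendor fix.

        `installed` maps component name to the version on the machine (constructed
        here; a real agent would read it from the bundle's Info.plist or the tool's
        own version output). A patch with no known vendor fix, or for a component
        we cannot find, stays enabled: silently dropping a mitigation is the
        unsafe direction, so the registry only retires on positive evidence.
        """
        retired: List[str] = []
        for p in self.patches.values():
            if not p.enabled or p.fixed_in is None:
                continue
            current = installed.get(p.component)
            if current is None:
                continue
            if parse_version(current) >= parse_version(p.fixed_in):
                p.enabled = False
                retired.append(p.vuln_id)
        return sorted(retired)

    def active(self) -> List[str]:
        """Ids of temporary patches that should still be applied."""
        return sorted(v for v, p in self.patches.items() if p.enabled)


def sample_registry() -> PatchRegistry:
    """Constructed sample data: ids, components and versions are placeholders, not real advisories."""
    return PatchRegistry([
        TempPatch("EX-2007-001", "Java", "1.5.0_07"),   # vendor fix already announced
        TempPatch("EX-2007-002", "QuickTime", None),    # no vendor fix yet
        TempPatch("EX-2007-003", "Finder", "10.4.9"),   # fix is in a future OS release
    ])


def walkthrough() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Lifecycle: reconcile, a vendor fix is announced, the component is updated, reconcile again."""
    reg = sample_registry()
    before = {"Java": "1.5.0_07", "QuickTime": "7.1.3", "Finder": "10.4.8"}
    first = reg.reconcile(before)                        # only the Java patch is retired
    reg.record_vendor_fix("EX-2007-002", "7.1.4")        # vendor ships the QuickTime fix
    still = reg.reconcile(before)                        # 7.1.3 is still vulnerable: nothing retired
    after = dict(before, QuickTime="7.1.4")
    second = reg.reconcile(after)                        # QuickTime now patched by the vendor
    return first, still, second, reg.active()


if __name__ == "__main__":
    print(walkthrough())
```

The one design choice worth noting is the default direction: an entry with an unknown vendor fix version, or a component the agent cannot locate, is left enabled rather than disabled, so a bookkeeping gap never removes a mitigation from a still-vulnerable machine.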
