Starting January 1st: “Month of Apple Bugs”

“A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple’s OS X operating system or in Apple applications that run on top of it,” Brian Krebs, yes, that Brian Krebs, reports for The Washington Post.

“The ‘Month of Apple Bugs’ project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias ‘LMH.’ This is the same researcher who in November ran the ‘Month of Kernel Bugs’ project. LMH’s partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years,” Krebs reports.

Krebs reports, “To the chagrin of some security experts, however, LMH declined to give affected vendors advance notice before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message.”

Krebs reports, “LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security. ‘Right now, many OS X users still think their system is bulletproof, and some people are interested in making it look that way,’ LMH said.”

Full article here.

MacDailyNews Take: Which Mac OS X users think their systems are bulletproof? No one we know. Most of us simply know for a fact that Mac OS X is vastly more secure than Windows. Hopefully, “LMH” finds something of value with which Apple can work and his irresponsible method of posting them before notifying Apple doesn’t cause any damage. Judging from past performances, we’re sure Krebs is fairly drooling over the possibilities, real or imagined.

Related article:
Re: Brian Krebs’ reporting on supposed MacBook Wi-Fi exploit – August 04, 2006

71 Comments

  1. On the last OS security story, Brian Krebs proved to be a hack writer who doesn’t know technology and can’t be bothered with little things like accuracy or research.

    Let’s see how he handles this next piece.

  2. Irresponsible, gutless coward. LMH, have the nuts to use your real name if you’re going to do something that lays open the vulnerabilities for many people, no matter the OS. Your methods are wretched, the means do not justify the ends. Unless the end you’re intending is to cause undue harm to others. To you it may seem a trifle inconvenience, but if a serious problem were to happen to someone’s system due to your irresponsible action it may lead to more than a broken computer system. Sensitive information lies within our computers. Have you ever heard of identity theft? It’s wholly possible through our systems. I’d rather be shot.

    Fucking asshole.

    Now does anyone know how to contact him so I can forward this to him.

  3. If Krebs has any journalistic integrity and competency, he should publish a comparison of Microsoft versus Apple OS exploits, failures, and hazards and quantify them. A rigorous and detailed comparison of Microsoft and Apple should provide the public with more useful information and help people make a truly informed decision.

  4. Hopefully Krebs will have learned from the mistakes he made with the MacBook airport security issue when he failed miserably to check out what he was reporting on…

    Anyway, this kind of activity is pointless. Why don’t they just report the issues they discover to Apple? Or have they something to sell and need the ‘WOW GEE LOOK OSX SECURITY HOLES’ press…

    And by the way, look at the fscking inane comments from WinTrolls on that blog…

  5. LMH, like so many others in the security business, feel they have the right to force companies to fix bugs by exposing them without notice, putting the rest of the public at risk.

    Whether they like it or not, bugs happen and private companies should be given the chance to fix them in their own time. I’m a software engineer and I know it can take some time to do a fix correctly, not just a bodge job (Microsoft take note).

    LMH may be a great programmer and thinks he knows everything but the fact is he has no idea what it will really take to fix the bug. Any idiot can find a bug, fixing it without any knock-ons is the real business (Microsoft take note).

    Apple is one of those companies that does not communicate their security status unless they have to. The fact that LMH may not get a response in the time he expects doesn’t mean Apple haven’t taken on board what he has said and that they are not working on a fix. I suppose he feels rejected when he sees that empty mail box.

    For God’s sake, if you’re gonna contribute do so, don’t demand! Otherwise go get a real job!

    Rant over… Sorry. : )

    p.s. I also hate the fact that they rate companies based on how quickly it takes to fix bugs. It takes as long as it takes!

  6. If all these reported security holes are plugged with 10.5, what then? Apple sells more copies of Leopard. When Microsoft’s Vista suffers zero-day exploits this will be dismissed as Windows functioning normally and as expected. People generally expect more from Apple and less from Microsoft. Same ol’ dance.

  7. ‘LMH’s irresponsibility is actually supported by Microcrap to slow down Apple

    How much you being paid, BOY ??!! Too ashamed of using your own name, BOY ??!!

    What, nothing to say, BOY ??!!

    I guess MS weasels (no offense to the weasel genre) are beginning to come out from under their rocks

  8. meatofmoose beat me to it. I don’t think 10.5 will be bullet proof, but my guess is that most if not all of LMH bugs will be fixed. Leopard will have its own set of problems. I think Leopard will be ready for WWDC rendering LMH’s “discoveries” moot.

  9. My buddy with a G5 iMac doesn’t think his is bulletproof after 10.4.8 fried the contents of his hard drive. “This is why I moved away from windows” is what he said.

    Had to bring the drive over to me so that I could re-partition it. It wouldn’t even mount in diskutility on my G5 PowerMac, but did against MacBook. Diskwarrior couldn’t see it either.

  10. >”I’m starting something similar, “the Decade of Win Bugs” I hope I can get to all of them, that’s not a lot of time!

    Decade? Ha, you mean millennium!

    I don’t care if they have a “year of bugs” report on Mac OSX. I still don’t have any malware on my Mac, regardless of how much they report that Macs are virus prone or have holes etc. The facts remain the same…. I am and have always been virus free.

  11. So far all the reports are pretty imaginative little fantasies. Oh they sound real at first and then the truth comes out that the person locally logged in with an account. Apple is very good on staying on top of any security issues despite what others may think. Many times the others think of little petty things that really don’t affect the vast majority as being a big deal. Then they spread the FUD like some major Windows virus hit yet alls it turns out to be is someone’s theory.
