Apple to get a month of security bugs

Independent security researchers to post Apple bug reports

Apple will soon be a member of the "month of bugs" club.

On January 1, two security researchers will begin publishing details of a flood of security vulnerabilities in Apple's products. Their plan was to disclose one bug per day for the entire month, they said.

The project is being launched by an independent security researcher, Kevin Finisterre, and a hacker known as LMH, who declined to reveal his identity.

Some of the bugs "might represent a significant risk", LMH said in an email interview. "Others have a lower impact on security. We are trying to develop working exploits for every issue we find."

The two hackers plan to disclose bugs in the Mac OS X kernel as well as in software such as Safari, iTunes, iPhoto and QuickTime, LMH said. Some of the bugs would also affect versions of Apple's software designed to run on Microsoft's Windows operating system, he said.

LMH was one of the brains behind the recent Month of Kernel Bugs project, which exposed flaws at the core of several different operating systems. It was inspired by an earlier effort, called the Month of Browser Bugs, which was kicked off in July.

This latest Apple project was being launched to raise awareness of security vulnerabilities in Apple's products and to stomp smugness, Finisterre said via email.

While the Macintosh is generally considered to be more secure than the Windows PC, many security researchers believe that this reputation is not attributable to any superior security practices on the part of Apple. They say attackers have been deterred by Mac OS X's more secure Unix kernel and the product's less widespread adoption.

Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple's wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorised code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple community's negative response to Maynor and Ellch's claims played a role in the decision to launch the Month of Apple bugs.

"I was shocked with the reaction of some so-called Apple fans," he said. "I can't understand why some people react badly to disclosure of issues in their system of choice. ... That helps to improve its security."

A similar effort to disclose flaws in Oracle's software had to be abandoned before it was ever launched last month. The man behind the Week of Oracle bugs, Cesar Cerrudo, of Argeniss Information Security, said he pulled the plug when it became clear that the project could damage the relationship between one of his customers and Oracle. "This customer realised that they could have had serious business problems, so they changed their mind and asked to cancel it," he said.

LMH said he didn't expect any legal problems from Apple. "I keep talking to a guy from the Apple security team and I'm willing to help whenever necessary," he said. "I'm far away from any illegal activity."

Apple, for its part, did not seem to be upset with the project. "We always welcome feedback on how to improve security on the Mac," an Apple spokesperson, Anuj Nayar, said.


Robert McMillan

IDG News Service