'Month of Apple Bugs' turns up 10 flaws so far

Kevin Finisterre and 'LMH' uncover 10 Apple flaws as part of their security campaign

A month-long campaign by two independent security researchers to disclose security flaws in Apple's products has so far resulted in 10 vulnerabilities being publicly disclosed -- and several more on the verge of being announced. Exploit information has also been published, along with proof-of-concept code detailing how to take advantage of the flaws, several of which the researchers described as remotely exploitable.

The disclosures are part of a Month of Apple Bugs (MoAB) effort launched on Jan. 1 by independent security researcher Kevin Finisterre and another researcher identified only by the initials LMH.

The goal of the effort, identical in nature to the Month of Kernel Bugs and Month of Browser Bugs campaigns in 2006, is to raise public awareness of security issues in Apple's products, according to Finisterre. "[Apple's] creating commercials claiming to be secure and the user base feels like they are wearing a suit of armor," Finisterre said via e-mail. In reality, "there's NO lack of bugs on OSX from both an application and platform standpoint."

Finisterre said that while only 10 flaws have been publicly disclosed so far, he "has lost count" of the number of vulnerabilities that have been discovered as part of the MoAB effort. "Finding an abundance of bugs has been no problem at all, [but] not all of them are easily exploitable."

According to Finisterre, several of the vulnerabilities stem from Apple's inadequate documentation for various Application Programming Interfaces (APIs) related to functions commonly used for displaying error messages. "Several developers are misusing the functions and that is leading to potentially exploitable situations," Finisterre said.

Dave Marcus, security researcher and communications manager for McAfee Avert Labs, said that the effort to find Apple bugs appears to be succeeding in raising awareness of security issues on the platform.

But so far, at least, none of the disclosed vulnerabilities appear to be "showstoppers," Marcus said. In fact, the only flaws that appear to be "interesting" are one affecting QuickTime that allows arbitrary code execution and an Adobe PDF flaw that affects multiple operating environments, including Mac OS X, he said. "They are interesting because they affect products that are commonly and widely used," Marcus said.

The decision by Finisterre and LMH to publicly disclose flaws before giving Apple a chance to address them has raised the risk for users, Marcus said. But the efforts by an ex-Apple engineer named Landon Fuller to issue fixes for each of the flaws being disclosed is mitigating some of that risk, he said.

Fuller did not immediately respond to a request for comment. But his fixes and workarounds for the flaws are posted at landonf.bikemonkey.org/.

Apple itself has not released any patches for the flaws and did not discuss how it would respond to the disclosures. In a brief e-mailed statement, a spokesman for the company said that Apple "has a great track record of addressing potential security vulnerabilities before they can affect users," but did not offer any elaboration.

The statement also noted that Apple welcomes feedback on improving security for the Mac platform.

Efforts such as the Month of Apple Bugs initiative can be useful in raising awareness of security problems with platforms such as Mac OS X, said Charles King, an analyst with Pund-IT consultancy.

"Apple has historically had fewer problems with security breaches than the Wintel platform," with some security experts saying that's at least partially true because it has a much smaller user base, King said. A concerted effort to find flaws in its software could push Apple to pay more attention to security -- much as Microsoft has been forced to do, he said.

At the same time, care needs to be taken that such efforts don't end up unnecessarily exposing users to risk, King said. "There's a fine line between public service and a publicity stunt."

Jaikumar Vijayan

Computerworld