Quantcast

January is MoAB (Month of Apple Bugs)

syadasti

i heart mac
Apr 15, 2002
12,690
290
VT
MoAB website

This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third-party applications designed for this operating system. A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple. Also, we want to develop and provide tools and documented techniques to aid security research in this platform. If nothing else, we had fun working on it and hope people-with-a-brain out there will enjoy the results.
So far...
Jan 1st - Quicktime
Jan 2nd - VLC

Article on the MoXB phenomenon

PC World said:
Apple Bug-Hunt Begins
Security researchers plan to publish daily bug reports in January.
Robert McMillan, IDG News Service
Wednesday, December 20, 2006 07:00 AM PST

Apple Computer will soon be a member of the "month of bugs" club.
A Bug a Day

On January 1, two security researchers will begin publishing details of a flood of security vulnerabilities in Apple's products. Their plan is to disclose one bug per day for the entire month, they say.

The project is being launched by an independent security researcher, Kevin Finisterre, and a hacker known as LMH, who declined to reveal his identity.

Some of the bugs "might represent a significant risk," LMH said in an e-mail interview. "Others have a lower impact on security. We are trying to develop working exploits for every issue we find."

The two hackers plan to disclose bugs in the Mac OS X kernel as well as in software such as Safari, iTunes, iPhoto, and QuickTime, LMH said. Some of the bugs will also affect versions of Apple's software designed to run on Microsoft Windows, he added.

LMH was one of the brains behind the recent Month of Kernel Bugs project, which exposed flaws at the core of several different operating systems. It was inspired by an earlier effort, called the Month of Browser Bugs, which was kicked off in July.

This latest Apple project is being launched to raise awareness of security vulnerabilities in Apple's products and to "stomp smugness," Finisterre said via e-mail.
Security Questioned

While the Macintosh is generally considered to be more secure than the Windows PC, many security researchers believe that this reputation is not attributable to any superior security practices on the part of Apple. They say attackers have been deterred by the Mac OS X's more secure Unix kernel and the product's less widespread adoption.

Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apple's wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple community's negative response to Maynor and Ellch's claims played a role in the decision to launch the Month of Apple bugs.

"I was shocked with the reaction of some so-called 'Apple fans,'" he said. "I can't understand why some people react badly to disclosure of issues in their system of choice. ... That helps to improve its security."
Bug-Hunt Responses

A similar effort to disclose flaws in Oracle's software had to be abandoned before it was ever launched in November. The man behind the Week of Oracle bugs, Cesar Cerrudo, of Argeniss Information Security, said he pulled the plug when it became clear that the project could damage the relationship between one of his customers and Oracle. "This customer realized that they could have had serious business problems, so they changed their mind and asked to cancel it," he said via instant message on Tuesday.

LMH said he didn't expect any legal problems from Apple. "I keep talking to a guy from the Apple security team and I'm willing to help whenever necessary," he said. "I'm far away from any illegal activity."

Apple, for its part, did not seem to be upset with the project.

"We always welcome feedback on how to improve security on the Mac," said Anuj Nayar, an Apple spokesperson.
 

syadasti

i heart mac
Apr 15, 2002
12,690
290
VT
Sorry, I need to stay better informed regarding the most POS OS out there.

OK, so explain the dates to me on those many hundreds of patches.

Learn me biatch.
The last iMac Core Duo Mactel I setup had more megabytes of patches to download than the new PCs I've setup...
 

Ciaran

Fear my banana
Apr 5, 2004
9,841
19
So Cal
Sorry, I need to stay better informed regarding the most POS OS out there.

OK, so explain the dates to me on those many hundreds of patches.

Learn me biatch.
You're BOTH morons.

Stinky, Windows is a solid OS, IF... (and here is the BIG frikkin IF) you know how to set it up correctly. Windows is just not a beginners OS, the way the Apple OS is. Sadly, Microsoft would have you think otherwise.

Windows REQUIRES mucho config before you use it. Which is why the Win PC's of folks like Sydasti, B.V. and myself all work... without issues. Hell the only thing to crash on me in the last month was Vista and that was due to a flub on my part, and the iPod.

They are both computers... they both do the same thing... they both download porn and make their users look like idiots. The stupid mac vs. apple virus thing has been beaten to death. Let it go.

:plthumbsdown:
 

syadasti

i heart mac
Apr 15, 2002
12,690
290
VT
So 3 months of MS patches weighs less than 6 years of Apple patches.

It's becoming clear now!
Actually if you sort by date about 550 of around 600 results are dated from WinSP2 time period onward.

For the end user their brand new 10.4.X vs. WinXP SP2 is a fair comparison and there are more MB of patches necessary for the new OSX machine.

That is reality since I support both platforms in the real world fanboy.
 

Ciaran

Fear my banana
Apr 5, 2004
9,841
19
So Cal
So, ease of use is for beginners? And all of this time, I thought a buggy and poor facimile of the Mac OS was NOT the way to go...

Thanks C!
You don't listen do you?

Try reading my post again and see if you can understand it.

Let me try it this way: You buy a new bike... new DH sled... Top of the line... you ride it out of the box without adjusting the seat height, suspension, or putting air in the tires. And it comes with every accessory you could imagine ALREADY INSTALLED. You go ride it and it sucks.. heavy, won't turn and just sucks. Is it the fault of the bike? Or did you not configure it correctly?

Or simply put: New fork + no adjustment for rider weight and riding style = bad ride.

Now do you get it?

Yes it's Microsofts fault. No I don't like it, and I think they should offer a more stripped down user friendly version of the OS. But that doesn't mean that it doesn't work.
 

stinkyboy

Plastic Santa
Jan 6, 2005
15,187
1
¡Phoenix!
You don't listen do you?

Try reading my post again and see if you can understand it.

Let me try it this way: You buy a new bike... new DH sled... Top of the line... you ride it out of the box without adjusting the seat height, suspension, or putting air in the tires. And it comes with every accessory you could imagine ALREADY INSTALLED. You go ride it and it sucks.. heavy, won't turn and just sucks. Is it the fault of the bike? Or did you not configure it correctly?

Or simply put: New fork + no adjustment for rider weight and riding style = bad ride.

Now do you get it?

Yes it's Microsofts fault. No I don't like it, and I think they should offer a more stripped down user friendly version of the OS. But that doesn't mean that it doesn't work.
Dude, settle down.

If I was hungover and angry, I'd dance with ya some more, but that's the old me.

:brows:
 

Reactor

Turbo Monkey
Apr 5, 2005
3,976
1
Chandler, AZ, USA
What's funny is that Microsoft released eight security related patches on December 12th alone.

A total of 78 last year, that's a pace of one every two and a half working days. Of those 71 were rated Critical or Important.

They've released 133 in the last two years, Average of a security bug every three days and 119 of them were rated Critical or Important.

A total of 229 patches in the last four years, or about one every four working days. Of those patches 202 were rated Critical or Important.



Obviously the trend is going up. You could blame it on the ever increasing number of lines of code Microsoft maintains. You could blame it on ever degrading programming staff as the old guard retires and is replaced by people using 3 and 4 GLs. Or something tottaly different. There is no proof of cause and effect either way. What you can't blame it on is market share. Microsoft has a near monolopy on home, business and server os's, and office automation software. They have huge presence in other areas like SQL server software.

Microsoft has a huge code base compared to Apple. I'd wager they both have similar error rates in code. The problem, as was mentioned earlier, is Microsoft's plan of war is to try to bundle as much stuff together to lock you into their products. And they spend a lot of time and effort putting hooks and handles in their code to allow their products to work together well. All of that translates into an OS that has more lines of code and more points of failure. The OS isn't as secure, in large part, because of the huge amount of code.

Unix (the mac OS is BSD UNIX at it's core) and windows have a different design philosophy. In Unix everything is a file, and all programs stand (for the most part) alone. Windows throws everything into a code quesinart end pours out DLL's. The result is a patch for Apple is likely to be a lot bigger than a patch for windows, which may involve a few DLL's. Both approaches have pros and cons. The unix approach is less likely to have one problem cripple or endanger a system. But it's harder on lower level users, programs don't always work together seemsly. The windows approach can be more efficient, and allow programs to work together much more easily and seamlessly for the user. But it can allow viruses and malware to work easier too.

Yes I can believe a mac downloads a large byte total of patches than a winXP sp2 machine. It's by design.

Is Microsoft or Apple evil? No. Are they Different? Yes. Should you be aware of the differences. Yes. Does it mean windows is a bad OS. No really, it just means you have to be aware of the potential problems and protect yourself.


(can you tell I'm bored?)
 

syadasti

i heart mac
Apr 15, 2002
12,690
290
VT
What's funny is that Microsoft released eight security related patches on December 12th alone.
Yes Microsoft tends to release CVE's individually every month on Tuesdays. Apple is usually every few months in a bundle of CVE's.

To repeat the same for Apple:

What's funny is that Apple released 1 security related CVE patches in Dec., 31 in Nov., 15 in Sept., and 31 in Aug. for an average of about 16 CVE's per month.

Their CVE rate really isn't much different than Microsoft.

Is Microsoft or Apple evil? No. Are they Different? Yes. Should you be aware of the differences. Yes. Does it mean windows is a bad OS. No really, it just means you have to be aware of the potential problems and protect yourself.
Yes, this is the point of MoAB or any other MoXB month.