Month of Apple Bugs (MOAB)
Dave Schroeder
das at doit.wisc.edu
Tue Jan 2 16:42:16 PST 2007
On Jan 2, 2007, at 6:28 PM, Robert La Ferla wrote:
> Looks like we will get a bunch of bugs this month and hopefully
> fixes by Apple...
>
> http://projects.info-pull.com/moab
Yeah, and the second bug is a vulnerability in VLC, which also
affects the Windows version (and probably other versions) of VLC as
well...
And yes, these will be fixed by Apple.
We've seen plenty of similar types of vulnerabilities, with exploits,
for Mac OS X to date, and then Apple fixes them fairly quickly. I
don't think this is really anything new.
Also, I take issue with this use of "from remote" in security
nomenclature in general. There is a HUGE difference between a worm
that spreads and/or owns machines completely remotely and externally,
with no user interaction of any kind, and someone having to visit a
malicious web site (and yes, I know there is precedent for inserting
something into, say, advertising on popular sites). As we sit here
and talk about this "doozie", dozens (hundreds?) of affected Windows
machines at my location alone are being cleaned up from the latest
completely remote and automated worm that affected, of all things,
Symantec AntiVirus.
There is a project that is providing runtime patching for each of
these issues, run by a Darwin developer and former Apple BSD
Technology Group engineer, with source provided:
http://slashdot.org/article.pl?sid=07/01/02/2058239
My concerns with MOAB in general are summed up here:
http://www.securityfocus.com/archive/142/455673/30/0/threaded
and
http://www.securityfocus.com/archive/142/455700/30/0/threaded
In general, the treatment this will get in the press - just as it did
in this blog - is going to be remarkably sensationalistic. Mac OS X
has always had, and will always have, bugs, some of which will provide
vulnerability channels that will be exploitable. No reasonable person
ever said Mac OS X was invulnerable. Show me a vulnerability in, say,
mDNSResponder that really is totally remotely exploitable WITHOUT
user interaction, and then I'll be worried. I'm not saying a
vulnerability that could affect someone simply by visiting a web site
isn't severe. But we've already had that exact sort of issue
countless times on Mac OS X, so I fail to see how this is any
different. It's just another bug that is unpatched, that will end up
being patched, like all the others. The only difference is the way
people are choosing to disclose it, which is admittedly a large
difference. I know one of the people running MOAB, but I just
disagree with how they're doing it. It's as if they're more concerned
with somehow "proving" that Mac OS X is insecure and shutting up
"fanboys" than they are with legitimate Mac OS X security.
On the other hand, Apple does need to really increase resources that
it devotes to security response, or else it could find itself in the
same position Microsoft was five years ago.
- Dave
More information about the MacOSX-talk mailing list