Why isn't Apple releasing patches for the Month of Apple Bug exploits???

hexstar

Why is it that there has still been just one patch released from Apple (the one that fixed the QuickTime exploit) to address just one of the many Month of Apple Bugs? These bugs need to be fixed and I really hope that Apple is actively working on patches for all of the exploits related to Mac OS X that the MOAB team found...is it because they're putting all their programmers' energy into 10.5? If that's true they really should take a few of the programmers and assign them to making patches for these exploits...what are the chances of these exploits being fixed in 10.5? c'mon Apple...get on it already! :(
 
I haven't been following MoAB closely, but I've read over a few, and they all seem to fall into one or more of these categories:

A) Requires local access to the machine.

B) Does nothing but cause an app to unexpectedly quit.

C) Can allow for "arbitrary code execution" in theory, but nobody seems to know how to exploit this in practice. ("Arbitrary" does not mean "predictable" or "controllable".)

D) Requires at least the deployment of a trojan to exploit. Trojans will always be possible to make on any system, period. Deploying them is the only hard part, and I've seen nothing on MoAB to make this any easier.

E) Is not a bug in any of Apple's software, but rather third-party programs. (Why are these in the Month of Apple Bugs to begin with? Could he not fill 30 days with actual Apple bugs even with his low standards?)


None of them seem to be especially dangerous, so none of them demand Apple's immediate attention. Mostly they're just extra-geeky ways to crash programs, with some dangerous-sounding terms like "denial of service" (i.e., a crash) and "potential arbitrary code execution" (which could, and probably does, just mean something completely unpredictable, which would probably manifest itself in an application crash and nothing more).

IMO, it's just insubstantial fear-mongering. It's cute and clever, but really, it makes me feel better about OS X's security, not worse. If these are the worst a dedicated geek can come up with, then hot damn, we're in good shape!



But again, I have not read every entry closely. Is there any one in particular you think deserves immediate attention?
 
yes, I really think Apple should get out patches to fix the Mac OS X exploits that can corrupt memory and possibly cause data loss as well as those that cause privilege escalation and thus result in a root shell...there is at least one exploit for each of those cases with public proof of concept exploit code published for each thanks to the Month of Apple Bugs team...the fact that such exploits are out there is dangerous and IMO they are important to fix...as Apple users could be tricked into running malicious files that utilize those exploits in the same ways Windows users are (minus the ability to install the exploits with ActiveX, thank god), such as spam saying the download is something it's not so it looks appealing to people and they unsuspectingly download and run the malicious file, causing havoc on their poor Mac...surely I can't be the only one worried about this? :(
 
This has been a concern for me as well. One of the podcasts that I listen to is called PaulDotCom Security Weekly and they do talk about Apple's delay in patching. They have said that Apple sometimes takes longer than Microsoft with its updates when the exploit has already been found. Granted, Microsoft Windows is exploited at a fairly alarming rate compared to Mac OS X, but it's still important to make sure that you patch the operating system of your customers in a fairly short amount of time. Linux is quite popular as well and has enough exploits, but these are patched within a day or two if not within a few hours.

For the record, Paul and Larry (two of the guys in the podcast) are proud Mac owners and love their Macs, but they don't like the irresponsibility that Apple is showing in regards to security. I honestly have to say that I feel the same way as they do.
 
The MoAB has started on the wrong foot. They chose bugs one could ridicule (like the VLC bug) and chose to be k1ddi3 about critics. But the outcome is what we all have to accept: Apple's not somehow inherently safe with OS X. I, too, hope that Apple answers more quickly in the future.
 
i have to go with mikuro on this one. all the ones i bothered to look at were 3rd party issues, not even apple issues, except for the qt one, which also affects windows, not just the mac, and apple did do something. as for proof of concept, until it starts happening in the real world, not just forced in the lab, i see no reason why apple should waste its time addressing these issues as they are still theories. and because so few people spend time writing malware for macs, they are going to stay theories.

i also feel that if someone is stupid enough to just open whatever is sent to them in their email, or download whatever without researching first, they deserve whatever they infect themselves with. i know it sounds mean, but i believe in the school of Fort Knox.
 
then you didn't read them all. the ones giving root permissions to normal users kinda _do_ freak me out a little. apple ignoring these issues freaks me out even more.
 
Security through obscurity only works for so long, as we've seen with Oracle and some other companies that decide to rely solely on that. MoAB was primarily done to bring awareness of possible vulnerabilities in Mac OS X. This was done during the Month of Kernel Bugs and the devs for Linux and other open source operating systems took them into consideration. Especially with the QuickTime vuln, Apple claimed to be able to patch QuickTime much faster because it has fewer dependencies and is less complicated than OS X, for example. Mind you, it took them 30 DAYS to finally put out the patch. If this is how long it took for something "simple" as QuickTime to be patched, imagine how much longer it would take to patch anything that might be affected in OS X. Apple needs to do some better work when it comes to releasing patches for OS X.
 
Apple did release a Security Update on January 23rd for the QuickTime exploit. If you want a detailed description of the hacker daily exploits take a look at this article.

I want to make it clear MOAB is just a bunch of hackers that want mad props for breaking the Mac so they could become "cool" in the hacker community and get a lot of press. IMHO they were never interested in helping the Mac, they just want to "show up" Mac security.
 
Denial really doesn't help. I'm not saying we should be panicking or anything, but the MoAB's bugs weren't _all_ old/QT/VLC bugs. And it's not about the specific bugs either. MoAB _has_ shown that Apple's been neglecting some very basic things. The quite reputable heise.de said that Apple itself isn't taking OS X so seriously as a multi-user operating system, judging by what at least one of the bugs in MoAB has shown. A bug open and known for about a _year_ no less.

Again: Denial doesn't help.
 