Got a tip for us? Share it...

Month Of Apple Bugs: January 2007 [Updated]

Picking off where the Month of Kernel Bugs left off, security researcher "LMH" and his team is reportedly set to launch another month-long security-hole finding project, this time targeting only Apple's products. According to the Washington Post, the Month of Apple Bugs will be January 2007, where each day will feature a previously undocumented security hole in Apple's OS X operating system or in Apple applications that run on top of it.

LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.


For the Month of Kernel Bugs, software vendors were not given prior warning before vulnerabilities were released, a practice that has ruffled a few feathers in the industry. According to the Post, the Month of Apple Bugs will run similarly, as Apple will not be given advance notice of the bugs.

It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle's software announced his intention to launch a "Week of Oracle Database Bugs" project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.


You can read MacRumors' interview with LMH regarding the Month of Kernel bugs here.

Update: IDG/MacWorld provides additional information.

Apple enthusiasts and security researchers have been at odds since last August, when David Maynor and Jon Ellch claimed to have discovered a flaw that affected Apples wireless device drivers. They played a video at the Black Hat conference demonstrating how this flaw could be used to run unauthorized code on a MacBook. However, their claims have been slammed because the demonstration used a third-party wireless card rather than the one that ships with the MacBook, and because the two hackers still have not published the code used in their attack.

LMH said the Apple communitys negative response to Maynor and Ellchs claims played a role in the decision to launch the Month of Apple bugs.

I was shocked with the reaction of some so-called Apple fans, he said. I cant understand why some people react badly to disclosure of issues in their system of choice. That helps to improve its security."



However, Apple doesn't seem to mind the effort. An Apple spokesman simply replied "We always welcome feedback on how to improve security on the Mac."

Top Rated Comments

(View all)

67 months ago
Guess January isn't going to be all fun and games for Apple...
Rating: 0 Positives / 0 Negatives
67 months ago
Well, as long as it improves OS X security I'm all for it.
Rating: 0 Positives / 0 Negatives
67 months ago
For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.
Rating: 0 Positives / 0 Negatives
67 months ago
Good. Better he do it now while Apple is focused on his bugs and ready to release patches as soon as possible.

Is it fair to focus only on Apple bugs? Not really.
Rating: 0 Positives / 0 Negatives
67 months ago
Hopefully the Jan release of Leopard will put a wrench in his gears. :cool:
Rating: 0 Positives / 0 Negatives
67 months ago
Gets more press. If he focused on Windows bugs, he'd be one of 10k guys pointing out tens of thousands of bugs. He'll find 30 bugs (maybe) and post them one day at a time. It's more media whoring than anything else unfotunately.

Is it fair to focus only on Apple bugs? Not really.

Rating: 0 Positives / 0 Negatives
67 months ago

For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.


The problem about that is that as long as the issue isn't publically disclosed, companies like Apple take their good old time patching them. Earlier this year, a guy was complaining that some issues that he found hadn't been addressed 6 months after he had reported it to Apple, so he finally released it to the public. If I recall, he ended up retracting the information and then the next Apple security update fixed the issue :rolleyes:

Hopefully the Jan release of Leopard will put a wrench in his gears. :cool:


Keep dreaming.
Rating: 0 Positives / 0 Negatives
67 months ago
Does this guy really think he's doing a service? He is not. Maybe a service to criminals.
Rating: 0 Positives / 0 Negatives
67 months ago

For 'security researcher' read 'publicity seeking idiot who doesn't really give a damn about other people's security'. If he was that concerned about improving security he'd disclose after bugs were fixed.


Perhaps one of the reasons why these guys/gals are doing it this way is to attract Apple's attention and get them to interact/become part of Apple team. Without good arguments, that is, only with idle threats, Apple will never pay attention to them. If, however, some of these "bugs" turn out to be serious, Apple will have to pay attention.
I agree that this is a blatant way of publicity seeking, but nowadays it is the only way to sell a product. And in this case it is a perfectly legal way!
Rating: 0 Positives / 0 Negatives
67 months ago
like many said before, if he really cared he would just send it to apple...
Rating: 0 Positives / 0 Negatives

[ Read All Comments ]