Author Topic: Month of Apple bugs  (Read 3047 times)

Offline krissel

Month of Apple bugs
« on: January 05, 2007, 06:50:44 AM »
Gunug's earlier thread disappeared so here is an update.

http://isc.sans.org/diary.php?storyid=1993

http://projects.info-pull.com/moab/


Aside from the first 'bug', the others so far look like something pretty obscure.


A Techsurvivors founder

Offline Xairbusdriver

Month of Apple bugs
« Reply #1 on: January 05, 2007, 02:22:29 PM »
What disturbs me is not that the 'bugs' are obscure, that's usually the case, anyway. What bothers me is that these 'experts' also create and publish code that can make use of the vulnerabilities. That puts almost every OSX user at risk until a fix is posted. Fortunately, a programmer <Landon Fuller> who used to work for Apple has been able to create patches for each bug, so far. Amazingly, he doesn't get any advance alert about what each new, daily bug will be and yet he has been able to create a fix within hours. I wonder how long it took the 'experts' to find and create their list? Is it perhaps easier to fix Unix bugs because the core is more secure to begin with?

Of course, the 'experts' claim they are getting no 'reward' from their effort. I suspect they would get even less 'reward' if they simply stated/explained the bugs and didn't also create a way to access/use them. Their only claim of credulity, to me, is that their method forces the developer(s) to take them seriously, sooner. In my view, that also means the developer(s) have to work on fixes that haven't even become live problems, instead of creating other improvements. Oh well, hope they enjoy their 15 minutes/seconds...
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes:

Offline gunug

Month of Apple bugs
« Reply #2 on: January 05, 2007, 02:41:33 PM »
Thanks Krissel!  I was thinking of following this up but I've been busy elsewhere!

XABD - Wow!  You said what I was going to say; but much better!
"If there really is no beer in heaven then maybe at least the
computers will work all of the time!"

Offline Gregg

Month of Apple bugs
« Reply #3 on: January 06, 2007, 03:16:51 PM »
Sounds like the fox watching the hen house.
Ya gotta applaud those bunnies for sacrificing their hearing just so some guy in Cupertino can have better TV reception.

Offline krissel

Month of Apple bugs
« Reply #4 on: January 08, 2007, 07:01:51 AM »
The latest 'bug' is in OmniWeb which is supposed to be a "Mac browser". At the end of the exploit they mention that Safari is not affected. So how is this Apple's fault?

http://projects.info-pull.com/moab/MOAB-07-01-2007.html

Note that their workaround is to await an update to Omniweb or download Firefox.

What's the matter with Safari if it's unaffected?


A Techsurvivors founder

Offline gunug

Month of Apple bugs
« Reply #5 on: January 08, 2007, 03:15:07 PM »
Switching to Firefox is the solution to some abnormalities in page formatting through our Portal into the Groupwise Webmail system. I personally do very little with Safari; mostly just touching it if I'm working on someone else's MAC! I've only ever seen Omniweb in the wild once and I think it was a much older version than the current version 5! I couldn't see using a piece of software that I'm paying for over a free one (Safari or Firefox) unless there was some significant benefit; I don't think I really accept this as a big time MAC bug unless there are many more people out there using Omniweb!
"If there really is no beer in heaven then maybe at least the
computers will work all of the time!"

Offline tacit

Month of Apple bugs
« Reply #6 on: January 08, 2007, 03:24:33 PM »
QUOTE(krissel @ Jan 8 2007, 01:01 PM)
The latest 'bug' is in OmniWeb which is supposed to be a "Mac browser". At the end of the exploit they mention that Safari is not affected. So how is this Apple's fault?


It's not.

The Month of Apple Bugs is not intended to find problems that are "Apple's fault." The project is aimed at finding potentially exploitable bugs in Mac OS X or in Mac OS X applications. OmniWeb is a Mac OS X application; the project does not claim to find only problems specific to Apple-created software.
A whole lot about me: www.xeromag.com/franklin.html

Offline bil207

Month of Apple bugs
« Reply #7 on: January 08, 2007, 04:00:09 PM »
"OmniWeb is affected by a format string vulnerability in the handling of Javascript alert() function, which could allow remote arbitrary code execution."

OmniWeb 5.5.2 fixes this.

"OmniWeb 5.5.2 changes"

"Updated French, Swedish, Italian and German localizations.
Security issue addressed: JavaScript Alert() format string vulnerability".
« Last Edit: January 08, 2007, 04:01:54 PM by bil207 »
Bill
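
The bug class named in the advisory quoted above, as an added example that is not part of the original post and is not OmniWeb's code: page-supplied text used as a printf-style format string, next to the hardened form that passes it only as data. `show_alert`, `alert_unsafe`, `alert_safe` and `interpreted_as_format` are hypothetical names, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a dialog routine that takes a printf-style
 * format plus arguments, the API shape that makes this bug class possible. */
static void show_alert(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: page-supplied text is used as the format itself. */
void alert_unsafe(char *out, size_t n, const char *page_text)
{
    show_alert(out, n, page_text);
}

/* Hardened pattern: constant format, page text passed only as data. */
void alert_safe(char *out, size_t n, const char *page_text)
{
    show_alert(out, n, "%s", page_text);
}

/* Returns 1 if the two paths render the text differently, i.e. the
 * unsafe path interpreted the text as formatting directives. */
int interpreted_as_format(const char *page_text)
{
    char a[128], b[128];
    alert_unsafe(a, sizeof a, page_text);
    alert_safe(b, sizeof b, page_text);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed sample: "%%" consumes no arguments, so it is well defined. */
    const char *sample = "Sale: 100%% off";
    char buf[128];
    alert_safe(buf, sizeof buf, sample);
    printf("safe:   %s\n", buf);
    alert_unsafe(buf, sizeof buf, sample);
    printf("unsafe: %s\n", buf);
    return 0;
}
```

When a wrapper like `show_alert` is declared with GCC/Clang's `__attribute__((format(printf, 3, 4)))`, building with `-Wformat -Wformat-security` flags the `alert_unsafe` call at compile time.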

Offline Xairbusdriver

Month of Apple bugs
« Reply #8 on: January 08, 2007, 05:39:49 PM »
I think the following quote speaks volumes about the motives of these 'researchers'. I've never known of "hate" being an important attitude in scientific study.

QUOTE(Wired News @ 07:45 AM Jan, 08, 2007)
Jacob Appelbaum, who presented a flaw in Apple's File Vault encryption at the 23C3 conference in December, says he was motivated by anger. "Apple doesn't just treat security researchers poorly, they lie to their users," he asserts, revealing a depth of animosity toward the company's security policies many researchers have echoed in recent months.
« Last Edit: January 08, 2007, 05:42:08 PM by Xairbusdriver »
THERE ARE TWO TYPES OF COUNTRIES
Those that use metric = #1 Measurement system
And the United States = The Banana system
CAUTION! Childhood vaccinations cause adults! :yes: