Month of Apple Bugs update

I continue to disapprove of the disclosure practices of the people running the Month of Apple Bugs (to be clear, I disapprove of how the vulnerabilities are being disclosed, not the fact that disclosure is taking place).

Reading the transcript of the discussion between "LMH" (who has been making the disclosures) and Landon Fuller (who has been providing fixes) is quite interesting.

Fuller: I’d like to coordinate on fix releases, but my concern (feel free to laugh at me) is an appearance of collusion – I think a lot is gained by having you demonstrate that the vulnerabilities exist, are real, and exploitable, and having me separately demonstrate that they’re easily fixable.

LMH: Sounds like your trouble is appearing like if I’m not as evil as zealots want to say, right?

Talk about miscommunication. Fuller raises a valid concern, and LMH responds in a totally paranoid/bipolar fashion. That transcript segment reads to me like this:

Fuller: I’m worried that it might rain.

LMH: Sounds like your trouble is appearing like I’m not as evil as [the] zealots want to say, right?

So in the end it looks like there’s not going to be any collaboration and the truth is I think there probably shouldn’t be. What’s to be gained by giving the "moabfixes" team a few hours of head start? What should really be happening is that the vendors should be given a reasonable notification (30 days, I’d say, as I previously suggested). Giving a bunch of enthusiasts a few extra hours to prepare their "fixes" (really, "fixing" this stuff with APE is like using a radio-controlled robot to stick a band-aid on the arm of a running child) does little to shield users, and it’s really the possible harm to users which concerns me, not Apple’s wounded pride.

Don’t get me wrong, I think the "moabfixes" team is doing a wonderful job and I’m glad they’re doing it. But collaborating with a grey hat who’s doing everything he possibly can to generate scandal and publicity at any cost is of dubious value.

Ah well, one thing is for sure, LMH is raising a lot of awareness. I wonder how long before I’ll have to stop recommending to inexpert users like my parents that they move from Windows to Apple because "they won’t have to worry about viruses any more".

Facts and beliefs
  • Fact: All software has vulnerabilities.
  • Fact: Mac OS X is no exception.
  • Fact: Mac OS X has fewer known vulnerabilities than Windows.
  • Fact: Mac OS X has fewer known exploits/viruses/worms in the wild than Windows.
  • Belief: Mac OS X is more secure than Windows.
  • Belief: This may be partly because there are fewer vulnerabilities to exploit.
  • Fact: It is also because there are fewer users and Windows is therefore a more attractive target.
  • Fact: Mac OS X users haven’t had to worry about viruses.
  • Belief: At some point in the future, Mac OS X users will have to start worrying about viruses.
  • Belief: Sad but true; it was inevitable that it would happen sooner or later. Given that there is no such thing as perfect software, the only thing which can "save" Mac OS X will be to avoid gaining too much market share.
  • Belief: Publicity stunts like the "Month of Apple Bugs" do little to increase security but they do at least raise awareness.