December 19, 2006
Happy New Year, Here’s A Mac Bug
Once more into the breach on the subject of Mac security.
Brian Krebs over at The Washington Post’s Security Fix blog is reporting that an anonymous security researcher going by the handle LMH is going to try to give Apple a security-related headache. January 2007 will be the “Month of Apple Bugs,” in which LMH and partner Kevin Finisterre will each day reveal a security vulnerability in Apple’s OS X.
LMH has a history here, having run the Month of Kernel Bugs, which was aimed at Unix vulnerabilities. Since OS X is derived from BSD, which is itself a flavor of Unix, the Mac was apparently affected by some of the bugs disclosed during the Month of Kernel Bugs; OS X is mentioned 13 times. In one posting LMH taunts Mac users with comments like “Mac OS X users and developers, beware (and be careful) about what you do with binaries. Especially when trying to analyze some "useless malware proof of concept"...”
The state of Mac security is an area where there is a great deal of misunderstanding. I don’t know how many times I’ve had to correct people who’ve told me to my face that switching to the Intel architecture would increase the security risks to the Mac. Wrong. They often say the same thing about Boot Camp. Wrong.
Still, I’ve always tried to be realistic in my assessments of the security situation on the Mac. I don’t recommend anti-virus software to Mac users, for instance, because there really aren’t any Mac viruses to speak of. Since I believe there is no such thing as absolute security, I think security research into the Mac OS should be candid, rigorous, and constant. The only possible result is positive: either no vulnerabilities are found, or those found ultimately get patched.
But doing this security research by shaming the company isn’t exactly the right way to go about it, as the potential for harm to innocent bystanders increases. It’s one thing to contact Apple and tell them you’ve found something that isn’t widely known about, and give them a chance to fix it before publicizing the nature of the bug. This LMH, in what looks like an attempt to call attention to him/herself, has declined to do, preferring instead to shame Apple publicly and thus spur some action.
I called Apple for comment and here it is: “Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
And for the record, if you are a security researcher and know about something inside Mac OS X that should be fixed, there is a right way to report it: Send an email to firstname.lastname@example.org. I’m told that email address is monitored 24 hours a day. And there’s more info here.
However, given that this effort appears to be underway, and its principals determined to carry out their stated mission, the right thing for Apple to do is be prepared to respond. And by respond, I don’t mean call the lawyers: I mean tell the guys in the security group that, for good or ill, they should be ready for a busy January spent plugging holes as fast as possible. Oh, and that suggestion about a Security Czar? I still think it’s a pretty good idea.