January 31st, 2007

Month of Apple bugs hacker signs off

Posted by Ryan Naraine @ 6:08 pm

Categories: Apple, Hackers, Responsible disclosure, Vulnerability research

Tags: Apple Computer Inc., Project, Security, Apple Mac OS, Apple Macintosh, Apple Mac OS X, Hacker, Exploit, Ryan Naraine

The controversial MOAB (Month of Apple Bugs) project crossed the finish line today with a cryptic "coming soon" note, a promise to release an exploit for a remote kernel vulnerability and a vow from one of the organizers to stop publicizing his flaw findings.

"My time disclosing exploits is over," said L.M.H., the mysterious hacker who released daily warnings about software bugs — and potentially serious vulnerabilities — affecting Mac OS X users.  "No more open security stuff," he said in an interview moments after releasing the project's final advisory, which hints that a remote kernel flaw exploit is in the works. 

"I will roll an exploit but, after that, I'm going to stop disclosing stuff," L.M.H. added.

For the entire month of January, L.M.H. teamed up with Mac OS X security specialist Kevin Finisterre and others to release proof-of-concept exploits for issues affecting the Mac ecosystem. For the most part, the project did not live up to the early hype. Outside of a QuickTime code execution issue, which has already been patched by Apple, the majority dealt with denial-of-service crashes and privilege escalation bugs, but security researchers warn against downplaying the MOAB findings.

"A lot of people will try to discount those as trivial bugs because they're not weaponized.  If someone took the time to weaponize them, they could be very serious," says David Maynor, CTO and founder of Errata Security, a consulting and product testing company.  "From my understanding, the goal of the project was not to release weaponized exploits.  It was just to highlight that there are trivially bad programming practices in the Mac OS X operating system. Simple things like format string overflows, stack overflows… Other software vendors are eradicating those types of flaws but they are still plentiful in the Mac OS X," said Maynor.

Maynor believes L.M.H. and Finisterre "achieved the goal" of highlighting major weaknesses in the Mac ecosystem and raising awareness of Apple's perceived smugness when it comes to acknowledging security issues in its software products. "Hopefully, Apple learned that it's not a good thing to deal with security through a PR-type response. I really don't think we'll see a difference there but hopefully the message was loud and clear," said Maynor, a researcher who was himself embroiled in a flaw disclosure dispute with Apple.

The project was not without critics — in and outside of the notoriously finicky security research community. Matasano Security's Thomas Ptacek, a self-confessed detractor of what he calls the MOXB phenomenon, recently conducted an informal 'MOAB-pro-or-con?' survey of his peers and found that it largely polarized the vulnerability research community.

L.M.H., who appears sensitive to public criticism, summed up the project this way: "The project met its objectives and I'm certainly proud of the results. There are different approaches to making change — aggressive and not-so aggressive — but I don't think the security industry is going to change much. I think our job is done."

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.