The Month of Kernel Bugs (MOKB) project went out with a bang today in more ways than one. (See Kernel Bugs Come Marchin' In.)
After releasing a kernel-related bug per day throughout the month of November, researchers today scrapped plans to release a memory corruption bug in the Apple Airport Extreme wireless card firmware that affects Intel-based Macintosh machines, after determining the issue required further research.
Meanwhile, controversy erupted at the eleventh hour over another Apple bug. A Macintosh software developer disputed a critical Apple OS X DMG vulnerability reported by MOKB leader LMH on November 20 that purportedly lets an attacker take over a machine via a Safari browser.
The developer contends that the OS X DMG bug isn't a serious memory-corruption flaw, as the MOKB reported, but is a more benign flaw that basically crashes the system. "It's the boy who cried wolf story all over again, really," says Alastair Houghton, who independently researched the vulnerability. "As for the bug, it's still a significant bug. But probably not a shout-it-from-the-treetops security exploit. The worst a remote attacker could do is, by getting a user to click on a link to a disk image file, cause their machine to 'kernel panic.'
"A user is unlikely to get tricked into doing that more than once, and there is, it seems, little benefit to the attacker from doing that," Houghton says.
Kernel panic, akin to Windows' "blue screen of death," is not as dangerous as a memory-corruption bug, which can allow an attacker with knowledge of a machine's memory layout to execute arbitrary code in the kernel and gain total control over the machine, Houghton says.
But LMH maintains that he said the code execution was a "potential" risk with the vulnerability. "I never said there was code execution right away, but a potential risk, and that risk also exists in others [bugs] that didn't make it to the MOKB schedule, and there will be a risk until DMG-handling is fixed in order to validate the data being read from the DMG disk image."
The researchers have traded barbs in blog posts and disagree on several technical issues surrounding the flaw, including what constitutes a real vulnerability and what does not. No one budged. Houghton argued in one post that LMH's analysis was "flawed" and his conclusions "wrong," and LMH challenged Houghton on several technical points.
Despite the brouhaha over the OS X DMG bug, the MOKB is credited with drawing much-needed attention to wireless driver flaws. The MOKB effort prodded several wireless card vendors to respond with patches to their products this month. MOKB, which borrowed its theme from the Month of Browser Bugs (MOBB) run in July by renowned researcher HD Moore, ran a kernel bug per day through November. Aside from Mac OS X, vulnerabilities were posted for Sun Solaris, FreeBSD, NetBSD, Windows, and GNU/Linux.
"[MOKB] did have an impact, and some vendors have been taking care of patching and contacting me and whoever was related to the initiative for feedback and so on," LMH says.
The wireless driver bugs, many of which were found by researchers Moore, Errata Security CTO David Maynor, and researcher Jon Ellch (a.k.a. johnny cache), got the vendors hopping. D-Link and NetGear, for instance, released their first security patches immediately after the MOKB reported bugs in their systems, Moore notes. "On the wireless side, [the MOKB] was a complete success," Moore says. "Microsoft commented about the Windows one, Apple fixed the WiFi one in record time, and D-Link and NetGear actually responded to the issue."
With regard to the newest Apple bug, which LMH says appears to be a heap corruption issue in the memory, he says he will await Apple's update. "Until Apple releases an update and we verify the issue, I can't release further details. I believe it's better to coordinate disclosure when it's really necessary."
LMH says he's confident he properly verified the MOKB bugs during the month, although he admits there's always room for error. "I had to debug, verify, document, and test once and again each one of the issues and it was a tedious task, prone to errors -- quite probably I did make a mistake somewhere else, but I'm certainly confident about the final results."
So with the new controversy over the Apple MOKB bug and the recent cancellation of the Week of Oracle Database Browser Bugs, could this be the end of the Month of Bugs model?
Not a chance. LMH says he may launch another month of daily bugs, this time for a single vendor.
And other researchers have projects in the pipeline. "A few people have emailed and said they were working on their own, but it's anyone's guess how many of these will actually go through," researcher Moore says.
Moore may launch another one of his own next year, possibly on Apple or wireless bugs, he says. Or he might execute one via his employer, BreakingPoint Systems. "I might do something similar with BreakingPoint -- a new, strange hardware bug every week or something."
Kelly Jackson Higgins, Senior Editor, Dark Reading