
An Apple (Bug) a Day

Happy New Year from your favorite hackers

3:50 PM -- Hackers have their own New Year's resolutions, and they don't waste any time procrastinating and agonizing over their lists like the rest of us. So Happy New Year: January will be the Month of Apple Bugs.

Researcher LMH, who launched the Month of Kernel Bugs last month, will be heading up the latest bug-of-the-month postings starting on New Year's Day. LMH, who will team up with researcher Kevin Finisterre, says bug-of-the-month pioneer HD Moore may well contribute to the effort -- Moore submitted a Mac OS X WiFi exploit to the MoKB.

(Moore was not available for comment, but he did include a Month of Apple Bugs in a recent list of upcoming plans, so watch out.) (See Month of Kernel Bugs Ends in Controversy and Wave of WiFi Bugs Won't Bite.)

But hosting a Month of Bugs has gotten a lot tougher to pull off since Moore first spearheaded his wildly popular Month of Browser Bugs in July. Remember the Week of Oracle Bugs researcher who mysteriously scrapped his plans before even posting a bug this month? And the MoKB project in November ended with a little controversy of its own over a vulnerability reported in Apple's OS X DMG.

LMH says the Month of Apple Bugs was already in the works during the MoKB. "We intended to have a bit more fun around OS X," he says. "One of the goals is attracting more security-minded people to the platform, developing new exploitation techniques whenever possible, as well as tools and other resources necessary to make such work easier and more comfortable in the long term."

Critics say these projects are more of a novelty than anything else. And the more Month of _____ Bugs there are, won't they lose their impact?

None of this fazes LMH. He says he expects the MoAB to have a significant impact on OS X security, and he's playing it by ear whether he'll give Apple advance notice on the bugs. "We aren't going to give preliminary 'advice' to Apple about the issues, but this may change depending on different conditions, one of them being the potentially harmful impact of the issue and necessary circumstances for successful exploitation," he says.

The game plan, he says, is to develop working exploits for each bug.

Meanwhile, he's got other high-profile researchers possibly on tap to add bugs. Wireless hacker Jon Ellch, a.k.a. Johnny Cache, says he'll probably contribute, depending on his workload. And David Maynor, CTO of Errata Security, says although he has no current plans to contribute, "if LMH asks for submissions, I will be the first in line."

— Kelly Jackson Higgins, Senior Editor, Dark Reading
