waffle

Waffle was a weblog that ran for nine years and five days from 2003 to 2012.
The last post has been written and comments will be closed by the end of March 2012.
The author of Waffle, some guy in Sweden, also occasionally writes stmts.net.

(If anything will ever succeed or revive Waffle, it will be announced in this location, and in the feeds.)

The month of Apple bugs begins

The Month of Apple Bugs aims to disclose one bug – with a working (presumably relatively harmless) exploit – every day for the rest of January. This is good news.

Apple’s reaction to exploits, and the fixes that follow, has been slow. Disclosure of fixed vulnerabilities was abysmal until about two years ago. There’s no doubt that there is room for improvement in Apple’s security machinery.

Some people will without a doubt say that this is an attention-grabbing trick by amateurs, but I’m not so sure. Unlike some other fellows, these guys produce publicly available code demonstrating the bug in question. Even if they were only out to heckle – and it doesn’t look like they are – they’re putting a stake in the ground outside 1 Infinite Loop. They’re saying: “Your OS X product page tells us you’re delivering the highest level of security and we want to take you up on that. No piece of software is perfect, but you have some bugs that could really cause damage: here are the details of 31 such bugs.”

Will they all be fixed before March? June? December? Before December 2008? I don’t know. But it will be fun to watch this thing unfold, if nothing else to compare the treatment with that given to bugs that went through official channels.

Update: I can’t claim I like the general attitude thus far. One of the stated goals was to expose bugs in Apple’s software or popular Mac OS X software; the second bug is a cross-platform vulnerability in VLC. It’s Mac OS X software, for sure, and it’s a real exploit, but where, exactly, are Apple even involved? The only thing separating it from the same bug in VLC on Windows is that it also applies to the Mac VLC. This is reaching.
