OS X under attack?
 
Is Mac OS X about to come under attack? This is the claim of Washington Post reporter and known-agitator-assistant Brian Krebs. In a recent “Security Fix” posting, Mr. Krebs claims that two “security researchers” will be launching a project called “Month of Apple bugs” come January 1, 2007. It’s not entirely clear how Mr. Krebs obtained this information, other than a claim by him that some of it was through an IM (instant message) conversation with one of the “researchers.” The claim has of course been picked up by various news services, so it now appears to come from all over, but Mr. Krebs may well be the only source (along with a follow-up posting seemingly by one of the researchers, KF, at the Security Focus Web site).
 
The researchers are clearly taking advantage of two trends: The “Month of XYZ bugs” trend that started last summer, and the “pick on Apple” trend that started a bit earlier (fueled by both Apple’s recent successes and Apple’s “I’m a Mac, I’m a PC” security ads). One of the researchers previously exposed a number of OS X bugs as part of their “Month of Kernel bugs,” but many of those exposed bugs were more self-serving than anything else. As an example, one bug could only be exploited by writing a fairly complex program that took advantage of a flaw in the API (application programmatic interface) to Apple’s old AppleTalk protocol (which isn’t used for much any more, and which doesn’t even work over the Internet).
 
How worrisome is this purported upcoming attack? Pretty worrisome actually, but not for the reasons you might think. Regardless of how bogus the bugs might or might not be, they will no doubt focus distorted attention on the subject, and distorted attention is not good. Additionally, the researchers are alleged to have said that, contrary to accepted practice, they will not tell Apple about the bugs ahead of time. So, if they do find a serious bug, and if they do carry through on this threat, the Mac’s security will be further compromised compared to if they had not done the research in the first place, at least in the short term.
 
As usual, there are the normal upsides to publicity about OS X security issues, in terms of increased awareness and decreased complacency. But it’s getting harder and harder to tell whether someone’s crying “wolf” or not, so when a real serious security issue comes along (and such an issue will come along), it may well take longer than it should for us all to realize that the issue is in fact serious. Such is life in the Mac security world as we enter 2007. Happy New Year.
Thursday, December 21, 2006