As we process Apple’s Macworld Expo announcements (expect a whole lot more about cell phone security in the months ahead), the Month of Apple Bugs project continues to generate interesting results, just not necessarily the type of results its perpetrators may have expected. Bugs have been found (what a surprise!) but most of them have been in rather obscure areas (the VLC media player, the OmniWeb browser, iPhoto photocasting and PDF internal coding, to name a few). What’s really been interesting is the reaction of the Macintosh community. In a rather surprising technical feat, a community group has formed that is actually fixing the bugs, usually within hours of their being exposed. Also, a recent Wired article has lent credibility to both the original project and its counter-project. Finally, MOAB has countered the counter-project by finding bugs in the counter-project’s bug fixes!
The whole chain of events was started by a couple of security “researchers” who have been able to gain publicity through a couple of recent “Month of XYZ Bugs” projects. The researchers decided to target Apple as their first project of the New Year, at least partially because of the added publicity they felt they could gain. In typical Macintosh style, a group, led by Landon Fuller, quickly sprang up to counter the researchers. The group discusses the bug-du-jour posted on the MOAB Web site and then comes up with a fix, which they post on their Web site. The parallels to the MOAB project are quite impressive. This isn’t exactly a classic black-hat versus white-hat scenario, but it’s close.
A number of trade publications have now picked up on the original project, and on the Mac community’s great response. Wired magazine’s article, entitled “Putting a Bug in Apple’s Ear”, is an excellent overview of the whole thing. The article’s somewhat controversial and worrisome, but not unreasonable, conclusion is: “...with the proliferation of platform-independent browser-based malware and the rising number of Mac bugs and Macs to exploit, the security haven enjoyed by Mac users is giving way to a more dangerous net.”
Finally, there’s already one interesting postscript to the Wired article, with many more no doubt to follow. Yesterday’s MOAB bug was nothing other than a purported flaw in the mechanism being used by the counter-project to fix many of the MOAB bugs in the first place! (Note: a direct link to that bug is not provided due to the page’s use of sound in a very annoying way. Access the full project and then click on bug 8 if you’re really interested). And, yes, the counter-project has now fixed that bug too!