
Mac Views: Will bug campaign benefit Apple security?

Project promises to reveal an Apple-related flaw every day in January. Readers tell us whether such campaigns are worthwhile.


Does 'Month of Apple Bugs' make sense?

By CNET News.com Staff
Jan. 4, 2007 1:00 PM PST

Two security researchers have kicked off 2007 with a "Month of Apple Bugs," promising to feature a new vulnerability related to Mac software each day in January.

It follows two similar monthlong campaigns last year that focused on browser flaws and kernel flaws.

However, some experts and users have questioned the purpose of these projects, wondering how much security value they have. To find out what people on the street make of it, we asked our Mac Views panel, made up of ordinary readers, this question: "Do these kinds of bug-publicizing campaigns do any good for the general Net public?"


Brooks Graham

While I generally dislike these near-extortion-like tactics, I have a greater dislike of weak security and the problems that can arise from it. In a perfect world, software vendors such as Apple would respond immediately to all reports of security problems, but having worked for a very large software company myself, I know that resources are limited and issues get prioritized. Putting a little public pressure on their prioritization scheme might be effective. (Then again, in a perfect world, all software would be perfect!)

Of course, this needs to be balanced with any potential risk associated with publicizing security issues and their possible exploits.

From a public perception standpoint, I do worry that continuously publishing new security bugs gives ammunition to any fence-sitting Windows user to unfairly compare the general security of OS X to that of Windows.

Silicon Valley-based Brooks Graham is a Veritas Software veteran who now splits his time between an early-phase Silicon Valley start-up and working in post-production for local independent film projects.



Michael Halsall

From my perspective, these bug-publicizing campaigns do more harm than good, if misused.

I feel that their only use should be to prod action when a behind-the-scenes heads-up fails to elicit any response from the company. If these two security researchers had alerted Apple to these issues a couple of months ago, and Apple failed to act on them, then by all means make them public. Embarrass the company. Use collective pressure to achieve improvement.

However, just highlighting bugs for no apparent reason, or picking on one company or whatever program does not really help. Their purpose would be to... what? Ensure that people do not trust Apple? Or Microsoft? Sure there are bugs. If you look for problems hard enough and long enough, you're going to find them, no matter what program or platform or company.

Michael Halsall is an elementary teacher who got into Macs while working in Singapore.



Paul Cesarini

It really depends on the intent of those who are doing this. If the intent is purely to create more public awareness of recent system vulnerabilities, so the folks at Apple can quickly address these issues, I suppose this serves quite a great deal of good.

However, if the intent is instead to more or less try to draw some element of bug-related parity between Mac OS X and Windows, in order to somehow demonstrate that Macs are equally prone to security vulnerabilities, then I would say this effort doesn't serve any greater good. Mac OS X is simply a more secure operating system. I am guessing that for every "Month of Apple Bugs" there could likely be a "Month of Twice as Many Windows Bugs."

Paul Cesarini is an assistant professor in the Department of Visual Communication and Technology Education, in the Advanced Technological Education program at Bowling Green State University.



Michael Salsbury

I think they're good from a variety of standpoints.

First, they help dispel the myth Apple likes to perpetuate in its advertising that Mac OS X is completely solid and secure. Users who buy into this myth won't take appropriate steps to protect their systems from viruses, adware, spyware, rootkits, and other malware. As a result, their infected systems will cause everyone to be at risk.

Second, odds are whoever is publicizing these bugs has known about them for a while, and they've existed for a while. Focusing some attention on them will help raise Apple's awareness and spur them to fixing the problems.

Third, these kinds of publicity campaigns remind everyone (not just Mac users) to think about security.

I'd have preferred to see this particular campaign submit all the bugs to Apple at least a month before going public with them. That would reduce the risk to Mac users that one of these would be exploited by the wrong sort of person. But then again, if someone manages to get away with a significant exploit before Apple gets the bug patched, that just underscores my first point. Also, in my experience, the bugs I've reported to Apple seem to fall into a black hole, including one very serious one that would allow anyone physically present at the keyboard to create an administrator account without even logging in, which has not been fixed in over a year.

Michael Salsbury works for a large nonprofit organization as a Macintosh and PC administrator who has been working with Macs since they were introduced and with Windows since about 1995.



Damon Osborne

Yes and no. It is always good to have peer review, regardless of the field studied. However, publishing "bugs" or "vulnerabilities" of an operating system or application to the general public without first notifying the company and allowing a reasonable amount of time for a patch/repair/update is irresponsible at best.

My past experience with Apple and their operating systems has shown a willingness to address the serious issues with their software on an as needed basis (i.e., when a fix is needed, a software update is distributed).

Damon Osborne is an assistant professor of education and coordinator for online curriculum development at Mount Vernon Nazarene University.



Norm Ennis

The answer is yes. Just like a strong virus makes the population stronger (by killing off all those who have lowered immune response), this kind of action will cause software updates.

However, unless these kinds of people have first notified the responsible companies and received a rebuff, then I tend to think of them as glory-seeking "butt holes" that could care less about the health of the general computer-using public.

Norm Ennis is an East Texas-based quality manager at a NASA launch facility who has used PCs and Macs for years.



Michael J. Prather

I personally do not see the point in any manner of posting flaws in public. If there are flaws, then vendors should have the chance to review those flaws and begin work on fixes BEFORE the public is aware.

And I do not see the 01/03/07 posted VLC flaw as a Mac flaw. VLC is provided by a 3rd party for Mac systems, yet Mac did not create this flaw nor is it Mac's job to fix such a flaw. I was expecting the flaws to focus on Mac OS flaws from the title of "Month of Apple Bugs" rather than 3rd party software vendors. I'll be curious about the ratio of Apple vs 3rd party flaws at the end of this month.

Michael J. Prather is a Florida-based mailroom supervisor who says he often kicks himself for not switching from Windows to Macs years, if not a decade, sooner.



Tony Trippe

This sort of thing does absolutely no good at all for the general Net public. It would be different if they were identifying bugs or vulnerabilities which could be exposed under normal circumstances and situations. Instead, most of these represent "worst case" scenarios that would not normally be exposures under normal usage situations. They are typically a means of trying to attract attention--especially this one, which is being launched during the week leading up to one of the most anticipated MacWorld conferences ever.

Tony Trippe is an innovation manager for a chemical abstracts service who has been a Mac fan since the mid-1980s.



Jeff Edsell

I'd like to be positive about the Month of Apple Bugs, and assume that the researchers merely want to dispel the myth (held by many Mac users) that OS X is bulletproof. But I think it's rather more likely that the goal is simply publicity for the researchers themselves--OS X is widely known to be secure enough that any security exploit, no matter how harmless or unexploitable, makes front-page news in the tech world. And so far it seems that the information provided isn't really intended to be useful or helpful, to the average user or to Apple.

It's also easy to imagine the researchers are motivated more than a little bit by anger towards the legendary smugness of Mac users. Like people who buy a non-iPod MP3 player simply because they're sick of seeing white earbuds everywhere, there's probably some weird feeling of rebellion involved.

That said, hopefully Mac users, rather than getting their backs up or simply being dismissive, will remember that they need to take security precautions with their machines as well.

Jeff Edsell works on Macs as a Web and print designer, and as a desktop publisher before that. He's been a regular Mac user for about 15 years.



Chris Lawrence

I do think campaigns of this nature are good for users. It dispels the propaganda that Macs are invulnerable to attack and makes (the conscious) users more careful. Additionally, it puts well-deserved pressure on developers to address these issues quickly.

I do think it's a bit irresponsible for them to not report the issues to the developers first, though. This form of grandstanding is not in the spirit of goodwill and encourages abuse.

Chris Lawrence is the CIO for Clients & Profits, a maker of software for ad agencies based in Oceanside, Calif.



Ted Rodrigues

As with any software, there will always be bugs and vulnerabilities at various levels. Some are going to be easily exploitable, while others will take work and a veritable software crowbar to be a threat to the average user.

That said, to publish the vulnerabilities is good for the general public, in that it keeps us all aware of the need to keep our software up-to-date, and to be aware of what channels and tricks a hacker might use to gain access to those bugs. For example, if there is a file download vulnerability, then knowing that should allow the average user the protection to choose to avoid such downloads.

Rev. Ted Rodrigues grew up in Silicon Valley in the 1960s and finds that Macs are user friendly for the volunteers and hired staff for his work as a priest in Oregon.



Andrew October

We should not be too critical of Apple at this time as the current OS 10.4 (Tiger) reaches the end of its life-span and we prepare for the launch of OS 10.5 (Leopard). Personally, as a decade-long Apple user, I've experienced very few issues and have taken the advice of my local Apple outlet not to install third-party AV and firewalls.

Andrew October is a tech media consultant who also freelances as a consumer technology reporter with various South African publications.



Robert Ahrens

I am reminded of the brouhaha this August regarding the "researchers" Maynor and Ellch with the wireless attack on the third party wireless card on the MacBook. Like the current "researchers," Maynor and Ellch made comments about smug Mac users as a motive for their actions. While these guys have not been as insulting as the cigarette in the eye thing was, their comments betray their motives, which are, simply, for the publicity.

Robert Ahrens is employed by the Food and Drug Administration as an IT specialist, supporting a training facility and all the IT assets they use.



Dennis Burges

I think the general public is largely oblivious to these security campaigns, and only takes notice when a security flaw is exploited to cause widespread damage. Nevertheless, there is value in publicizing such flaws. Software makers are likely to take a more vigilant stance on security when there is increased public scrutiny. This is a good opportunity for Apple to show they are responsive to the concerns of security experts.

Dennis Burges is an independent video producer (and occasional database developer) who has been using Macs as long as there have been Macs.



Tom Merrill

I have been both a Mac and PC user for over 20 years. Macs are clearly, in my experience, the most stable platform when it comes to security. An interesting question is, "Is this because Macs make up so small a part of the overall market?" I do NOT think it a good idea to publish flaws in Mac OS software--it seems to me an invitation for hackers to take advantage.

Tom Merrill is an assistant professor of Music at Xavier University in Cincinnati, Ohio.



Patrick Evans

Publicizing bugs found on any system is generally a good thing, but this campaign seems to go a bit far. The bugs seem to focus on exploitable ones (access a machine that doesn't want to be accessed), not just ones that are obscure "this isn't working right."

General bug ID work and subsequent publishing of that work is a great thing; it helps the company who writes the stuff and helps the consumer when he/she might encounter the problem. NET active bugs might be a different matter. We should be careful not to posit challenges to the hacker communities.

Patrick Evans, who now owns a small fish-and-chip restaurant on the Oregon coast, was previously a computer network designer for Motorola and owned a network installation company.



The Mac Views panel is being brought together by CNET News.com to get feedback from people on the street on the latest happenings at Apple Computer, whether it's a battery recall or plans for the next iPod.

We're looking for a range of perspectives--from Mac fans to business users to mobile music lovers.

Interested in joining the panel pool? Here's how it works:

Whenever key Apple news breaks, we'll send an e-mail to contributors for their response. Sometimes, we'll ask a yes/no question and use the results as a simple poll. Other times, we'll look for more in-depth feedback on Mac or iPod current events. It doesn't matter whether you send us two pages or two sentences--we value all your comments. And if you don't have an opinion on a particular story, or you don't have time to respond, that's good too.

The feedback will often reach our readers. Our writers may quote panel remarks in stories. Or we may pull together comments--your 2 cents--in an article of their own. Occasionally, we'll ask contributors to take part in a weekly podcast, to discuss their views with CNET News.com editors and industry experts.

Take a look at our panel on Microsoft's Windows Vista, to get an idea of how our readers participate.

We want to know what our readers think, as Apple switches over to Intel chips and as Microsoft and others gear up to challenge iPod and iTunes. If you haven't signed up yet, send us an e-mail to mac-views@cnet.com.


Credits

Design: Gautama Swamy
Production: Kristina Wood
