
The good and the bad of bug campaigns

Researchers have launched the third monthlong parade of flaws, this time in Apple software. But do the efforts do any good?

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
A third monthlong parade of security flaw releases has kicked off, this time focused on Macs. But some are questioning the purpose of such campaigns.

Two bug hunters, Kevin Finisterre and the pseudonymous LMH, say that each day in January, they will detail a security hole in Apple Computer's Mac OS X or applications for that operating system. Like previous efforts, which focused on Web browser and kernel vulnerabilities, the "Month of Apple Bugs" is meant to improve security, the pair state on their Web site. Flaws that are publicly disclosed will get fixed quickly, they argue.

"Some of us use OS X on a daily basis. Getting problems solved makes that use a bit safer each day," LMH and Finisterre wrote on the project Web site. "A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple."

While the researchers argue that the public airing of flaws is for the greater good, not everyone agrees. After all, broadcasting details of a bug in software without informing its maker and without a patch being available puts users at risk, critics say. It goes squarely against the "responsible disclosure" practices advocated by software companies.

For example, the Month of Apple Bugs includes detailed exploit code that could provide ammunition to cybercrooks for use in attacks. Software makers are sent scrambling to address the flaws.

That's exactly what the people behind the campaigns want. The approach was inspired by July 2006's "Month of Browser Bugs," dreamed up by HD Moore, a well-known security researcher and developer of the popular Metasploit security tool. That effort was followed in November by the "Month of Kernel Bugs" project, run by LMH.

"My experience has shown that the fastest way to secure a piece of software is to release a working exploit for it," Moore said in an e-mail interview Wednesday. "Users will get software patched in a much timelier manner. They can also take precautions they didn't know to do before."

Ego trip?
The bug releases rekindle the responsible disclosure debate. Software makers want bug hunters to report vulnerabilities privately to them and to give them time to fix the problems. Researchers have complained that software companies ignore them and take much too long to address the reported problems.

"Responsible disclosure can't work. People do whatever they want," said Pete Lindstrom, an analyst with Burton Group. Still, a parade of zero-day bug releases obviously doesn't serve the Net public, he added. "These initiatives are always more about the egos of the bug finders than anything else," Lindstrom said.

Nick Frollini, a business consultant and Mac user from Pittsburgh, Pa., agreed. "All these campaigns accomplish is driving traffic to the sites of the security researchers," he said. "The better approach is to work with the vendors to address flaws and to only publicize them if the vendor is completely unresponsive. Why unleash more zero-day exploits?"

But LMH disputes that he and Finisterre are in it for personal glory. "We aren't receiving any kind of reward," LMH said in an interview via instant messaging service. "We are releasing information and code that could represent a significant benefit when sold to certain parties. Thus, we are losing money with this."

Double-edged sword
Efforts such as the Month of Apple Bugs are a double-edged sword, said Dave Marcus, security research and communications manager at software maker McAfee. "The posting of a flaw does make it get patched. It is an effective way of getting security vulnerabilities fixed in a lot of instances. It just puts users at risk at the same time, which I am not a fan of," he said.

Marcus believes in the good intentions of the hackers behind the bug releases. "These guys were superstars in computer security before they were doing the months of the bugs. I think they honestly do it in the thought of serving the community," he said.

In the short term, Net users will be at risk because of the Month of Apple Bugs, but in the longer term, the products featured in the project will be more secure, said Jon "Johnny Cache" Ellch, a security researcher who has contributed to the Month of Kernel Bugs project.

"When this is over, though, you've got to realize there will be 30 fewer ways to break into Macs. Who could think that is a bad thing?" he said.

Already, one developer has stepped up to the plate to provide third-party fixes for flaws released as part of the Month of Apple Bugs.

Apple has said that it is aware of the project, but has chosen not to comment beyond saying in an e-mail message to CNET News.com that it takes security very seriously and has "a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

Another purpose of the Apple-focused month could be that it serves as a wakeup call for Mac users, Lindstrom said.

Malicious software that targets Mac OS X systems is rare and has been limited largely to proof-of-concept code, instead of actual attacks. However, there are indications that hackers are increasingly targeting the Mac.

"Mac addicts are a different breed; they are one of the few groups that, by and large, think their operating system is somehow impervious to attack. It may be beneficial to security to actually prove that weaknesses exist," he said.

That's a good point, said several participants in CNET News.com's Mac Views panel of readers.

"I am a fanatical Apple user and am certain that OS X is one of the most stable and secure operating systems in the market, but there is no such thing as a perfect piece of technology," said Bay McLaughlin, chief executive of iMago Productions. "Therefore, I do believe that it is worth exploring the shortcomings of OS X."

However, it would have been better if Apple or the maker of the affected software had been given at least some time to address the issue, McLaughlin added. "There is something to be said for both sides, but I would rather hear about the findings after Apple released a new Security Update," he said.