Andy Reitz (blog)


The Month of Apple Bugs


One of the things that the Mac web has been buzzing about this month (other than the Jesus Phone, that is) has been the so-called "Month of Apple Bugs". The Month of Apple Bugs project has declared that it will announce a new security vulnerability in the Mac ecosystem every day. The unfortunate thing I have witnessed about this, however, has been the reaction from some parts of the Mac community.

The worst offender is David Chartier, who writes for "The Unofficial Apple Weblog (TUAW)". In a post from January 3rd, he writes:

"Let me be clear: if these guys have actually found enough problems with software (be it Apple's or otherwise) to fill a whole month of releases, I honestly and sincerely thank them - they can help whoever makes that software to make it better. What is so horrendously wrong with this 'project' is that they're stirring up hype and making news headlines with these exploits, instead of sticking with the traditional and ethical practices of reporting and discussing these bugs with the relevant parties."

His whole post is filled with digs at this project, and David is missing the overall point: Mac OS X, like every other operating system, has security flaws. The more of these flaws we find (and get fixed), the better off we all are.

As an example, I read about one of their more recent finds, in Software Update. The trigger is nothing more than a file with a .swutmp extension whose name contains printf-style %x conversions. I was able to reproduce it on my iMac G5 by executing these commands:

Last login: Wed Jan 24 23:18:05 on console
Welcome to Darwin!
[currents:~] andyr% touch %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp
[currents:~] andyr% open %x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp

With the following result:

[Image: this_is_embarassing.png] The error message from Software Update (which in this case didn't crash). Notice that all of the %x characters that I typed into my filename are now filled in with internal data from Software Update.

This shows, rather conclusively, that there is something wrong with Software Update that Apple should take a look at. A filename is user-controlled data, and when the %x conversions in it come back replaced by internal values, the name is evidently being handed to a printf-style routine as the format string rather than as an argument. That is the classic signature of a format-string bug, and the same mechanism that leaks data here can also crash the process (hence "in this case, didn't crash"). While arguments can be made for and against different disclosure policies for security vulnerabilities, those of us who comprise the Mac community need to keep our heads and realize that we're not on Mac OS 9 anymore. Security problems in OS X are going to be a fact of life, and we need to understand that they aren't the end of the world, and support the people who find them, and also those who fix them.
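To make concrete what the screenshot shows, here is an added example in C. It is my own illustration, not Apple's code and not taken from the Month of Apple Bugs advisory; the function names (log_error, report_error_vulnerable, report_error_fixed, audit_format) are hypothetical. It reconstructs the shape such a bug takes (an untrusted filename passed as the format to a printf-style logging wrapper), puts the one-line fix beside it, and includes a small audit helper that walks a string the way printf would and counts how many conversions would consume arguments. Run on the filename from the post, the helper reports seven conversions, which is exactly how many internal words the error dialog filled in.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* The filename used in the post. Software Update opens .swutmp files; what
 * does the damage is the seven %x conversions embedded in the name. */
#define POST_FILENAME "%x.%x.%x.ThisIsEmbarrassing%x.%x.%x.%x.swutmp"

/* A printf-style logging wrapper of the kind most C code bases have
 * (hypothetical helper, not from the page). */
static int log_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Hypothetical shape of the bug (not Apple's code): the attacker-controlled
 * filename is handed to the wrapper as the FORMAT. Every %x in it then pulls
 * a word from the argument area / stack that the caller never supplied, which
 * is the "filled in with internal data" effect in the screenshot. This is
 * undefined behaviour, so it is only printed from main(), never asserted on. */
static int report_error_vulnerable(char *out, size_t n, const char *filename)
{
    return log_error(out, n, filename);                        /* BUG */
}

/* The fix: the format is a constant; untrusted data rides in only as %s. */
static int report_error_fixed(char *out, size_t n, const char *filename)
{
    return log_error(out, n, "Could not open %s", filename);
}

/* Check that the fixed path reproduces the untrusted string byte for byte,
 * %x and all: the conversions are inert data rather than instructions. */
static bool fixed_keeps_name_inert(const char *filename)
{
    char out[256];
    const char *prefix = "Could not open ";
    int r = report_error_fixed(out, sizeof out, filename);
    if (r < 0 || (size_t)r >= sizeof out) return false;
    return strncmp(out, prefix, strlen(prefix)) == 0
        && strcmp(out + strlen(prefix), filename) == 0;
}

/* Audit helper: scan a string as printf would, counting conversions that
 * consume an argument ("%%" consumes none; a '*' width or precision consumes
 * one extra). Also flags %n, which writes to memory and turns a leak like
 * the one in the post into a write primitive. */
struct fmt_audit { int directives; bool has_n; };

static struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = {0, false};
    const char *p = s;
    while (*p) {
        if (*p++ != '%') continue;
        if (*p == '%') { p++; continue; }              /* "%%": literal percent */
        while (*p && strchr("-+ #0", *p)) p++;         /* flags */
        if (*p == '*') { a.directives++; p++; }        /* width from an argument */
        while (*p >= '0' && *p <= '9') p++;            /* literal width */
        if (*p == '.') {                               /* precision */
            p++;
            if (*p == '*') { a.directives++; p++; }
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;       /* length modifiers */
        if (!*p) break;                                /* dangling '%' at end */
        if (*p == 'n') a.has_n = true;
        a.directives++;                                /* the conversion itself */
        p++;
    }
    return a;
}

int main(void)
{
    char out[256];
    struct fmt_audit a = audit_format(POST_FILENAME);
    printf("%d conversions would read arguments (%%n present: %s)\n",
           a.directives, a.has_n ? "yes" : "no");
    report_error_fixed(out, sizeof out, POST_FILENAME);
    printf("fixed     : %s\n", out);
    report_error_vulnerable(out, sizeof out, POST_FILENAME);   /* UB: leaks garbage words */
    printf("vulnerable: %s\n", out);
    return 0;
}
```

The audit helper is a belt-and-braces check for code that must accept untrusted strings near a printf-family call; the real fix is the one in report_error_fixed, a constant format with the data passed as an argument, after which no amount of %x in a filename does anything but print itself.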

-Andy.


1 Comment

Regarding "the traditional and ethical practices of reporting and discussing these bugs with the relevant parties," I have heard horror stories about how Microsoft sits on such bug reports for many months. I don't know whether Apple is also bad about this, but if they are then I support outing these bugs directly rather than condoning them being ignored by participating in the "traditional" process. Maybe if all bugs went to press 2 weeks after discovery, software developers would put more time into security audits in the first place.