I’m not a developer. I’m not a coder. I’m not a Mac evangelist. I have recommended people buy Macs and have recommended that others buy Windows. I use Macs (and have for almost 2 years) but am also comfortable enough with Windows to run it without the need for anti-spyware and anti-virus software and not have to worry. I’m also familiar enough to know that while some criticisms of Windows are outdated (BSOD is not nearly as common as it used to be), many more difficult ones to describe are not (i.e. the overall experience of getting things done feels much easier on a Mac, including things like watching a DVD, which, in Windows XP, required extra software).

I do not have any Apple stock. I have no vested interest in the company. I am not Artie MacStrawman. I’m just a user.

I read with interest about the alleged WiFi security issue which exists, in some form, maybe, possibly. I was fully willing to believe there was such a flaw. Had there been such a flaw it might have been an important event in the life of Mac users.

Instead we got posturing. Apple’s comments on the matter seemed fairly straightforward, whereas the comments from the accusing side seemed slippery at best, and finally went up in a cloud of smoke.

Out of those ashes arose the Month of Apple Bugs. But it came with a bitter taste in its mouth.

Let’s keep out of personal attacks, they don’t bring anything interesting to the playground, and after all, there are plenty of ways to poke fun out of someone without resorting to dirty tricks.

But it was personal. You could see the chip on their shoulders from space using a Pringles can for a telescope. The whole thing reminded me of Jack Nicholson’s character in A Few Good Men trying to attack Tom Cruise’s character and yelling “I’m gonna rip out your eyes and piss in your skull” or something to that effect (the last time I saw it was on the USA network which had dubbed in “rip off your head and puke in your neck”). There is rage there, and I suspect most people are well aware of it.

Various Mac programmers have been interviewed and most said the same thing: “We all want a more secure OS X, but this isn’t the way we’d go about doing it.” Clearly the MOAB folks knew this was coming and their answer was:

[Q:] Are the issues being reported to the vendor before public disclosure?
[A:] Rarely, the point is releasing them without vendor notification.

I still don’t get what this means: “the point is releasing them without vendor notification.” The point, it seems clear to me, is “OS X isn’t as safe as you think it is and here’s a month worth of examples.” That point, at its most legitimate, could have been made, in January 2007, having informed all of the vendors one month earlier.

Although, sometimes we may decide to pass an issue through the appropriate people.

Read: “We have the power here, and we’ll use it as we see fit.” One might ask who benefits the most from this policy: OS X users, or the MOAB folks. Are they doing this for the betterment of OS X society, or for notoriety?

The problem with so-called ‘responsible disclosure’ is that for some people, it means keeping others on hold for insane amounts of time, even when the fix should be trivial.

“Some people”? Who cares about “some people”? Even I, with a minor amount of knowledge in this area, am aware that security holes are routinely reported with a note to the effect of “I plan to make this public on (insert date here).” They could have done that. They chose not to. Who benefits from this policy?

And the reward (automated responses and euphemism-heavy advisories) doesn’t pay off in the end. ‘Responsible disclosure’ exists when the vendor doesn’t deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don’t trust Apple on these matters due to the track of incidents and unpleasant situations surrounding their policy on product vulnerability handling.

This is an allusion to the argument that Apple strong-armed the people involved in the supposed WiFi hack into not disclosing it. There is no proof that Apple really did this, just allegation. So far these are unsubstantiated claims against Apple, which has routinely demonstrated a willingness to attribute discovery of security problems. If Apple deviated from that pattern, one might ask “Why?” Is there some major conspiracy in place to protect Apple against the disclosure of a WiFi vulnerability? Or is the truth more mundane, like the company agreeing to give up its claims in exchange for Apple using them as security consultants?

No one knows. The MOAB folks don’t know. Oh, and it’s important to note that Apple was by far not the only vendor whose software came up in the MOAB.

In fact, the MOAB is really quite a misnomer. Many of these are not Apple bugs, per se, they are bugs in software which you can use on OS X, the operating system made by Apple. OS X != Apple.

I would be curious to know if the MOAB folks contacted the folks at VLC (day 2) or Adobe (day 6) or OmniGroup (day 7) or Unsanity (day 8) or Colloquy (day 16) or Rumpus (day 18) or Panic (day 19) or Telestream (day 27). After all, if they were just concerned with Apple, they could have contacted the other developers, right? I mean, more than one whole week of the MOAB was 3rd party exploits: how many of them were contacted by the MOAB organizers? Were any? The folks at OmniGroup have a pretty solid reputation in the community as being decent — did that reputation gain them anything?

Apparently not:

If the “Month of Apple Bugs” project had given us advance notice of the security issue, we would have posted a fix sooner; as it was, they sent us notice at 11:15am and (as you can see) we posted this fixed release a few hours later.

We’re not proud to have had a vulnerability in the first place, naturally, but we are proud of our response time! (Now I guess we’ll see how quickly they respond to our fix, updating their workaround section to point people at our fixed release.)

By Ken on 01.07.07 3:11 pm

Well, more than 3 weeks later, Ken is still waiting.

It seems the MOAB folks were not all that interested in how vendors responded. At least, they weren’t interested enough to update their website to tell people that fixes were available.

VLC and Colloquy fixed their issues right away. Yet as of today (2007-02-01) there is no mention of these fixes on either the Colloquy MOAB page or the VLC MOAB page.

Transmit was fixed within days but the Transmit MOAB page has not been updated.

They wanted a more secure OS X, right? Does the response time for vulnerabilities mean anything? Not to Artie MacStrawman who believes that OS X is 100% completely safe and never has no problems nowhere and was therefore shocked shocked I say! to learn that some apps, even on OS X, are imperfect. To the rest of us, however, the response time of the 3rd party vendors should be heartening.

Oh, and what about that other vendor, Apple? They fixed the issue from Day 1 and released it on January 23rd (not bad considering that the huge Macworld conference also took place in the meantime). They even credited the MOAB folks for their discovery. What does the MOAB site say?

The only potential workaround would be to disable the rtsp:// URL handler, uninstalling Quicktime or simply live with the feeling of being a potential target for pwnage.

Oh I never get tired of that “pwnage” either. Did you see how they mashed up words there? It’s just so clever, like the Macarena, I can’t imagine ever getting bored of it.

They address this in their FAQ too:

The ‘pwnies phenomenon’ isn’t more than yet another meme or non-sense net-folklore. The original image is done by Jon-Mikel Gates and was sent to Jonathan Coulton. A fellow proposed it to be used for giving a sarcastic / humorous sense to the Apple-related bugs. Probably, the intention was to create the slang word (pink bug) for these issues, given the totally non-sense and immature reaction from so-called Mac fan boys. On the second question, if that, for you, ruins the credibility of this exercise, you’re clearly not the audience we’re speaking for.

Who is the audience they’re speaking for? Is it Mac end users? If so, I am one of them, and their H4xor-speak did indeed lessen the seriousness with which I considered their work.

They clearly know that the Apple Security update has been released, since they mention it in Day 23 of the MOAB:

This has been tested via QuickTime™ Version 7.1.3 running on Mac OS X 10.4.8 (8L2127), with the Apple Security Update 2007-001 applied.

So they haven’t bothered to update their site for any of the apps which have been updated since their reports went forth. Rumpus FTP, really? In 2 years of Mac usage I haven’t even heard of this software. Smells like padding to me. In fact, having 8 third-party apps smells pretty fishy to me too. How many actual Apple bugs were there?

I count 22: #1, 3, 4, 5, 9, 10, 11, 12, 13, 14, 15, 17, 20, 21, 22, 23, 24, 25, 26, 28, 29, 30.

Day 31 was essentially meaningless. I was going to give them extra points for picking a month with 31 days in it, versus February’s 28. I suspect they chose January more because of Macworld than the number of days in the month. Really they only gave us 30 bugs, or 22 Apple bugs, which is what they originally promised. And even those 22…. well…

Of those, 5 (#9-13) all have to do with DMG handling. The most serious problem there is that Apple has insisted that Safari automatically mount DMGs. That is mindbogglingly stupid, IMO, and qualifies as “Just Asking For It.” When Leopard ships and Safari quietly has this turned off by default, we should all cheer (Note: I haven’t seen Leopard yet, so I’m just guessing that they will fix that.) Meanwhile, I download all of my DMGs from people/places I trust, so I don’t worry much about those.

Local privilege escalations basically mean that if someone has a regular user account on your computer, they can get more power, either as an administrator or as root. If I ran a lab full of Macs, this would be an issue. As it is, the only user on my Macs is me. So I don’t worry much about local users. That means #28, 22, 21, 15, 17, and 14 are essentially unimportant to my daily living.

Overall I find myself disappointed at the MOAB. The Macalope wrote:

The Macalope highly suspects that the Month of Apple Bugs is starting off intentionally lame in the hopes that Apple blogs will take the bait.

Please hold your snide remarks until all the bugs have been announced

  1. #1: Fixed by Apple
  2. #2: Fixed by Vendor
  3. #6: “temporal” [sic] fix: Use Adobe Reader 8 for PDFs
  4. #7: Fixed by Vendor
  5. #8: Fixed by Vendor (although I don’t use APE and would not be surprised to find more security holes in it)
  6. #9: Only download DMGs from trustworthy sources
  7. #10: Only download DMGs from trustworthy sources
  8. #11: Only download DMGs from trustworthy sources
  9. #12: Only download DMGs from trustworthy sources
  10. #13: Only download DMGs from trustworthy sources
  11. #14: I don’t use Appletalk and it’s a local-only issue as far as they know
  12. #15: N/A (I’m the only user)
  13. #16: Fixed by Vendor
  14. #17: See Appletalk issue #14 above
  15. #18: Fixed by Vendor (for an app I’ve never even heard of)
  16. #19: Fixed by Vendor
  17. #20: My AIM list is already set to only accept messages from people on my buddy list, so the risk here is low, and even the MOAB description is fairly vague as to the level of the threat
  18. #21: Workaround provided (and I think this is a local-only bug anyway)
  19. #22: Local or remote? Unsure but it seems like it’s local only
  20. #23: PICT? I guess someone could put it in a website or something…
  21. #24: So if I create a file and open it myself I can create a crash? Are there other risks? (And before they mock me for not being smart enough to understand what they are saying, ask yourself: Who is their audience? If not me, then who?)
  22. #25: I don’t run a Mac webserver, so I guess that doesn’t apply to me
  23. #26: So I should only install packages from places and people I trust?
  24. #27: Vendor patched? I don’t find myself using Flip4Mac all that often, so again I’m not all that worried here
  25. #28: Local only
  26. #29: I never have used iChat Bonjour. It’s like the Zune WiFi sharing: using it would mean someone else around me has iChat and Bonjour set up. They don’t…. although I bet I’d find another iChat user before I found a Zune user
  27. #30: “Due to a bug in CoreFoundation, these issues are currently difficult to exploit for code execution. Still, certain conditions exist that make it possible under certain circumstances.” So you’re saying that there are bugs but those bugs can’t be exploited because of other bugs?

I’m frustrated and disappointed. A month of these things and a mere handful which really seem like anything to worry about. If there are more, please tell me, I’ll happily admit I’m wrong. But if one of the goals of MOAB was to get average users to realize there are a lot of security problems with OS X… well, I came away feeling more like “They couldn’t even find enough to fill a month.” Maybe I’m wrong, but at the end of the day, I still feel like OS X is pretty secure, especially compared to Internet Explorer, which could compromise your system even if you didn’t use it. Admittedly that was a while ago, but the level of danger of running OS X compared to Windows seems low. Not zero, but very low.

Update: I use Opera, which doesn’t even think about loading DMGs. And I have turned off the setting in Safari in case I’m ever using that when someone tries to hijack it. My point is 1) that if you have been paying attention at all, you have heard that you should turn this off, and 2) this needs to be turned off in Leopard.

See also: