Sunday, January 07, 2007

Security project focuses on Apple

Two security researchers are spending the next month publicising bugs in Apple's OS X operating system and programs that run on it.

The plan is to only publicise flaws that have never been found before.

The two hackers behind the project also propose to produce working code that can be used to exploit any loopholes they find.

The pair said they will be revealing problems that range in importance from the trivial to the critical.

Bug tracking

Describing the project on their blog, Kevin Finisterre and hacker LMH said their work was not driven by malice.

Instead, they said, highlighting problems and getting them solved would "improve" OS X and many of the programs that run on it.

"A positive side-effect, probably, will be a more concerned (security-wise) user-base and better practices from the management side of Apple," wrote the two researchers.

LMH told the BBC News website that enough bugs have already been found, including some extra ones as back-up.


The project started on 1 January and the first discovery was a flaw in Apple's Quicktime video software and the way it handles a particular protocol.

Exploiting this bug via a booby-trapped webpage would let attackers install malicious programs on a target machine.

The attack is designed to work on Intel-based Macs and can also be used to attack PCs running the Windows version of Quicktime. The flaw is found in version 7.1.3 of Quicktime.

LMH said there had been a variety of reactions to the project from Apple users.

He said: "We have had nonsense personal attacks, delusional responses, some people liked it, some Mac users giving thanks over email, others sent bugs."

Another response has come from former Apple employee Landon Fuller who has set up an unofficial project to patch the bugs found throughout January.

Writing about his project on his blog, Mr Fuller said: "If I have time (or assistance), I'll attempt to patch the other vulnerabilities, one a day, until the month is out."

In an e-mail to the BBC he said: "My run-time patches are band-aids, in that they wrap and protect the vulnerable code. Apple will actually fix the bugs."

Apple has yet to issue an official statement on the project. It is not known if it will produce official fixes or patches.

But LMH told the BBC News website that he expected Apple to respond and produce official fixes.

"They may be dysfunctional at some points but they will catch up sooner or later," he said.

Similar projects have previously been run to find bugs in web browsers and in the kernels, or cores, of several operating systems.
