Researchers Plan Campaign To Flag Apple Security Flaws

The "Month Of Apple Bugs" campaign is slated to kick off Jan. 1 with a remote code execution bug and at least one exploit. In addition to flaws in the Mac OS X kernel, the project will feature vulnerabilities in Apple applications such as iTunes and Safari and popular third-party applications, a security researcher who goes by the name "LMH" told CRN in an e-mail interview.

LMH was the driving force behind the November "Month Of Kernel Bugs" project, which highlighted vulnerabilities in Apple, Netgear, D-Link and Broadcom products, as well as those of other vendors. He will be joined in the Month Of Apple Bugs effort by Kevin Finisterre, a security researcher who has discovered numerous vulnerabilities in Apple products, including the Inqtana worm, which spread through a vulnerability in Apple's Bluetooth software.

The purpose of publishing information on Apple vulnerabilities is to "clear the air of the idea that Macs are rock solid" when it comes to security, Finisterre said. "For whatever reason, Mac users think they are wearing a suit of armor. Take a peek at one of the 'I'm a Mac, I'm a PC' commercials. Smugness is the only word I have for it," he wrote in an e-mail to CRN.

Apple couldn't be reached for comment on the project.

Solution providers said they're aware of the Month Of Apple Bugs project but don't expect it to put a major dent in Apple's security reputation.

"From a customer perspective, obviously we have to address it because people are going to be concerned," said Michael Oh, president of Tech Superpowers, a Boston-based Apple specialist. However, Oh said he doesn't plan to significantly change his approach to deploying Macintoshes in the field or advising customers on how to protect their systems.

Most Mac users are well-aware that the Mac's security reputation stems in part from its relative lack of market share vs. Windows, Oh added. "As much as the Apple community loves to feel secure, we're not fooling ourselves," he said.

Marcial Velez, president of Xperteks Computer Consultancy, New York, said the Month Of Apple Bugs project will likely boost awareness that users must consider taking steps to create a more secure environment, regardless of their computing platform.

"Just having a Mac is a step in the right direction, but no one should just stop at that. Everyone should consider creating layers of security within the entire network," Velez said.

Apple security proponents often cite the relative dearth of OS X bugs in the wild as proof that the Mac is a more secure platform than Windows. However, Finisterre said he and other security researchers had exploits for the OS X Mach exception ports vulnerability for about eight months before it was patched by Apple in late September.

LMH and Finisterre said they don't plan to inform Apple about the new vulnerabilities before going public with details. "We would rather just get these out of the way and let Apple deal with them on their own terms. The communication process with Apple can be like pulling teeth at times," Finisterre said.

In late November, a team of security researchers announced plans to launch a Month Of Oracle Database Bugs but called off the effort a few days later without explanation. Although it's unclear if Oracle took action to stop the project, LMH doesn't expect Apple to try to shut down his project.