Month of OSX Bugs

Security researchers LMH and KF will begin a ‘Month of Apple Bugs’ in January of 2007. I have been reading the various articles which have been written around this topic, and a few interesting quotes from LMH stood out, including this one:

“IMHO, Apple should speed up the process, as it takes (a) long time for an issue to get fixed, and more for getting the patch released to the users.”

I have to say that I totally agree with him on this. What LMH should do is a month of bugs for each application which ships with OSX: a Month of QuickTime bugs, a Month of Safari flaws, etc. Now that would be something interesting to see, and probably not very hard to do either. I also have some flaws, reported to Apple months ago, which I will be releasing in January.

5 Comments »

  1. dav Said,

    December 22, 2006 @ 7:42 am

    I find it stupid that you release the advisories before a software house releases a patch. Your work is very good, but please wait until a patch is released.

  2. Tom Ferris Said,

    December 22, 2006 @ 6:16 pm

    I think it's more important for the users to be informed what security flaws affect their system, rather than waiting on the vendor to take 3-8 months to release a patch.

  3. Rob Said,

    December 27, 2006 @ 4:08 pm

    I think the idea of disclosing all those vulnerabilities (no matter what platform or application) arbitrarily and without prior warning to the software makers is horrendously irresponsible, stupid, malicious and self-serving on the part of people who are responsible for those disclosures. I will go even further and add that I don’t see a difference between those people and crackers who use that information for attacking disclosed vulnerabilities.

    There are tens or hundreds of thousands of software users who have no idea that they are being exposed to all kinds of malware just because some underappreciated megalomaniac wants to prove how smart he is.

  4. Tom Ferris Said,

    December 27, 2006 @ 10:03 pm

    Rob,

    Thanks for the comment. Just for the record, all of the flaws which I will soon be releasing have been sent to Apple Product Security. Some of them go as far back as March of 2006.

  5. Rob Said,

    December 29, 2006 @ 6:24 pm

    In that case, I have no objections. The key to a responsible approach to the problem is to give software makers a chance to fix the flaw before anybody else even learns about it.
