Researchers schedule January as ‘month of Apple bugs’
Two security researchers intend to kick off the new year by detailing a range of Mac exploits.
Kevin Finisterre, an independent security researcher, and a hacker known only as LMH, will begin publishing information on vulnerabilities in Apple products on 1 January 2007. Each day they plan to disclose one flaw involving Apple’s operating system Mac OS X or applications that run on the OS. Neither individual plans to notify Apple before publishing the exploits.
Security researcher H.D. Moore started the latest craze for ‘a bug a day for a month’ with a month of browser bugs, which revealed flaws not only in Microsoft’s Internet Explorer, but also in Mozilla Firefox, Apple’s Safari and Opera.
Hmm. I think this is irresponsible, self-serving and disgusting. If their aim was to make computing more secure for users of Apple, Microsoft, Mozilla etc products, they would inform the company in question and give them an opportunity to fix the vulnerability, rather than advertise it to people who would exploit it. Of course, their aim is to sell their services.
I would quite like to see a scenario where a company wasn’t able to fix a vulnerability that these wankers had announced before an exploit was created and doing harm. I’d like then for those who suffered disruption or data loss to sue them.
December 27th, 2006 at 3:33 pm
Er… surely the point of advertising these flaws is to alert users to them. Chances are, if there is an exploit, most script kiddies already know about them and so do the companies (Apple often works on exploits in secret without advising users of the problem before it is fixed).
In fact, usually the only people who don’t know of the exploit are the end-users.
Hardly irresponsible to advise them of the problem. Sure, this is entirely about increasing these guys’ rep, but if the user benefits, what’s the problem?
At least then users know what not to do to get their machine taken over and it puts more pressure on the companies to fix these exploits (if only a handful of people know, what’s the rush?).
January 3rd, 2007 at 11:20 am
OK granted, if the company in question is unaware of a vulnerability, an exploit already exists and there are steps that users can take to protect themselves until a fix is released, then that is fine.
I have my doubts though that a) the general user benefits, because he doesn’t have the faintest idea what vulnerabilities exist, since he isn’t reading the kind of sites where they are reported; b) consultants like LMH care whether they are helping to protect users or are in fact endangering them further.
Call me cynical, but it seems to me that security consultants have no interest in end user benefit whatsoever - it pays their rent that exploits, spyware and viruses exist. Moreover, I’ve no doubt that they’d be quite happy to overplay the threats that we all have to contend with so we’re sufficiently scared to buy their service. That shameless FUD exercise by McAfee is a case in point.
I’d rather they just quietly worked with software developers to improve their products.