
A Month of Apple Fanboys

The Month of Apple Bugs has barely begun and the Apple fanboys are already hysterical, their behaviour more of a news item than the bugs themselves. It's also a wake-up call for potential switchers.

There's no question about it: Apple have an operating system irretrievably superior to Microsoft's, and when it comes to turnkey convenience, elegance, and ease of use no one will ever beat them.

And although there have been mishaps in the security sector, Apple's record is fairly intact. They may not have the solid routines Microsoft have, but then again no one else does either: no other system can possibly galvanise like leaky Windows.

Apple's biggest gaffes have been with systemic design flaws rather than isolated coding errors. The 'Opener hole' was dismissed as irrelevant by Apple for years before finally being closed in April 2005 and the 'input managers hole' was only recently recognised after years of complaints flooding the company's inboxes.

But anyone who's worked with Apple can attest to the fact that Apple do in fact take security very seriously, keeping in close contact with bug reporters, even nagging them to keep testing code improvements, and so forth. For a company not used to grappling with the issues Microsoft are plagued with, this is fair praise.

It's another matter with Apple's notorious fanboys, that infected appendix that means so much to the Apple balance sheet but in so many ways is an embarrassment for the corporation. It doesn't build good PR to have people running around threatening and harassing journalists because their opinions are not the same as everyone else in the 'think different' community.

And it's mostly frustration with the fanboys and their leaders - the likes of John Siracusa and John Gruber, to name but two of the most unsavoury examples - that's prompted security guru Kevin Finisterre and the mysterious 'LMH' to initiate a 'Month of Apple Bugs', providing a new Apple advisory every day for the thirty-one days of January 2007.

Apple Fun

Kevin and 'LMH' are running their project through the Blogspot URL http://applefun.blogspot.com/ and the Info-pull URL http://projects.info-pull.com/moab/. Their project mascot is pictured at right.

In an attempt to explain their project, Kevin and 'LMH' offer the following.

'This initiative aims to serve as an effort to improve Mac OS X, uncovering and finding security flaws in different Apple software and third party applications designed for this operating system. A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple. Also, we want to develop and provide tools and documented techniques to aid security research in this platform. We had fun working on it and hope people with a brain out there will enjoy the results.'

But it didn't take long for the fanboys to draw their covered wagons into a circle.

Fanboy Hysterics

Already on 20 December John Martellaro of The Mac Observer published an editorial entitled 'A Month of Continuous Foolishness'.

'Sooner or later you're going to hear about a project by two fellows to bypass the normal channels of security bug reporting and openly publish previously 'undocumented' security bugs in Mac OS X every day for a month', Martellaro wrote, adding 'so when you read about this, the best thing to do is feel sorry for these wannabes and move on to the next story.'

Martellaro is particularly hysterical when he proffers 'the supposition that there are some people who take the security of Mac OS X more seriously than the BSD professionals and Apple engineers is stupendously arrogant and self-serving'.

The fanboy constituency at Slashdot have also short-circuited over the event.

'This isn't a problem because it has been proven that only Windows can get viruses. Therefore, because it's not possible for viruses to spread with MacOS, security threats are irrelevant', writes one fanboy.

'The end result is decreasing the overall security or [sic] computing. It serves no one except the researchers who are showboating and being irresponsible', writes another.

Surprisingly the likes of John Gruber are for now standing on the sidelines and waiting to see how the dust settles, perhaps due to previous skirmishes with the security community that did not turn out favourably.

Grand Opening

And so on New Year's Day the project began - and with quite a bang at that. The first of the 'thirty-one' concerned Apple's QuickTime 'RTSP' handler.

By supplying a specially crafted string (rtsp:// [random] + colon + [299 bytes padding + payload]), an attacker could overflow a stack-based buffer, using HTML, JavaScript or a QTL file as the attack vector, leading to an exploitable remote arbitrary code execution condition.
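A defender reading the advisory would want to spot such links before QuickTime ever sees them. The following is an added example, not code from this article or from the MOAB project: a small scanner for HTML, JavaScript or QTL content that flags rtsp:// URLs whose segment after the host colon is long enough to match the padding the advisory describes. The function names, the constructed samples and the use of 299 as a threshold are this example's own assumptions.

```python
import re
from typing import Dict, List

# Threshold taken from the advisory's description of the crafted string
# (299 bytes of padding after the colon); tune it for your own environment.
SUSPICIOUS_TAIL_LEN = 299

# Matches an rtsp:// URL up to the first whitespace, quote, angle bracket or paren,
# which covers href/src attributes, JS string literals and QTL embed elements.
RTSP_URL = re.compile(r"rtsp://[^\s\"'<>()]+", re.IGNORECASE)


def rtsp_tail(url: str) -> str:
    """Return the part after the first colon following the host (port/path),
    or '' if the URL has no such colon."""
    rest = url[len("rtsp://"):]
    _host, sep, tail = rest.partition(":")
    return tail if sep else ""


def find_overlong_rtsp_links(text: str, limit: int = SUSPICIOUS_TAIL_LEN) -> List[Dict[str, object]]:
    """Scan page content and report rtsp:// links that look like the crafted string."""
    findings = []
    for m in RTSP_URL.finditer(text):
        url = m.group(0)
        tail = rtsp_tail(url)
        # Flag an overlong post-colon segment, or an overlong URL overall so that
        # a variant which omits the colon is still reported.
        if len(tail) >= limit or len(url) >= limit + len("rtsp://"):
            findings.append({
                "url": url[:60] + ("..." if len(url) > 60 else ""),
                "tail_len": len(tail),
                "offset": m.start(),
            })
    return findings


# Constructed samples: a benign stream link, a QTL-style embed and a JS string.
BENIGN = '<a href="rtsp://media.example.test:554/live/news">news</a>'
CRAFTED = '<embed src="rtsp://x.example.test:' + "A" * 320 + '" autoplay="true">'
JS_SAMPLE = 'window.location = "rtsp://h.example.test:' + "B" * 299 + '";'

if __name__ == "__main__":
    for sample in (BENIGN, CRAFTED, JS_SAMPLE):
        print(find_overlong_rtsp_links(sample))
```

The same check can sit in a proxy filter or a mail gateway; it is a length heuristic, so treat hits as items to inspect rather than proof of an exploit.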

The Washington Post's Brian Krebs was not late to try it out.

'I am far from an expert on OS X, but the test exploit link I obtained from LMH launched QuickTime on my test OS X Tiger system and then quickly crashed the application. When I manually relaunched QuickTime, it froze the entire computer, and the operating system threw up a message telling me that I needed to restart.'

Krebs speculates further.

'If the advisory is correct, this vulnerability does not strictly rely on tricking the would-be victim into clicking on a maliciously crafted hyperlink. The exploit could be inserted into a video embedded in a web page, one that loads automatically when the user visits the site. It also can be invoked inside of Macromedia Flash code or through JavaScript commands.'

'Drive by' pranks could be but a street corner away.

Copyright © Rixstep. All rights reserved.