I suppose most of you have already heard or read about MOAB – The Month of Apple Bugs, a project initiated by LMH and Kevin Finisterre (the guys that already held the Month of Browser/Kernel Bugs). They publish vulnerabilities of Mac OS X or other Apple software and other apps for Mac OS X (like VLC, OmniWeb) together with 0day demo exploits before informing Apple. There is some controversy about whether this is the right way to disclose serious security issues before Apple has a chance to react and provide bugfixes. I personally like it and think it’s a chance for Apple to strengthen security in Mac OS X and promote it as a feature. I can also understand LMH’s and Kevin Finisterre’s frustration about Apple reacting on bugreports, I also submitted several bugreports and one of them is still open – for 1 1/2 years by now.

Some of the vulnerabilities are really serious so some guys formed a group moabfixes to write patches for these exploits using the Application Enhancer utility which gives the ability to manipulate applications running in Mac OS X. Funnily enough, today’s MOAB vulnerability MOAB-08-01-2007 was found in even this app (Application Enhancer) and the authors of MOAB strongly advise users to stay away from it. Obviously they dislike the team of moabfixes surrounded by Landon Fuller to fix the bugs and steal some attention.

To refer to the post title and the keynote in about 10 minutes again: I am pretty sure Steve Jobs will mention the Month of Apple Bugs project as a sidenote (in the way he always mentions current news in the days before keynotes – making a joke about it), but I wish he will take it seriously this time and give a statement on Apple’s security measures and plans regarding software security and Mac OS X.

Lets see. cordney*

The NSA helped out Microsoft in developing Windows Vista security features as the Washington Post reports. According to Microsoft, who confirmed the report, there was a “red team” who did penetration tests on Windows Vista and a “blue team” who guided system administrators of the Defense Department.

Of course it looks suspicious if the worldwide market leader (how they got there is another questions?!) cooperates with the worlds largest intelligence agency in security measures of it’s upcoming operating system (backdoor?).

Read yourself and think what you like:
Report: For Windows Vista Security, Microsoft Called in Pros, Washington Post

Yesterdays Mac OS X 10.4.8 update and security update 2006-006 for Max OS X 10.3.9 fixes a dozen security issues in the following system components:

- CFNetwork
- Flash Player
- ImageIO
- Kernel
- LoginWindow
- Preferences
- QuickDraw Manager
- SASL (Simple Authentication and Security Layer)
- WebCore
- Workgroup Manager

Apple: About the security content of the Mac OS X 10.4.8 Update and Security Update 2006-006

Apple recently fixed 4 critical security holes, 3 of them in their own Airport drivers. Various Mac’s were vurnerable to arbitrary code execution by buffer overflows in the Airport drivers and the Airport API used by third-party WiFi software.

Apple: About the security content of AirPort Update 2006-001 and Security Update 2006-005
Heise security: Three critical holes in Apple’s Airport driver

It seems some developers did not read the Developer Documentation properly, especially the topic about security:
[Full-disclosure] NETRAGARD-20060624 SECURITY ADVISORY] [ROXIO TOAST 7 TITANIUM - LOCAL ROOT COMPROMISE ]

In short, your Mac can be compromised locally and in the worst case data being erased because of the use of insecure system calls.

Source: Unsicheres Déjà-vu-Erlebnis unter Mac OS X – heise online (German)