'Month of Apple Bugs' turns up 10 vulnerabilities -- so far

There's more to come, says one of the researchers behind the effort

January 11, 2007 12:00 PM ET

Computerworld - A month-long campaign by two independent security researchers to disclose security flaws in Apple Inc.'s products has so far resulted in 10 vulnerabilities being publicly disclosed -- and several more on the verge of being announced. Exploit information has also been published, along with proof-of-concept code detailing how to take advantage of the flaws, several of which the researchers described as remotely exploitable.

The disclosures are part of a Month of Apple Bugs (MoAB) effort launched on Jan. 1 by independent security researcher Kevin Finisterre and another researcher identified only by the initials LMH.

The goal of the effort, identical in nature to the Month of Kernel Bugs and Month of Browser Bugs campaigns in 2006, is to raise public awareness of security issues in Apple's products, according to Finisterre. "[Apple's] creating commercials claiming to be secure, and the user base feels like they are wearing a suit of armor," Finisterre said via e-mail. In reality, "there's NO lack of bugs on OS X from both an application and platform standpoint."

Finisterre said that while only 10 flaws have been publicly disclosed so far, he "has lost count" of the number of vulnerabilities that have been discovered as part of the MoAB effort. "Finding an abundance of bugs has been no problem at all, [but] not all of them are easily exploitable."

According to Finisterre, several of the vulnerabilities stem from Apple's inadequate documentation for various application programming interfaces (APIs) related to functions commonly used for displaying error messages. "Several developers are misusing the functions and that is leading to potentially exploitable situations," Finisterre said.

Dave Marcus, security researcher and communications manager at McAfee Avert Labs, said that the effort to find Apple bugs appears to be succeeding in raising awareness of security issues on the platform.

But so far, at least, none of the disclosed vulnerabilities appear to be "showstoppers," Marcus said. In fact, the only flaws that appear to be "interesting" are one affecting QuickTime that allows arbitrary code execution and an Adobe PDF flaw that affects multiple operating environments, including Mac OS X, he said. "They are interesting because they affect products that are commonly and widely used," Marcus said.

The decision by Finisterre and LMH to publicly disclose flaws before giving Apple a chance to address them has raised the risk for users, Marcus said. But the efforts by an ex-Apple engineer, Landon Fuller, to issue fixes for each of the flaws being disclosed is mitigating some of that risk, he said.

The flaws vary widely in severity and include both remotely exploitable ones and those that allow a local user to gain unauthorized access to systems, Fuller said. For instance, the buffer-overrun issue affecting QuickTime is a relatively serious flaw. Two other flaws -- a format string vulnerability in a third-party product called OmniWeb and another in a third-party media player -- were also serious, but were quickly fixed by their vendors, he said.
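The API misuse Finisterre describes (developers handing text to error-message functions in a way that "leads to potentially exploitable situations") and the OmniWeb format string bug Fuller mentions are both instances of the same mistake: untrusted text ends up as the printf-style format argument instead of as data. The C program below is an added example and is not code from the article, from Apple, or from any product named on this page; show_error is a hypothetical stand-in for an alert or log API that takes a format string, and does not model Apple's real functions. It shows the misuse beside the correct call, and an audit helper that flags untrusted strings containing format directives.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an error-display API that takes a printf-style
 * format, like the alert/log routines the article says are being misused. */
static int show_error(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Misuse: the untrusted message becomes the FORMAT, so every '%' directive
 * in it is honoured. "%x" leaks stack words, "%n" writes to memory. */
int report_unsafe(char *out, size_t n, const char *msg)
{
    return show_error(out, n, msg);
}

/* Correct use: a fixed format; the untrusted message is only ever an argument. */
int report_safe(char *out, size_t n, const char *msg)
{
    return show_error(out, n, "%s", msg);
}

/* Audit helper: count printf directives in a string that should be plain
 * data, and how many of them are "%n" (the directive that turns a format
 * bug into an arbitrary write). "%%" is a literal percent sign. */
int scan_directives(const char *s, int *writes)
{
    int count = 0, w = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": escaped percent, not a directive */
            p++;
            continue;
        }
        count++;
        p++;                    /* skip flags, width, precision, length */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p))
            p++;
        if (*p == '\0')
            break;
        if (*p == 'n')
            w++;
    }
    if (writes)
        *writes = w;
    return count;
}

int main(void)
{
    char buf[64];
    /* Constructed input containing only "%%", so the unsafe path stays
     * defined behaviour while still showing the format being interpreted. */
    const char *benign = "open failed: 100%% of disk used";
    report_unsafe(buf, sizeof buf, benign);
    printf("unsafe: %s\n", buf);   /* "%%" collapsed to "%": format was parsed */
    report_safe(buf, sizeof buf, benign);
    printf("safe:   %s\n", buf);   /* message reproduced verbatim */

    /* Constructed attacker string. It is deliberately never passed to
     * report_unsafe: "%x"/"%n" with no matching arguments is undefined. */
    const char *hostile = "file %x%x%x %n not found";
    int writes;
    int n = scan_directives(hostile, &writes);
    printf("directives=%d writes=%d\n", n, writes);
    return 0;
}
```

The difference between the two report functions is a single argument, which is why the class is easy to introduce when an API's documentation does not make clear that its first string parameter is a format. A compiler flag such as GCC's -Wformat-security catches the pattern only when the callee is declared with the printf format attribute, so the scan helper is useful for checking inputs at trust boundaries where the compiler cannot see the call.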
