I have been reading up on this ubiqutous ‘Month of Apple Bugs’, and in light of this article, I have become increasingly angered with the website. The article on AppleGazette makes very valid points, as to why effectively the MOAB project has lost all of its credibility. I want to state upfront that I’m not writing this as an Apple Fanboy (though I am), I am writing this as a user of OS X and Windows, and various Apple products.
The MOAB project aims to show off a vunerability in Apple products over the 31 days of January. The first bug was understandable, a Quicktime based Buffer Overflow that has a “vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution.” This affects Windows an Mac OS X. This is a real flaw in Apple software, and can allow the execution of malcious code, via this buffer overrun, so it is critical.
The second vuneralibility however is debatable. In my eyes, this flaw is neither OS X, nor Apple. This flaw is based within the popular VLC Media Player. Now lets stop here for a second. VLC? Yes, the cross platform and open-source media player available on Windows, Linux, *nix and other platforms. However you look at it, I have no idea how this is an Apple Bug. Yes remember the title of the project. Other than running on OS X, and the actual vunerability allowing execution of arbitrary code (as with the Quicktime flaw above) which as you can see it would allow execution of code on OS X. But does this mean the problem is anything to do with Apple themselves? NO. Do we blame Microsoft for 3rd party software that has holes in it which can cause Windows to get a buffer overrun? Abosultely not. We blame the software developers. Why should Microsoft (or in this case Apple) deal with an application that they do not develop? It makes no sense. If you call your project ‘Month of Apple Bugs’ then please use Apple bugs, and not an open source software that has the same vunerability in every other distribution!
As AppleGazette pointed out, they do state on their website:
Are Apple products the only one target of this initiative?
Not at all, but they are the main focus. We’ll be looking over popular OS X applications as well.
Yeah they do defend themselves, but for goodness sake, if you create a title, which is then missleading what do you expect people to do? How is an OS X application an Apple Bug. It is only on the same OS. I’ll re-iterate myself: Do we blame Microsoft for flaws in developer ‘x’ software? Hell no. The developer is blamed. It seems that they are only seeking attention by putting Apple and Bugs in the same title. Now don’t get me wrong, I’m all for this. After all publicising vunerabilities helps to get them fixed faster, and thus leading to a more secure application. However I don’t like the other statement on their website:
John Doe has written a ‘post’ in his blog, saying he debunks the XXX bug, what’s that?
No worries. It’s probably someone begging for attention or PR-brainwashed.
Maybe they should have a look at their answer, because when you post titles of the project on social websites like Digg, del.icio.us, forums, etc, people will be miss-lead on what the actual flaws are on. Posting an open-source software bug on the second day is no good way to get started, and with their title it seems like they are the ones begging for attention.
The third vunerability is similar to the first one in that it is a vunerability which allows the execution of arbitrary code through Quicktime, but in Windows. Specifically it is “A vulnerability in the handling of the HREFTrack field allows to perform cross-zone scripting, leading to potential remote arbitrary code execution.” I understand that this is Apple bugs, and again this makes sense, even though the proof of concept “uses Microsoft Text Driver ADODB connection which requires an anonymous FTP login to the exploit location, for an unknown reason“. After all, Quicktime is Apple software. It’s like Microsoft patching flaws in Microsoft Office for Mac.
How many actual flaws do they have that are Apple software / OS X bugs? I would like to know, as it seems to me they have little. Displaying a flaw in an a open-source and cross-platform (Windows & Linux included) which is not even developed by Apple on the second day is really shoddy. I for one am quite annoyed, not for the fact that they are displaying Apple bugs, but because they don’t! Granted we have only seen three, and 2 out of these 3 were Apple software (Quicktime) related. I am saying this for all the Diggers and those alike who like to skim read articles and are a lot of time miss-informed by such things.
Get your act together MOAB, this is not a good start (a pretty bad one at that).