The Month of Apple Bugs project—a follow up to a Month of Kernel Bugs and A Month of Browser Bugs—vowed to release details of bugs and securty exploits in Apple’s Mac OS X operating system and popular Mac OS X applications…and the project is off and running, publicizing the details of a possible security exploit in Apple’s QuickTime software by overflowing buffers with specially crafted
rtsp:// URLs. The bug impacts QuickTime 7.1.3 for both Mac OS X and Windows.
The Month of Bugs projects have been the center of some controversy; many software developers and security analysts feel it is irresponsible to publish the details of working security vulnerabilities in widely-available software, arguing that only feeds the ever-active malware communities lurking on the Internet’s dark underbelly and the possibility of real-world exploits. The responsible thing to do, they argue, is report the issues to the software vendors and security agencies, and publicize the details only when a patch or fix is available.
On the other hand, the “report and keep quiet” methodology rubs some people the wrong way: if their computers are vulnerable, they want to know the details now, regardless of whether a patch or fix is available, so at least they know what they’re up against. The participants in the Bug a Month projects—such as the “mysterious” programmer operating under the tag “LMH”—have also expressed frustration at the amount of time software developers like Apple and Microsoft take to patch seemingly trivial vulnerabilities.
In any case, it would appear that Apple’s Mac OS X and key applications—certainly not immune to security problems but thusfar spared the malware pain of the Windows world—are under a very public microscope.