MoAB Is My Washpot
Two hackers wanted to show the world that Apple’s much-vaunted operating system wasn’t as secure as it was cracked up to be. The Month of Apple Bugs (MoAB) ran from 01-Jan-07 to 31-Jan-07, with the final day promising a future serious bug. Instead, they may have turned the Mac smugness dial up a notch.
MoAB backers “lmh” (who does not reveal his or her real name) and Kevin Finisterre appeared to want to tweak Mac users, who often revel in the so-far absence of attacks on Mac OS X that are plausible, persistent (not quickly patched), and spreadable. In particular, the pair appear to take issue with the zealots and “fanboys” who, when presented with credible information that shows Apple or Mac OS X in a bad light, reject it out of hand. But lmh and Finisterre also seemed to have a chip on their shoulders before, during, and after MoAB.
The coincidence of the abbreviation MoAB and the biblical figure of the same name led me to Jeremiah 48:29-30: “We have heard of the pride of Moab, pride beyond bounds: His loftiness, his pride, his scorn, his insolence of heart. I know, says the Lord, his arrogance; liar in boast, liar in deed.” (More famously, the poetry of Psalms disses the people of Moab by stating, “Moab is my washpot,” Psalm 108:9, indicating a thing of low esteem, fit only for holding water that has cleaned one’s feet – it’s also the title of Stephen Fry’s excellent autobiography.)
Now that seems a little harsh. The original Moab was a problem, no doubt, but this MoAB wanted to shake the Apple tree a bit, perhaps with too high an aim. I suspect the developers had a set of exploits up their sleeves, but hoped that other folks would come forward with goodies they’d been saving up, and no such luck emerged.
The zealots and fanboys that lmh and Finisterre railed against aren’t strawmen. They exist. In fact, we at TidBITS occasionally get email from them, too. But it’s clear that the vast majority of Mac users have better things to do than violently defend the platform and company against legitimate criticism. If anything, the average Mac user may have too great a belief that Mac OS X is completely secure, especially in contrast with Windows XP.
However, it seems that MoAB may have unintentionally given more ammunition to the extremists in the Mac faith, while making the larger community even more blasé. None of the bugs released had any real potential as a vector – spreading from computer to computer as a worm through an Internet- or LAN-exploitable flaw – and as far as I have seen, no in-the-wild exploit was released for any of the bugs, despite the fact that MoAB refused to notify Apple or third-party developers before releasing the bug details to the public.
As of last week, Apple and the other developers who had exploits posted against their products had released updates for all but one of the flaws. Timothy Luoma posted a rundown of his disappointment with the outcome of MoAB. The Macalope weighs in with his own, slightly surprised discomfiture at not seeing more serious attacks released. (The remaining Apple flaw relates to Software Update, which could be exploited by a local user or a malicious Web site visited via Safari with default download options checked.)
In fact, MoAB revealed one of the best aspects of the larger Mac developer community: generosity. Landon Fuller took it on himself to release patches to the vulnerabilities revealed at MoAB and ultimately received help from many others. While he couldn’t fix every problem completely, nor do so on the same day the exploit was released, he and his colleagues had a remarkable track record.
MoAB received the most criticism about its disclosure policy – the authors said that typically no notice was given to Apple or affected companies before they posted the details of their exploit. They wrote, “‘Responsible disclosure’ exists when the vendor doesn’t deploy any harmful tactics against the source of the vulnerability reports, and requires confidence by all parties involved. At the moment, we don’t trust Apple on these matters due to the track [sic] of incidents and unpleasant situations surrounding their policy on product vulnerability handling.”
(Oddly, they offered to give only Fuller a heads-up each day in advance of the public; he declined, in a transcript the MoAB backers posted, to avoid the “appearance of collusion,” since he enjoyed demonstrating that exploits could be fixed without any insider or advance knowledge about them.)
Apple has, at times, been criticized for its lackluster response to serious exploit reports, or its long delays in responding to known problems. But I haven’t heard that criticism lately, with one exception. The MoAB project is clearly referring to how Apple allegedly treated David Maynor and Jon Ellch, two researchers who seem to have gotten stuck in a trap partly of their own devising. (We covered this in a series of articles we dubbed “To the Maynor Born: Cache and Crash” from August 2006 to January 2007.)
The short story is that Maynor and Ellch appeared to have said that they had a successful root exploit for Mac OS X, relying on a flaw in Wi-Fi handling that required a proximate user to launch the attack. Maynor and Ellch were apparently never allowed to release their proof directly, and Apple patched flaws similar to those described, but which Apple claimed were not based on any specific information provided by the two. In the security note accompanying the Wi-Fi fixes, Maynor and Ellch weren’t acknowledged.
It’s unclear whether the facts will ever be untangled in that case, and it appears that few people outside of Maynor, his employer, Apple, and Ellch have all the facts to make a judgment. Thus it’s always frustrating to me to see unrelated parties make the assumption that Apple “deploy[ed] harmful tactics” when what happened is rather ambiguous.
In contrast to the Maynor/Ellch situation, even with no disclosure, Apple apparently decided lmh and Finisterre played by the rules, and MoAB and the two were credited in the several bugs that Apple has patched (see related story, “Security Update 2007-002 Squashes MoAB Bugs”).
What did the “pride of MoAB” lead to? Not much. I, for one, am fully aware that the possibility of a true, widespread, system remote exploit of Mac OS X remains. And almost all MoAB’s exploits required either (or both) an attacker with local access or a computer owner who engaged in unusual behavior, such as downloading and opening an unknown file.
It’s a testament to the Mac community as a whole that MoAB’s irresponsible disclosure, coupled with childish taunts and tactics, was met with quick, civil responses by Apple and the other Macintosh developers. Generosity and cooperation will provide far more overall security than a bunch of ill-mannered hackers.