20 zero-day security holes in Mac OS X to be revealed
Charles Miller, a computer security researcher who's worked with the NSA, is planning to reveal 20 zero-day security holes in Mac OS X at CanSecWest, a digital security conference, in Vancouver, BC next week. A zero-day security hole is a weakness in software that the software's maker doesn't yet know about and therefore hasn't patched; attackers can take advantage of it from the day it becomes general knowledge. Miller revealing that Mac OS X has twenty of them makes Apple look like they didn't do the job right the first time and also suggests Apple needs glasses to see what they've missed – and he's not wrong. "Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town," Miller said, suggesting that while both OSes have their security flaws, the Mac OS is safer because of the lack of people threatening to exploit it.
But software is software, and no matter how much more secure Mac OS X is than Windows, it's still bound to have some security issues. I'm all for Charles Miller digging around the OS to find flaws, but come on, if you find them, why announce them to the world and open up a potential new round of attacks? Wouldn't it be better to report them to Apple instead of to the host of hackers that pay attention to CanSecWest? There's no question about it, Apple should have caught these holes in the first place and Miller is right in calling them out on it. But while I understand that public outings go a long way to ensuring that people or companies don't make the same mistakes again, you can call Apple out without showing people – especially the wrong people – the specific cracks in the system.
These security debates always make me laugh.
First, I will say that I totally agree that OS X is not bulletproof, and is certainly vulnerable to attacks. But when I hear all of this stuff about how Apple should be paying more attention to these problems, or how a big attack on OS X is coming soon, I just have to laugh, and here is why:
People keep saying a big attack is coming. Did you hear that? "A" big attack, as in ONE. Wow, that's pretty scary. How many Windows exploits are out there? How many of them could cause serious data loss or steal your personal data? Millions? Yeah, now that I think about it, that one exploit for OS X sounds pretty scary.
Secondly, I remember three years ago, when everyone warned that OS X was going to have some serious viruses or exploits coming out soon, and Mac users were going to have to start using antivirus software soon.
Then, I remember two years ago, when people were saying the same thing.
Then, I remember one year ago, when people were saying the same thing.
Here we are today. How many ACTUAL viruses or exploits do I have on my machine? Zero. In the meantime, I have cleaned up about 4 PCs from family members that have gotten nasty viruses and spyware, and in most cases, reinstalled Windows completely to solve the problem. Some of them lost data.
So, I ask you this, do you REALLY think we'll have a major exploit on Macs within a year? Because three years ago people were sure we would, and two years ago people were sure, and one year ago people were sure...
I can't see how informing just the vendor, or informing the vendor first, is responsible behavior. The people who need to know are those who have bought and are using the affected products, and the only way to do that is to make the information public.
With such information we can fix the problems, implement workarounds or, at the very least, know the risks.
Yes, it's to be hoped that the vendor may eventually move to fix some of the problems. But it's foolish to count on them doing so, especially in any sort of hurry. Remember, they're the folks who botched it in the first place.
Ideally, at some point we'll have laws requiring the disclosure of security flaws (or any flaws, for that matter) in computer software and related products as soon as they become known. Until that time, this sort of open presentation is the best we have.
It's interesting to read these blogs. When a 0-day in a non-Apple OS/app is revealed it's all about how unsafe it is and yada yada. But when a 0-day for Apple is released, it's all about how bad manners it is for the sec. consultant to reveal them. Get with the program Applers, this is the way it's being done all the time, time to exit the glass bubble of sleek design and half eaten fruits.
March 22 2010 at 4:16 AM
Considering that these were zero-day flaws, and considering that NOWHERE (except in the TUAW article, which is just an opinion piece based off a linked article) is it mentioned that Charles Miller has never before released this data to anyone, I'm going to make a wild (read: educated) guess that such an assertion is false.
First: Miller does not have a history of behaving in anything other than a responsible (if egotistical) manner. He's always released exploit information to the software vendor first, and after an appropriate time period (in which a patch can be developed), he releases it to the public.
Second: CanSecWest is taking place almost exactly 7 months after the latest iteration of OS X was released. That's 7 months for ANYONE ELSE to find and exploit any of these flaws. If Apple indeed hasn't been notified (I sincerely doubt this) and hasn't managed to find the vulnerability itself, it's almost guaranteed that someone (a "hacker" or a security consultant, doesn't matter) HAS, and has done something about it. Making the information "public" (CanSecWest is hardly a walk-in event) isn't going to have a resounding negative effect.
"...and no matter how much more secure Mac OS X is than Windows..."
You might want to re-think that statement. I'm sure Steve will blame it on Flash or something else though. I'm also sure it will take at least 2 months to get the holes patched.
It's always hilarious to see that the osx users- like me- that NEVER have nary any issue running our machines are somehow in computing dreamland.
So if I say, like: "My Mac runs flawlessly, as did all my Macs for the past 10 years, and I'll never give this up for winblows."
The typical dick reaction from the smart asses is:
"You smug osx users, thing you have some bulletproof os, well its not u wait one day so we chumps can post to these blogs more insulting tirades and laugh at you. Then you will see the light, and apple will fall. Cant wait!"
Just Pathetic™.
dude, please go buy a winbox. You are practically saying it yourself.
Charlie Miller reminds me some of Barney Fife and his over-developed sense of self-importance.
March 21 2010 at 2:28 PM
@sam.durbin
Get your "facts" straight.
Microsoft was the fastest to fix the bugs, while Apple was the one who took quite some time to get them fixed.
http://www.internetnews.com/security/article.php/3667201
"The report found that Microsoft Windows had the fewest number of patches and the shortest average patch development time of the five operating systems it monitored in the last six months of 2006."
"Symantec found 43 vulnerabilities in Mac OS X and a 66 day turnaround on fixes. "
If this is anything like the previous two occasions, Apple will release the OS update just before the vulnerabilities are announced.
March 21 2010 at 8:46 AM