blog.washingtonpost.com/securityfix/2006/12/january_2007_month_of_apple_bu.html

Coming in January: “Month of Apple Bugs”

A pair of security researchers has picked January 2007 as the starting point for a month-long project in which each passing day will feature a previously undocumented security hole in Apple‘s OS X operating system or in Apple applications that run on top of it.

The “Month of Apple Bugs” project, currently slated to begin on Jan. 1, is being orchestrated in part by a security researcher who asked to be identified only by his online alias “LMH.” This is the same researcher who in November ran the “Month of Kernel Bugs” project. LMH’s partner in this project is Kevin Finisterre, a researcher who has reported numerous bugs to Apple over the past few years.

The current craze for featuring a new bug each day for a specific time period began this summer with researcher HD Moore‘s “Month of Browser Bugs,” which highlighted unpatched security holes in Microsoft’s Internet Explorer, Mozilla’s Firefox, Apple’s Safari browser, and even Opera. With most of the browser bugs, Moore alerted the affected software vendors prior to publishing his findings.

To the chagrin of some security experts, however, LMH declined to give affected vendors advance noticed before posting evidence of kernel bugs on his Web site last month. Eleven of those kernel bugs were related to Apple software and applications, including a serious security hole that prompted a software update from Apple just two weeks later. As with the kernel bugs project, Apple will be given no advance notice with the Month of Apple bugs, LMH said in an interview conducted over instant message.

LMH said that while his upcoming project had the potential to at least temporarily make security more tenuous for the average Mac user, he believes that in the long run the project will improve OS X security.

“Right now, many OS X users still think their system is bulletproof, and some people are interested on making it look that way,” LMH said.

It should be interesting to see whether Apple does anything to try and scuttle this pending project. In November, a researcher who focuses most of his attention on bugs in database giant Oracle‘s software announced his intention to launch a “Week of Oracle Database Bugs” project during the first week of December. The researcher abruptly canceled the project shortly after the initial announcement, without offering any explanation.

By Brian Krebs | December 19, 2006; 9:50 AM ET