Oracle to release pre-patch notifications; Drama from MOAB.
Two interesting things to comment on:
First: Oracle is following Microsoft's lead with a pre-patch notification. These notifications include:
- Number of Patches and Number of Fixes
- Applications and Versions affected
- Highest CVSS Score
- Number of Remote Unauthenticated Exploits
- Number of local Client Side fixes
The January 2007 edition is now available.
Secondly, it seems there have been some interesting activities spurred by the MOAB project. Apparently some "enterprising" individuals were scanning the directories where the new MOABs were being posted. To put a stop to this, LMH put up a backdoored exploit ( Article 1 | Article 2 ). I'm not sure I'm impressed with this... After reading LMH's blog post on the subject and seeing the line, "It's just that you've been caught doing a rather unethical business.", I would say that backdooring the "pre-release" file is much worse. There are those who would say that putting something on a public website, whether or not you provide a link to it, makes it publicly available. If you don't want people to have it, don't add it to the website. In the first article I linked, there was mention of MOAB saying, "We didn't install it, the user did"... and, as the first article says, this is how plenty of malware spreads... Blaming the user is just wrong.
MOAB in general has reminded me of two kids at a playground fighting over whose toy car is shinier... I had expectations when the project started... bugs in various OS X core components, bugs in software produced by Apple... Yet what are we seeing released? Multi-vendor, multi-platform bugs... That doesn't demonstrate the insecurity of Apple... That doesn't demonstrate the insecurity of OS X... that demonstrates the insecurity of third-party products... The Mac zealots argue that this isn't hurting OS X's security reputation... In a way I agree... It's like saying a vulnerability in WinZip is a Microsoft vulnerability... Yes, there have been OS X bugs... yes, they have been legit... but this is just a pissing contest now, and it's one I'm getting tired of.
I, for one, would like to see an end to the MoXB (X = Anything) projects... MoBB was cool... it introduced new and exciting things, and it was the first time it had been done... MoKB was interesting at first... but quickly lost my interest... WoOB failed before it even started, and MoAB has been a disappointment as well... These projects aren't benefiting anyone anymore... at most they are stroking people's egos.
About the backdoored “pre-release,” I can’t say I agree with what LMH did but neither do I agree with what those “enterprising” individuals were doing. LMH just applied the “eye for an eye, tooth for a tooth” principle, and he didn’t do anything malicious per se… And he’s right in saying that they voluntarily installed his software (which had not been linked to, and even if it was on a public server only those who were doing something unethical themselves found the backdoored exploit) – it’s not like he actively attacked their systems.
I also think that MoAB is an interesting project (along with the other MoXB) because it has brought a few zealots down a notch and at the same time it’s teaching people like me what kind of things to look for when trying to find bugs in OSs or software. Looking at Landon Fuller’s patches is also quite interesting, because they show how those specific vulnerabilities can be patched (but the techniques used may be appropriate elsewhere).