


  #1  
Old 01-03-2007, 09:37 PM
Botnst
Banned
 
Join Date: Jun 2003
Location: There castle.
Posts: 44,601
Pride goeth before the fall

Dulling Apple's Polish
Lisa Lerer, 01.03.07, 5:36 PM ET

Mac users love to gloat about their bug-free machines. So does Apple, which likes to portray its computers as paragons of cyberhealth. Now, some hackers want to take them down a notch.

Make that 31 notches: A Month of Apple Bugs, a new project organized by two security researchers, plans to expose one flaw in the Mac operating system or Apple software each day in January. So far, the two have published a successful exploit of Apple's QuickTime Version 7.1.3 and in a Mac version of the free video software made by VideoLAN. (When this article went to press Wednesday afternoon, the duo had yet to release a third flaw.)

The two researchers, Kevin Finisterre, founder of security start-up Digital Munition, and his partner, who goes by the pseudonym "LMH," describe themselves as Apple fans who own Mac laptops. They started the project, they say, to improve the system by raising awareness about security dangers. "There are a lot of smug folks that think their Macs are wearing a suit of armor," says Finisterre.

According to the duo's Web site, the QuickTime exploit could install unwanted software on a user's computer by altering the Real Time Streaming Protocol--a communications standard used in media streaming programs. The VideoLAN problem could also open up the computer to malicious programs through a flaw in the program's format string.

The simplicity of the discovered flaws has been surprising, the two say. "Some of the issues are something we wouldn't expect from a company with minimal quality assurance requirements," says LMH, who says he works at Info-pull.com in an e-mail. "It's like going back to the '90s."

VideoLAN developers plan to release a software update soon, according to the project's Web site. Apple wouldn't comment on the project specifically. "Apple takes security very seriously," says spokeswoman Lynn Fox. "We always welcome feedback on how to improve security on the Mac."

Security vendors McAfee and Symantec are less open to the project, believing that it opens up Mac users to new dangers. "They're releasing the vulnerability to the public at the same time as they are releasing it to [Apple]," says McAfee Security Researcher and Communications Manager David Marcus. "That puts users at risk." The ethical way to disclose vulnerabilities, says Marcus, is to inform the computer or software maker first, and give them a chance to publish a patch while crediting the researchers with the find. "Then the vendor fixes it, the researcher gets credit, and no users are hurt," he says.

Other Apple fans agree. "The supposition that there are some people who take the security of Mac OS X more seriously than the [Berkeley Software Distribution, a Unix variant] professionals and Apple engineers is stupendously arrogant and self-serving," wrote former Apple manager John Martellaro, in an editorial on the Apple news site, The MacObserver. LMH says that the project plans to release some of the hate e-mail and "other hilarious feedback" received by the researchers.

Former Apple engineer Landon Fuller published fixes to both problems on his Web site on Tuesday. "Part brain exercise, part public service, I've created a runtime fix," said Fuller, formerly of Apple's BSD Technology Group. Fuller was a major developer of the Darwin port system, an open source operating system that works alone or as a core set of components for Mac OS X.

Over the past year, hackers and researchers have increasingly targeted Apple systems and software. In February, Finisterre released three versions of the InqTana worm, a proof-of-concept worm that exploited a vulnerability in Apple's Bluetooth software. Finisterre says he created InqTana to expose problems in Mac security--the worm posed no actual threat to users. The same month Leap-A, a malicious virus that sent an infected file through Apple's iChat, spread among Mac OS X users.

At a security conference last August, SecureWorks' David Maynor and independent researcher Jon Ellch claimed to discover a flaw in the MacBook's wireless software driver that allowed malicious codes to be run on the laptop.

This isn't the first "Month of" project to sweep the security community. In November, LMH held a Month of Kernel bugs, which exposed several flaws in Apple's OS X operating system. Apple released a security update late in the month that addressed some, but not all, of the vulnerabilities. In July, well-known hacker H.D. Moore ran a Month of Browser bugs, unearthing problems with popular browsers including Microsoft's Internet Explorer and Apple's Safari.

  #2  
Old 01-03-2007, 10:19 PM
Registered User
 
Join Date: Feb 2002
Posts: 2,292
That article sounds like it was ghost written by Apple. These guys set out to find flaws in Apple's software and that's the best they've come up with? Meanwhile, how many viruses, worms, and whatever else have come out for Windows? And that's not even counting the bugs that Microsoft products have before they leave the factory.
