Is the “Month of Apple Bugs” coming in January ethical or right?
According to news on the web, January 2007 will be Apple’s busiest month fixing bugs for their OS X operating system; the latest publicly released version stands at Tiger, 10.4. A security researcher, who asked only to be identified as “LHM” online, claims a new bug will be published every day in the month of January and that these bugs have not been publicly disclosed before. More on the story can be found at the Washington Post: Month of Apple Bugs.
But can you take this “security researcher” seriously? I don’t see the point of hiding behind an alias if you want attention, nor do I see the point, if you’re a well-known security researcher, in doing so. If you revealed your identity, it wouldn’t mean that Apple would sue you for stating that OS X Tiger has bugs. No company would do that. Sure, they’d like to talk to you about the bugs before they are publicly disclosed so they can work on a patch internally and release it to users worldwide.
Frankly, I don’t see that it’s ethical to release such security holes into the wild, because they could be exploited if someone wanted to do that. If no warning is given to Apple and the researcher doesn’t contact Apple before the holes are released on the internet, which “he” won’t and has no plans of doing, how does “he” expect Apple to react? Of course they are going to be a bit angry, because they could have actively been working on the fixes in house and then been able to release them in a single patch. Does “LHM” want a new security patch each day, or more than one a month, which to my knowledge Apple has not done yet because there was no need to? If so, that’s unreasonable. No company would push out a new patch every week unless it was seriously critical. It doesn’t make sense from a company’s standpoint because of bandwidth, possible negative press, and the fact that there are still users on dial-up throughout the world for whom a single patch would take hours to download.
I’m not sure what this “security researcher” is expecting Apple to do, nor why he’s being so unethical about it all. If he wanted press and credit for finding the bugs, he’d release his name initially, give a brief but un-exploitable overview of the bugs, submit them to Apple via their security web page, and then, when Apple released the security updates, he would be credited (as are all persons who discover bugs or security holes, in the security update notes).
While I am a fan of Apple, I would say the same thing of Windows, Linux, Solaris, you name it. It’s not right to publicly disclose bugs and cause a headache, as well as possible bad press, for a company. There’s an ethical way of telling Apple about the supposed security holes in their operating system, and the way it’s being done with the “Month of Apple Bugs” in January 2007 isn’t the right way.
Posted: December 20th, 2006 under Apple.
Comments: none