MOAB Loses all Credibility on Day Two


You’ve heard the hype…everyday in January…everyday for a FULL MONTH the team at “the Month of Apple Bugs” Project were going to expose a new Apple bug…they started out with a bang…

A Quicktime vulnerability.

Admittedly, that’s a decent start. Then came day two…that’s right 48 hours into the FULL MONTH of Apple Bugs we get the second Apple Bug…

A VLC Media Player vulnerability. Wait…what?

The VLC Media Player? The Open Source Media Player that is available on Windows, Mac OS X, BeOS, Debian GNU/Linux, Ubuntu Linux, Mandriva Linux, Fedora Core, Familiar Linux, YOPY/Linupy, Zaurus, SUSE Linux, Red Hat Linux, WinCE / PocketPC, Slackware Linux, and ALT Linux…THAT VLC Media Player?

You’ve got to be kidding me, right?

Well…apparently not. Now, I’m not saying that OS X is perfect. I’m not saying that Apple is perfect, and I’m not saying that if you tried really hard and were really, really smart that you couldn’t find a month’s worth of exploits in Apple Software…but I am saying this:

If you’re calling your project “A Month of Apple Bugs” then have A Month of Apple Bugs. Don’t come out swinging, and then fall on your ass on day 2. VLC is probably the absolute WORST POSSIBLE APP that you could have “exposed” on day 2. Do you know the ONLY app I can think of that would have been WORSE than this? IE for Mac. That’s it. You are literally that close to the bottom of the barrel.

Now, in their defense on their site it CLEARLY states:

Are Apple products the only one target of this initiative?
Not at all, but they are the main focus. We’ll be looking over popular OS X applications as well.

Now, for me, this is the exact point where it became a publicity stunt. The thing is called A Month of Apple Bugs because the team behind it knows that is a high profile, attention getting claim. Hey, I’m with you guys on Apple being High Profile on the web…but if you can’t follow through with actually having a Month of Apple Bugs…then you are going to get SLAMMED for it. On Digg, on blogs, on forums, in comments, and anywhere else where words can be typed. That’s just the way it is.

Now, the team here has a nice dose of sarcasm on their site, which I both like and appreciate…and I agree that somebody digging in, looking for flaws in Apple products and pointing those flaws out is a good thing. It makes them even more secure than they already is…but there is one bit on the site that makes the hair on the back of my neck stand up…

John Doe has written a ‘post’ in his blog, saying he debunks the XXX bug, what’s that?
No worries. It’s probably someone begging for attention or PR-brainwashed. Like good old Dirty Harry said…

De Georgio: You need any help?

Harry Callahan: Go on out and get some air, fatso.

“Begging for attention” that’s the line that chaps my ass. PR-brainwashed…I’ve seen that…I know it exists…but I don’t know that I’ve ever seen a bigger case of the “Pot calling the Kettle Black” as a team put together with a misleading name that is designed only to gather publicity, taking a preemptive strike against those that might actually call them out for what they are doing.

But you know what the WORST part is? The WORST part? They might actually have some REALLY important vulnerabilities lined up for the rest of the month…but I’m not going to be paying attention…and I don’t think most other people will either…because “exposing” the VLC vulnerability on day 2 throws all credibility to the project right down the tubes.

Am I crazy here? Am I wrong? You tell me…if so, I’ll shut up…

Subscribe to the Apple Gazette RSS Feed and stay up to date with Apple News, Site Contests, and Live Macworld Coverage!


Kossi Adzo

Kossi Adzo is a technology enthusiast and digital strategist with a fervent passion for Apple products and the innovative technologies that orbit them. With a background in computer science and a decade of experience in app development and digital marketing, Kossi brings a wealth of knowledge and a unique perspective to the Apple Gazette team.

31 Comments

Your email address will not be published. Required fields are marked *

  1. No, they lost all professional credibility when they used the word “pwnage” excessively, such as the phrase “welcome to pwnertino” or

    “Workaround or temporary solution

    The only potential workaround would be to disable the rtsp:// URL handler, uninstalling Quicktime or simply live with the feeling of being a potential target for pwnage.

    You’re the PC now, Mac (YTPNM). ”

    You’re the PC now, Mac? Is this a campaign to promote increased security or a anti-Apple PR campaign? I can understand that many hackers live in a world of leet-speak and such, but come on, look professional – it’s not hard.

    Pff, forget it, doesn’t matter. Coupled with this VLC exploit and the other things listed in the original post, I couldn’t care less. And yeah, it IS sad – that if these guys DO have some good vulnerabilities to share that can raise awareness at Apple HQ – most people will still think of the VLC exploit and how badly these guys just made themselves look. Attacking a cross-platform, open source app such as VLC….. pathetic for calling a site “Month of APPLE Bugs”.

  2. No, you’re not crazy, I agree with you 100%. The night is still young, there are many days remaining for them to release serious and legitimate exploits, but you’re absolutely right that their stance looks sad from the perspective of Day 2.

    After Day 1, I was like, “Hmm. This will be an interesting month.” Now after Day 2, I’m wondering how much of a third-party-app-bashing session this will become, which will do nothing but make MOAB look stupid and tick off some developers.

  3. I guess I hang around with a younger crowd, or maybe I just like to pretend I’m down with the young peoples today, but l33t speak like “pwn” doesn’t bother me.

    I do have to say that, after 20, 25 years in the profession that destroyed company dress codes, where wearing a tie has long been considered proof that you can’t code, where I had to grow a pony tail at one point just to fit in with my coworkers, complaining that people don’t act “professionally” just amuses me to no end.

    Now, with that said, they had better come up with some really good bugs or they’re going to look really stupid…

  4. @ Michael H.: It’s not so much the l33t speak itself that bugs me. I play games like Counter Strike, a lot. Gaming is the haven for all l33t speak. Hell, I use the word “pwn” from time to time, written or verbal. It is just the impression they are putting out about themselves that is immature. Security should be about addressing issues and getting them fixed, not an anti apple PR campaign.

  5. So, more paid Swiftboating from M$! Puhleaze! I am happy that Apple software is as superior to Windows as it is, but trying to pin a 3rd party beta shareware inadequacy shared by all platforms on Apple’s OS is truly a cheap shot. FOR SHAME!!

  6. I completely agree with you, Michael. If they’re calling it a month of “Apple bugs”, then expose bugs or problems in Apple software, not third-party cross-platform apps like VLC. The whole project has lost any credibility it had.

  7. @Matt –
    Curiouser and Curiouser… how does one verbalize “pwn”? Do you spell it, like the canonical bored usage of the phrase “El – Oh -El, Dave, El-Oh-El” to represent the facetious use of the online “LOL”, or does one say “pawn” or “pone”? I mean, everyone I know that uses “pr0n” or “prn” in email correspondence started doing so to avoid triggering email filters (since many use free services like yahoo or gmail via corporate proxies), but they still *say* “porn”.

    On topic – You’re dead on, brother. Next they’ll trot out a vulnerability in mplayerOSX. Or Lamenc. I think your discussion and that included in the commentary persuades me that the MOAB site is nothing more than a PR stunt, with little to offer; they’re looking for more bugs that haven’t already been found, and used VLC as filler, IMO.

  8. Ok, I’m not a big fan of month of whatever bugs I think its too much showboating, but at the same time Microsoft has had to deal with third party application’s vulnerabilities being transfered on to their shoulders. Also keep in mind that this is just two days into it and I don’t believe they have all 30 days of vulns stored up so VLC was just the low hanging fruit that may give them time to explore other sec issues more in depth. VLC is a pretty weak bug I’ll give you but it is a popular OS X application so i think its valid.

    Also ignoring all other bugs that come out for apple because you don’t think the first one is “hardcore” enough is, in fact, retarded.

  9. I absolutelly agree !
    I think it is even worse: it is CLEARLY a campaign that tried (tried … once again) to tarnish Apple image in people’s minds … but failed as all previous ones because of an evident lack of real arguments behind the tittle.

  10. For some reason(s) I think this may not be taken all that seriously. Oh, well ok, you twisted my arm.

    1) Anyone with a GED can tell that applegazette.com would obviously be a biased site.
    2) Anyone who has been exposed to computing culture knows of Apple zealots.
    3) Taking the light-hearted “pwn” usage seriously is ridiculous.
    4) Concerning the last para: I’m sure that the industry will ignore bugs released by this project because of the second release… riiight.

  11. I do not understand why you have lost faith with the entire MOAB project. So the VLC media player vulnerability was not an impressive choice; plenty of chances for redemption. Although I wouldn’t suggest you “shut up”, why not wait until the month is over before making a judgment?

    Furthermore, your accusation that MOAB is merely a ploy for attracting attention is overstated. Surely, MOAB is intended to build public confidence in Apple’s software prodcuts and help establish the viability of OS X as a secure and robust platform but it’s hardly qualifies as a “stunt” or even an “advertisement”. MOAB serves the dual purpose of improving, and drawing attention to, OS X.

    If there’s one thing Apple doesn’t need to do, it’s “beg for attention”. If you are going to cry foul at least do so after MOAB is complete.

  12. Surely that headline should read “Apple Gazette loses all credibility with a terribly written and poorly reasoned rant” 🙂

  13. So a bug in third party software is being blamed on the Apple OS itself? Thats not fair!! Oh wait, that has been the case with Windows for better than 10 years. Welcome to the OS market, the more market share Apple gets, and the more third party (I consider open source to be third party) software you get, the more this will happen. The same people jumping on MS in the old days for blue screening on a poorly written third party driver are defending apple for the same set of circumstances.

  14. It’s only day 2 guys. I wouldn’t go starting a victory dance just yet. In fact I think this lame bug is a ruse to get all the Mac fanboys to stick their collective necks out for later when the big guns are brought out.

    There will be some red faces and retractions from the Mac fanboy camp yet.

    Reports of MOAB’s demise are greatly exaggerated.

  15. I just can’t belive that the VLC bug came out the second day in the month of apple bugs, this wont end well :p

  16. @Kevin

    Agreed. Ignoring a severe vulnerability would be retarded. If they find one, I won’t ignore it…but someone will probably have to tell me about it, because I’m not going to be checking their site daily.

    @Bawaaah-huh?

    1) agreed.
    2) agreed, but what’s your point? Anyone who has familiar with ANYTHING knows that there are fansboys. There are Nintendo Fanboys, Star Wars Fanbody, Democrat Fanboys, Republican Fanboys, Sony Fanboys, Apple Fanboys and anything else you can think of…
    3) again, agreed. I don’t take issue with using the term “pwn”
    4) once more, agreed. That was the late night fury talking.

    You should stop by more often, I think we see eye to eye on a lot of things. 🙂

    @Hmmm

    funny how you snarky fellas never leave an email address or name.

    @Tommo

    I don’t think this kind of crap is fair when it happens to Microsoft either.

    @Tom

    If there are some “red faces and retractions from the Mac fanboy camp” they won’t be from this site. As I stated in the article, I’m not saying that Apple or OS X are perfect. If they find a HUGE flaw in OS X or any product on OS X I will gladly report it to the Apple community that reads this site because I want to make sure that they know about it…I’ll be surprised if they do, but mainly because of their terrible planning on because Apple is invincible.

    @ everyone

    I’m glad to see people leaving their opinions here, whatever they may be, keep ’em coming. 🙂

  17. @Arjun –

    I actually responded to your article on your blog…it said my comment had been flagged as spam and was sent to you for moderation…did you get it?

  18. @Micheal

    You said: “If there are some “red faces and retractions from the Mac fanboy camp” they won’t be from this site.”

    You entitled your article “MOAB Loses all Credibility on Day Two”.
    My point is that perhaps you should have waited until day 30 judge its credibility or lack thereof. After all, the headline acts are never on first.

  19. @Tom

    You do make a good point Tom, and you are right, there could be some major things that discover, but my primary problem with the entire MOAB event is the fact that it’s been promoted as a Month Days of Apple Bugs…and they’ve already proven that to be wrong.

  20. Consider this: up until now I’ve never heard of or been to MOAB. But thanks to your post, and Digg, I have.

    Could it be within the realm of possibility that this screwup was planned? Because it’d ruffle the feathers of the mac community?

    Or am I absolutely giving MOAB waaaay too much credit?

  21. Sorry Michael, My Spam Karma was weirdly strict today… purged all of my comments I got… will get back to you.

  22. Sounds like Michael can be described affectionately as a ‘fanboi’. Face reality Michael, it’s an exploit that works on a Mac, therefore it definitely qualifies as an Apple bug. You can also call it a Linux bug, a Windows bug, or whatever operating system is affected bug, nevertheless you can’t deny it’s an Apple bug just because it exists on other platforms.

    By your logic we should exclude yesterday’s bug too since it affects other platforms.

  23. @ Moto

    I disagree, sir. You can call it a VLC bug that affects OS X, Windows, and Linux. If you went by your logic you could even say it’s an OS X bug, which STILL doesn’t make it an Apple bug.

    Apple didn’t make the software so it isn’t an Apple bug. Microsoft didn’t make the software so it isn’t a Microsoft bug either…etc…etc…

  24. Is it ran on an apple os/hardware setup? yes
    Is it a bug? yes

    I fail to see how this is even worth getting upset about.

    Pretty much every exploit out there is accessed via a piece of vulnerable software.

    The OS *by itself* is nearly impervious across the board. Linux and Windows included.

    The main point in OS security is : Can the OS detect this kind of attack and block it from functioning?

    This particular example is done via putting in string data into program text sections. It’s something that the no-execute bit was supposed to prevent. Someone should look into how the OS is handling this ‘data as code’ issue and improve the support for no-ex. (This applies to all OS’s that are affected by this exploit).

    -zade

  25. can we all get along here?

    okay maybe not. it is still sad to read all the comments here. people are nitpicking each others opinion. its an opinion not a fact. but as long as it gets attention on both end of the “issue” then lets get pwned.