OK, we'll admit to not having been hugely impressed at first by the Month of Apple Bugs website, and the exploits it showed against Apple's OS X - largely because it got off to a poor start, detailing exploits against third-party products.
However, perusing the fixes in Apple's latest security update shows that the MOAB hit the target quite a few times. Of 30 security tightenings in the new code (download it now!), 7 of the fixes relate to MOAB postings (in fact to 9 of the postings, since some attacked the same flaw) while another 4 emerged from the related Month of Kernel Bugs. That's getting on for one-third of the fixes, not all of which apply to the OS X client (MySQL is also in there, which is only officially for the server).
So, let's say it: the MOAB exposed important flaws.
Conclusions? While publicising weaknesses in the manner of MOAB is principally ego, and isn't the done thing among security researchers, they did turn up some interesting gaps in security. Unless someone has had their OS X box hacked in the meantime through those (get in touch, of course, if you have..), the net effect is a stronger OS.
Ryan Naraine at ZDNet has weighs in too:
Apple's marketing department gets a kick out of kicking sand in Microsoft's eye on security but, truth be told, Apple has a long way to go to match Redmond's seriousness around security. This is an issue that was raised almost a year ago by Microsoft's Stephen Toulouse and it's worth repeating.
His top recommendation (of five):
pple desperately needs a security czar to who is empowered to face the reality that there are serious problems with its code quality.
All of which prompts Paul Thurrott to ask: Does the smug stop here?
I don't know, you'd have to read this week's letters to decide.
