Some of you may have heard about the "Month of Apple Bugs" campaign mounted by some security researchers. It has been covered by a number of mainstream news sources, including the Washington Post, as pointed out in Nick's comment in the Patch your Mac posting. This is not the first event of its kind. August 2006 was the Month of Browser Bugs, November was the Month of Kernel Bugs, and January 2007 is now the Month of Apple Bugs. Should we be worried about this?
Revealing 30 bugs in a product is not necessarily bad. Many of the exploits only provide a proof of concept, not actual code that can be used to exploit a vulnerability. Some flaws would only cause a program to crash; they don't necessarily put your computer or your data at risk. Revealing that these bugs exist does usually lead to them being patched quickly. Some people argue that vulnerabilities should be disclosed privately to the software company, a practice often called "responsible disclosure," giving the company time to release a patch before any public disclosure. However, Microsoft is notorious for taking a very long time to patch issues revealed in this way, and Apple is notorious for denying that any problems exist, but then releasing patches a few weeks later. Whether people support these public bug campaigns or not, the goal is to end up with more secure software.
What does this mean for Emerson? Most of these bugs can only be fixed by the software company, which means we have to wait for them to release a patch. To stay safe, we need to make sure we are always following best practices: keep your software patched and up to date, try to avoid phishing scams, and be careful where you browse. For information, see Computer Maintenance & Security on the Help Desk web site and keep watching this blog for updates.