Microsoft may not be the only software company that uses secret techniques to make its own applications work better with its operating system - a Mozilla Firefox developer has discovered similar practices at Apple.
While looking for ways of speeding up the performance of the upcoming Firefox 3 browser, developer Vladimir Vukicevic said this week that he came across dozens of secret tweaks built into WebKit - the software at the core of Apple's own Safari browser.
Separately, security researchers said this week they have found a way of locally bypassing the security of Mac OS X's Keychain password system.
Vukicevic was able to use a publicly documented technique to get the efficiency gain he wanted, but noticed that WebKit has its own, undocumented way of getting around the problem.
"Apparently, there is a way to do this programatically, along with some other interesting things like enabling window update display throttling - but only if you're Apple," he wrote in a blog post. "All these WebKit methods are undocumented, and they appear in binary blobs shipped along with the WebKit source."
He said there are more than 100 such undocumented techniques in the WebKit library. "Would any other apps like to take advantage of some of that functionality? I'm pretty sure the answer there is yes, but they can't," he wrote.
Safari is based on open source software, but the concealments are a demonstration that that Apple isn't fully committed ot open source, Vukicevic argued.
"Despite my frustrations with Linux, this type of hiding isn't really possible in a real open source environment," he wrote. "I don't think this is malicious, it's just an unfortunate cutting of corners that is way too easy for a company that's not fully open to do."
David Hyatt, a WebKit developer, responded that the undocumented parts of Safari are kept hidden for a reason.
"Many of the private methods that WebKit uses are private for a reason. Either they expose internal structures that can’t be depended on, or they are part of something inside a framework that may not be fully formed," he wrote on Vukicevic's blog. "As you yourself blogged, there was a totally acceptable public way of doing what you needed to do."
Separately, Apple confirmed a security bug that could allow local users to get access to a Mac OS X user's passwords.
The problem was discovered by programmer Jacob Appelbaum, one of the researchers who last week published methods for cracking hard disk encryption systems.
The password problem, which is specific to Mac OS X, is down to a programming error that stores the user account password in the computer's physical memory even after it's no longer needed.
That means the same techniques published last week for extracting the key to an encrypted filesystem from a computer's memory chips can also be used to extract the account password from a Mac's memory, Appelbaum said in a CNET News.com blog.
The problem is only exploitable by an attacker with physical access to the machine, but its scope is serious - it could allow access to OS X's Keychain system, which also stores passwords for online accounts, wireless networks, websites and the like.
Apple said it is working on a fix to be distributed in an upcoming update.