Wednesday, January 13, 2010

Security FAIL:
When Apple Deserves A *WAKE UP!* Slap

Apple are pulling an 'Adobe'. Got a security problem? Sit on it.

Even worse, there's already a solution! So are Apple (A) OBLIVIOUS, (B) LAZY, (C) STUPID or (D) DGAS? Any one of the above is worth a good *WAKE UP!* slapping.

Here is the story, as presented by SANS in their NewsBites newsletter, Volume 12, Number 3. (Emphasis is mine):

--Proof-of-Concept Code Posted for Mac OS X Flaw
(January 8 & 12, 2010)
Proof-of-concept exploit code for a vulnerability in Mac OS X has been posted on the Internet. The buffer overflow flaw affects versions 10.5 and 10.6 of the Apple operating system and can be exploited remotely. The flaw lies in the libc/gdtoa code in a variety of software products. Apple has known about the vulnerability for seven months, but has not fixed it yet. It has already been fixed in OpenBSD, FreeBSD, NetBSD, Google and Mozilla.

Why is this inexcusable? Because Apple incorporates code from FreeBSD and OpenBSD into Mac OS X, libc included. IOW, it is almost as easy as CUT & PASTE to repair this security hole in Mac OS X.
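If you want to check whether the libc you are running chokes on the kind of input this flaw is about, the number-conversion routines can be prodded directly. The harness below is an added example written for this post, not code from the post, from Apple, or from any of the BSDs, and the inputs are constructed stress cases (an oversized mantissa, an absurd exponent, a huge printf precision), not the published proof-of-concept. Each probe runs in a forked child so that a crash inside libc shows up as a reported signal instead of taking the harness down with it.

```c
/* Added example (not from the post, not Apple's or any BSD's code):
 * probe the platform's strtod()/snprintf() number conversion with
 * oversized, attacker-style inputs. Each probe runs in a forked child so
 * a crash in libc is reported as a signal rather than killing the harness.
 * The inputs are constructed stress cases, not the published proof of concept. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define NDIGITS   200000   /* length of the long mantissa handed to strtod() */
#define PRECISION 20000    /* %.*f precision handed to snprintf() */

/* Probe 1: a very long all-digit mantissa, which makes the converter size
 * its big-number scratch storage from the input rather than a fixed bound. */
static void probe_long_mantissa(void) {
    char *s = malloc(NDIGITS + 2);
    if (!s) _exit(2);
    memset(s, '7', NDIGITS);
    s[NDIGITS] = '\0';
    volatile double d = strtod(s, NULL);
    (void)d;
    free(s);
    _exit(0);
}

/* Probe 2: an enormous exponent, which stresses the exponent-scaling path. */
static void probe_huge_exponent(void) {
    volatile double d = strtod("1.0e999999999", NULL);
    (void)d;
    _exit(0);
}

/* Probe 3: the reverse direction, printing a double with a huge precision. */
static void probe_huge_precision(void) {
    char *buf = malloc(PRECISION + 64);
    if (!buf) _exit(2);
    snprintf(buf, PRECISION + 64, "%.*f", PRECISION, 1.0 / 3.0);
    free(buf);
    _exit(0);
}

/* Run one probe in a child; return 1 if the child died from a signal
 * (SIGSEGV, SIGABRT, ...), 0 if it exited normally. */
static int crashed(void (*probe)(void), const char *name) {
    pid_t pid = fork();
    if (pid < 0) { perror("fork"); return 0; }
    if (pid == 0) { probe(); _exit(1); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) { perror("waitpid"); return 0; }
    if (WIFSIGNALED(status)) {
        printf("%-16s CRASHED with signal %d\n", name, WTERMSIG(status));
        return 1;
    }
    printf("%-16s ok (exit %d)\n", name, WEXITSTATUS(status));
    return 0;
}

/* Returns how many probes crashed; 0 on a libc that handles all of them. */
int run_conversion_probes(void) {
    int n = 0;
    n += crashed(probe_long_mantissa,  "long mantissa");
    n += crashed(probe_huge_exponent,  "huge exponent");
    n += crashed(probe_huge_precision, "huge precision");
    return n;
}

int main(void) {
    int n = run_conversion_probes();
    printf("%d of 3 probes crashed\n", n);
    return n ? 1 : 0;
}
```

A clean run prints "ok" for all three probes and exits 0; a child dying with a signal is the thing to investigate, and the same three inputs are easy to feed to any other program whose parser ends up in libc (a JSON or XML reader, a scripting-language interpreter) to see whether the flaw is reachable from the network.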

So what does it take to kick Apple into action? Proof-of-concept code! Let's watch how quickly Apple respond.

Cranial Cogitation:
A lot of people get upset at hackers who FUD Mac OS X, myself included. The thumb-in-your-eye juvenile arrogance some hackers spew is worthy of revulsion. Nonetheless, hackers remain a critical part of the computer community. I look at hackers as part of the essential diversity of the natural world. There is no such thing as a monoculture in nature. Without diversity, any natural system immediately fails. Similarly, without hackers, computer security would FAIL.

So thank you to hackers who take their free time to demonstrate skills in order to improve our computer community. Thank you for kicking Apple in the bollocks when they need it!

The volley is to Apple...

