<<< Date Index >>>     <<< Thread Index >>>

Re: Mac OS X vulnerabilities ['Virus checked"]



In-Reply-To: <20031029180349.GA85446@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>


@stake's policy has been the same since June, 2002 which was its last revision. 
 Our policy is in line with the OIS guidelines.  Assuming Mac OS X 10.2 is 
supported, Apple is not following the OIS guidelines which require a vendor to 
release a remedy for *all supported platforms* and to make an effort to deliver 
them simultaneously.


From: http://www.oisafety.org/reference/process.pdf

7.1.4

The Vendor shall ensure that a remedy is available for all supported products 
affected by the Flaw

7.3.9 

If multiple products or versions are affected by the Flaw, the Vendor shall 
exercise reasonable efforts to simultaneously deliver all remedies.  


It may come as a surprise to many people on the list that the OIS guidelines 
require/recommend vendors to do a lot of things that many vendors do not do now 
and are very good for customers.

When we reported these issues to Apple they told us that they would have them 
fixed in the Panther release timeframe.  To be honest, I assumed there would 
also be a patch for 10.2.  We certainly didn't dictate any specific way of 
releasing the fixes.  

The DMG file issue was reported in June, 2003 and the core overwrite issue was 
reported on 7/25/2003.  I don't have a recorded notification date for the long 
argv issue.

Whether or not a vendor makes a customer pay for a security remedy is a 
business decision but they should make it clear that they are not supporting 
older versions if they are not releasing free patches for them.  I think 
security fixes should be separate from feature updates since new features often 
introduce new vulnerabilies.

Cheers,

Chris



> Adam Shostack wrote:
>
>@Stake is being pretty up front that they are moving far away from
>full-disclosure.  Weld has been up-front and vocal about this shift
>and the reasons for it.
>
>It seems fairly clear that DaveG reported these issues to Apple (along
>with many others over the past while), and for this subset of the
>DaveG issues, Apple said "these are complex to fix, we'll get to them in
>the next major release."
>
>Which is roughly where we were 10 years ago in some ways: Vendors got
>bug reports, and as much time as they wanted to fix the issues.  If
>there's independent rediscovery of issues (and I think for some of
>these, that's likely), then customers are SOL as the issues are
>exploited.  On the plus side, 10 years ago, vendors might have said
>"fixed security issues," without enumeration or acknowledgment.  So
>that's improved.
>
>I think that announcing a set of security issues, and saying "the fix
>is to upgrade your entire OS" is not a great disclosure strategy.  If
>that's @Stake's new plan, I would give the new OS 30-90 days before
>making the announcements.  But I believe that the general risk of
>independent discovery of issues is substantial enough that this sort
>of long delay from discovery to fix is a poor practice, and one that
>we as an industry had been moving away from.
>
>Adam
>
>-- 
>"It is seldom that liberty of any kind is lost all at once."
>                                                      -Hume
>
>
>