> An updated version of the software has been released to address the
> vulnerability:
> http://support.apple.com/kb/HT1222

Unfortunately, Apple makes no mention of patches for USB devices in this support article.

> NCC Group is going to withhold details of this flaw for three months.

As you probably know, Apple is not a responsible actor in this arena. Confer: the number of vulnerabilities left to rot and fester while waiting for the iOS 6/iPhone 5 press release (http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html), the removal of the toxic DigiNotar certificates from the root CA list, etc.

Jeff

On Thu, Sep 27, 2012 at 4:22 AM, NCC Group Research <[email protected]> wrote:
> High Risk Vulnerability in Apple Mac OS X Lion
>
> 27 September 2012
>
> Andy Davis of NCC Group has discovered a High risk vulnerability in Apple OS
> X Lion v10.7 to v10.7.4, OS X Lion Server v10.7 to v10.7.4.
>
> Impact: Arbitrary Code Execution (bug triggered by USB device insertion)
>
> Versions affected:
> Mac OS X Lion v10.7 to v10.7.4, Mac OS X Lion Server v10.7 to v10.7.4
>
> An updated version of the software has been released to address the
> vulnerability:
> http://support.apple.com/kb/HT1222
>
> NCC Group is going to withhold details of this flaw for three months. This
> three month window will allow users the time needed to apply the patch before
> the details are released to the general public. This reflects the NCC Group
> approach to responsible disclosure.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
