With the complexity of OSX and iOS I think if somebody figures out the
right combination of tweaks to bypass security they should tell Apple
right away and hold off a bit before telling the world. At least give
them a chance to fix it before giving a free hand up to the bad guys. Of
course that lead time needs to be kinda short as the vulnerability needs
to be fixed before some bad folks find it and/or continue to use it.
With Apple's automatic updates it can also be a while before a
reasonable chunk of the population has installed the patch. So I'd guess
90 days would be pretty reasonable. If a patch hasn't been released by
then then it's time to put public pressure on Apple.
That said, the oasis of pulchritude hasn't entirely dried up. Yes, there
are issues and the popularity of the platform has attracted unwanted
attention from certain quarters but at least there seems to be a
reasonably good attempt to put locks on all the doors. They just
sometimes forget and leave a window open.
CB
On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
I don’t agree with the author. Of course, this is MacWorld—some amount of
Apple butt-kissing is to be expected—but I find his attitude very worrying.
First, “Responsible disclosure” vs “Full disclosure” is a choice of
researchers, and privileged authors of the press shouldn’t be using their
personal ethical judgements about it to suppress public information about flaws
simply on that basis. That alone is reason enough to simply distrust any
further writings of the author. I am personally of the opinion that we are
well past the usefulness of “Responsible disclosure” as a strategy; giving
companies rope, but not quite enough to hang themselves with, isn’t moving
security forward any faster.
Second, and more important, a privilege escalation vulnerability isn’t a
problem for advanced users, who already know what Glen is suggesting, i.e.
don’t run dodgy software. It is precisely those people who have been trained,
per the standard advice, not to type in their passwords when they are
suspicious who will be most hit by the root bypass. Obviously, better advice
would be “Just don’t trust anyone”, but that’s not how the world works, sadly.
I think it’s time for us to acknowledge that the Mac, once a peaceful
neighbourhood with only the occasional bit of easily-preventable rogue badness
that you could get rid of by just clicking “No” or “Cancel” or whatever, is now
increasingly occupied by bad software that is well-advertised, easily installed
and hard to recognise by a lot of inexperienced people, and anybody giving a
Mac to somebody to keep them (the recipient) quiet and out of their (the
donor’s) hair now needs to hold Apple’s once glorious patch turnaround times to
account. This is *especially* true if the donor has delivered the Mac with a
limited user account and all necessary software already installed or only
accessible from the Mac App Store, because as soon as Flash becomes the vector,
we’re all finished.
Microsoft have learned their security lessons the hard and painful way, and now
it’s Apple’s turn. Please don’t give apologists fodder for their absurd
denials.
--
¯\_(ツ)_/¯
--
You received this message because you are subscribed to the Google Groups
"MacVisionaries" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to macvisionaries+unsubscr...@googlegroups.com.
To post to this group, send email to macvisionaries@googlegroups.com.
Visit this group at http://groups.google.com/group/macvisionaries.
For more options, visit https://groups.google.com/d/optout.
