Welcome to the MacNN Forums.

What is the word on these Mac OS X security issues
Mac Elite
Join Date: Dec 2000
Location: Tempe, AZ
Jan 19, 2005, 02:59 PM
 
Some news site has brought the following security document up... it dates 2004 June 22, but was released to the public only these days.

In the document they refer to Mac OS X 10.3.4, but what about 10.3.7?

http://www.immunitysec.com/downloads/nukido.pdf

t
     
Clinically Insane
Join Date: Nov 1999
Jan 19, 2005, 03:02 PM
 
If it's that old, then the bugs listed therein are quite likely to have been fixed.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
t_hah  (op)
Mac Elite
Join Date: Dec 2000
Location: Tempe, AZ
Jan 19, 2005, 03:07 PM
 
So why is Immunity making such a deal out of this? They released it yesterday on their site.

http://www.immunitysec.com/resources-advisories.shtml

Does anyone know about these security problems and if they still exist in the current OS? The current kernel version is: xnu-517.9.5, the document talks about xnu-517.7.7
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 19, 2005, 03:12 PM
 
Originally posted by t_hah:
So why is Immunity making such a deal out of this? They released it yesterday on their site.

http://www.immunitysec.com/resources-advisories.shtml

Does anyone know about these security problems and if they still exist in the current OS? The current kernel version is: xnu-517.9.5, the document talks about xnu-517.7.7
No they are not fixed because ImmunitySICK (sic) did not tell Apple about their findings when they discovered them in June (or July). They only told people on their "private list." Apple found out about them the same time as everyone else... when they went public.

What kind of fcuking "security" company sits on vulnerabilities they've discovered for six months and DOESN'T EVEN TELL THE OS VENDOR ABOUT THEM? Now the hackers have a leg up on Apple...

See this article.
     
t_hah  (op)
Mac Elite
Join Date: Dec 2000
Location: Tempe, AZ
Jan 19, 2005, 03:49 PM
 
So let me get this straight... this security company finds out about these issues, then notifies some people and companies, then half a year later notifies Apple!?

And this is a security company???? WTF!!!
     
Mac Enthusiast
Join Date: Jan 2001
Location: Alberta, Canada
Jan 19, 2005, 03:52 PM
 
How many of these threads do we need? There are 3 so far in this forum. Shouldn't these be in the OSX forum?
     
t_hah  (op)
Mac Elite
Join Date: Dec 2000
Location: Tempe, AZ
Jan 19, 2005, 03:56 PM
 
Sorry if there was already a thread on it... I did not find any, but of course I did not find any info on this anywhere else, so I gave a try here first...
Since you are being so helpful, could you post a link as well?

Thanks and have a great day,

t
     
Fresh-Faced Recruit
Join Date: Nov 2003
Location: Omaha, NE
Jan 19, 2005, 04:00 PM
 
I'd be willing to bet the reason they didn't mention this until now is because they did tell Apple when they discovered the security issues, but Apple requested they not release the info until they (Apple) could fix them.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 19, 2005, 04:05 PM
 
Originally posted by recogniser:
I'd be willing to bet the reason they didn't mention this until now is because they did tell Apple when they discovered the security issues, but Apple requested they not release the info until they (Apple) could fix them.
No. Read the article I linked to in the post I made, above. If there were a fix, Apple would have said so.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 19, 2005, 04:05 PM
 
Originally posted by t_hah:
since you are being so helpful, could you post a link as well.
Already posted a link, see my post above.
     
t_hah  (op)
Mac Elite
Join Date: Dec 2000
Location: Tempe, AZ
Jan 19, 2005, 04:16 PM
 
Originally posted by Person Man:
Already posted a link, see my post above.
That message was not for you. :-)
Thank you for the article link. That clarified many things...
     
Fresh-Faced Recruit
Join Date: Nov 2003
Location: Omaha, NE
Jan 19, 2005, 04:17 PM
 
Originally posted by Person Man:
No. Read the article I linked to in the post I made, above. If there were a fix, Apple would have said so.
I reread the article, but I don't understand your point. Do you remember last summer there were something like 3 consecutive Security Updates in the span of like a week? All the descriptions ever say is vague stuff like, "This security update fixes several vulnerabilities, etc etc."

I don't think Apple would go out of their way to say "Hey, we had massive security issues with our OS but we fixed them."
     
Clinically Insane
Join Date: Nov 1999
Jan 19, 2005, 04:19 PM
 
Frankly, I wonder if Apple has grounds for a lawsuit here. They should have been the first people Immunity notified, not the last. Could this be considered a kind of fraud?
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
t_hah  (op)
Mac Elite
Join Date: Dec 2000
Location: Tempe, AZ
Jan 19, 2005, 04:20 PM
 
Well, according to ZDnet this is still an issue. I have not seen anything official on this from Apple.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 19, 2005, 05:02 PM
 
Originally posted by recogniser:
I reread the article, but I don't understand your point. Do you remember last summer there were something like 3 consecutive Security Updates in the span of like a week? All the descriptions ever say is vague stuff like, "This security update fixes several vulnerabilities, etc etc."

I don't think Apple would go out of their way to say "Hey, we had massive security issues with our OS but we fixed them."
Apple always lists in detail the specific vulnerabilities fixed by their security updates. They can be found here.

Also, from the article I linked to, above:

The company originally found the flaws in June and published them to a private list of customers but did not notify Apple. It published the flaws on Monday, after presenting them at a seminar.

Apple confirmed that it had not been told of the flaws and said it was analyzing the vulnerabilities but would not elaborate.
This tells me that Apple had not been told of the flaws beforehand. If they had a fix they would have said so (or at least that they would be releasing a fix soon). They said they were "analyzing the vulnerabilities," which suggests that they haven't even started working on fixes yet (which makes sense if they weren't told about the flaws until now).
     
Clinically Insane
Join Date: Nov 1999
Jan 19, 2005, 06:03 PM
 
Originally posted by recogniser:
I don't think Apple would go out of their way to say "Hey, we had massive security issues with our OS but we fixed them."
Certainly they would; it's good PR.

Every OS will have security issues discovered in it, sooner or later. It's the nature of software development. What matters is how quickly these issues are fixed once they've been discovered. Apple has been very good about jumping on top of problems which have been discovered, and this would be another feather in its cap.

The only reason to delay notifying Apple is to delay a fix. That's got to be a kind of fraud.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Addicted to MacNN
Join Date: Jan 2003
Location: ~/
Jan 19, 2005, 06:12 PM
 
Originally posted by t_hah:
Well, according to ZDnet this is still an issue.
And we all know that ZDnet is an expert on all things Mac

     
Mac Elite
Join Date: Sep 2003
Location: Parker, Colorado
Jan 19, 2005, 07:06 PM
 
Originally posted by Person Man:
No they are not fixed because ImmunitySICK (sic) did not tell Apple about their findings when they discovered them in June (or July). They only told people on their "private list." Apple found out about them the same time as everyone else... when they went public.

What kind of fcuking "security" company sits on vulnerabilities they've discovered for six months and DOESN'T EVEN TELL THE OS VENDOR ABOUT THEM? Now the hackers have a leg up on Apple...

See this article.
The kind of fcuking "security" company that uses potential security vulnerabilities as marketing tools to bolster enrollment in their "Immunity Vulnerability Sharing Club"

Just a guess, but to me it seems a move to create a bit of fear/uneasiness in people so that people will join "The Immunity Vulnerability Sharing Club" for that added bit of security.

And I agree, it is a load of crap.
Curse your sudden but inevitable betrayal!
     
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Jan 19, 2005, 09:56 PM
 
Fraud? I don't suppose so. If they were using it as an exploit, then that's against the law. Users generally aren't under any obligation to report security issues they discover.

There is a debate going on though, as to whether quiet disclosure to the company is best over just a public release....Linus Torvalds seems to think that public release is best (at least with OSS) and many would agree, some think that the vulnerability should be reported to the company and not published until fixed....I personally think that, without a whole lot of knowledge about the issue, that the companies should be given maybe a week or two advance knowledge, and if the fix isn't rapidly made then the public should know about it - especially if there's something a user can do to fix the problem, like that one where removing help.app fixed an exploit. If an exploit is given to Apple (read: Microsoft) a year in advance and is never fixed or published, then someone else will probably figure out the vulnerability quickly enough and be silently exploiting it. While you can't secure something with holes you don't know about, it's no better to proclaim to the world your insecurity until it's fixed...add in a time limit, you stay vulnerable for a shorter time and there's a motivation for the vulnerability to be fixed (the press).

Back on track, the exploits I've heard of on OS X have been downright lame. Apple is doing a damn good job so far IMHO, but they haven't fixed a few issues that bother people.

This insanity brought to you by:
The French CBC, driving antenna users mad since 1937.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 20, 2005, 01:22 AM
 
Originally posted by yukon:
I personally think that, without a whole lot of knowledge about the issue, that the companies should be given maybe a week or two advance knowledge, and if the fix isn't rapidly made then the public should know about it

[snip]

add in a time limit, you stay vulnerable for a shorter time and there's a motivation for the vulnerability to be fixed (the press).
A week or two doesn't cut it for many security vulnerabilities. You not only have to have time to fix the problem, you first have to study the problem thoroughly to be able to create a proper fix (not just a bandaid solution that your proposal would force companies to do) that will not cause major headaches down the road in some other part of the operating system.

Operating systems are extremely complex; a little change here may seriously affect something over there, and then you'd have people refusing to install the security update because it would break their systems (we already have that anyways), and the reasons behind giving a time limit would be a moot point then. The most time is spent testing the update, both to fix unforeseen bugs, and to make sure the fix is "good enough."

Now, many would claim that Apple doesn't test their updates anyway, but the fact is that the majority of people (myself included) haven't had any problems with updates and that is because they have already undergone lots of testing.

If Apple only had a week or two to fix a security vulnerability, the resulting band-aid solution would break enough things that people wouldn't install it anyways (It broke my system!) And you might say, "well, turn off that function as a workaround until a fix is found." Not every problem has an easy solution like the "help.app vulnerability" did. Sometimes the area is in a "mission critical area" and you can't just "turn it off or bypass it until a fix is found."

Besides, most security companies *do* give vendors a time limit before going public. That is, if they even notify the OS vendors in the first place, which SecuritySICK [sic] did NOT do. How do you expect Apple to fix something they DIDN'T EVEN KNOW ABOUT?

How do you set a time limit? The answer is "a reasonable amount of time," determined by the complexity of the problem.

The question should not be "how can we force companies to fix their products faster?" but "how can we get companies to design their products responsibly the first time?" While there will always be bugs in software, if you design something from the start to be secure, you won't have anywhere near as many problems down the road. As development proceeds, people (preferably an independent team) need to be auditing the code from an exploit perspective from day one, and fixing problems before the product is shipped out. "But it costs more money to do it that way!" Tough. In this day and age you can't afford to not do it that way, and "lawsuits might end up costing you more money in the long run," so think of it as money well spent, rather than potential profit lost.
(Last edited by Person Man; Jan 20, 2005 at 01:30 AM. )
     
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Jan 20, 2005, 04:24 AM
 
Of course some fixes can take more than a week or two, there's a lot of testing involved (hopefully). I actually personally believe it should be a single week, but I said "or two" in anticipation of such a reply. I'm in favor of making it public, if I don't know that iFail.app has a buffer overflow, I can't work around that, I remain vulnerable. And if one person can figure out the vulnerability, then another can.

While Apple's Macintosh was aimed at the average person for some time, people who wouldn't do any work-arounds for security, but now they're trying to move into servers, business/enterprise type gear. Having someone sit on information on vulnerabilities might be fine for the companies that use MS products, but for UNIX administrators that are used to open source or simply rely heavily on the security of their servers, being wide open for more than two weeks is scary.

Of course, I don't like what this company has apparently done. They did not inform Apple, or even the public first, they informed a group of people they knew, like it's some kind of secret. I don't believe that's illegal, but I'd say that's still wrong.....informing Apple at the same time as the general public, may not be nice to Apple but I think (IMO) it's fair enough.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 20, 2005, 10:33 AM
 
Originally posted by yukon:
I actually personally believe it should be a single week, but I said "or two" in anticipation of such a reply.
When you're talking about something as complex as an operating system, fixes rarely, if ever, take 1 or 2 weeks to investigate, come up with a solution, test the hell out of it, and if it doesn't work, try again.

Perhaps it should be "a month or two." I also think that if a company can prove that they are actively working on the problem (but it's taking longer than they expected) then the original reporter should hold off on making it public until they can release a (properly working) fix.

These things are not as easy to do as you might think, which is why I said the better approach is to think security from the start, rather than starting with something that was "good enough" in the days before the internet and then grafting on fixes after the fact. (which is what Microsoft is STILL doing... Apple is a bit better than they are with the open source stuff, but some of the proprietary stuff is still legacy code from NeXT).
     
Clinically Insane
Join Date: Nov 1999
Jan 20, 2005, 10:45 AM
 
Originally posted by yukon:
Fraud? I don't suppose so. If they were using it as an exploit, then that's against the law. Users generally aren't under any obligation to report security issues they discover.
Indeed not, but this is not your average user. It is a business which claims to be dedicated to improving security by finding vulnerabilities and advocating that they can be fixed. Since bugs can't be fixed if the makers are not notified, delaying vendor notification stands directly counter to the business' stated purpose. That is the fraud.
There is a debate going on though, as to whether quiet disclosure to the company is best over just a public release....Linus Torvalds seems to think that public release is best (at least with OSS) and many would agree, some think that the vulnerability should be reported to the company and not published until fixed....I personally think that, without a whole lot of knowledge about the issue, that the companies should be given maybe a week or two advance knowledge, and if the fix isn't rapidly made then the public should know about it - especially if there's something a user can do to fix the problem, like that one where removing help.app fixed an exploit.
Oh, I quite agree with you. But the point is: the makers must be told. Hiding the vulnerability from the maker, which appears to have happened in this case, makes it impossible to fix the problem.

If an exploit is given to Apple (read: Microsoft) a year in advance and is never fixed or published, then someone else will probably figure out the vulnerability quickly enough and be silently exploiting it.
Yes, but the exploit, or even notification of the problem, was never given to Apple. This is what the debate is about. It's not just that they didn't tell Apple first; it's that they knew about this bug for a year and never told Apple, thus ensuring that it would not be fixed.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
     
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Jan 20, 2005, 11:55 PM
 
I know it may take quite a while to find a bug and prepare a fix that doesn't cause problems...many Windows fixes used to simply disable the functionality with the problem way back when, of course they'd just say it fixed a problem, caused fun for many people. I like what Apple does, but I don't care much about their reputation (I'm sure Apple cares), I'd rather know now that some system component has a vulnerability even if there isn't a fix prepared. Of course, the obscurity of a just-discovered vulnerability, paired with the developers knowing about it and working to fix it on a deadline, I think merits a week of silence, I think that's even generous (IMHO) to keep a secret from the public.

I guess then that I agree with Millennium, this is fraud. I don't think they had anything to gain by concealing the vulnerability though (other than use of it of course, but that's illegal). They still did notify eventually....dunno really. In any case, I'd think this would be very bad for a security company's reputation, knowing of a vulnerability, telling a few people and keeping it hush-hush. I wouldn't want them looking at my home network, let alone pay for anything of theirs.....

Just looking at their company page, it looks like it's just a few young guys, the CEO/Founder is from l0pht (well, it says @stake, same difference). It seems they sell access to news about vulnerabilities and exploits, have their clients sign NDA contracts...if that's what they do, find exploits and sell the knowledge of them, the NDAs keeping the software creators from patching so that the info stays valuable, that's a somewhat dastardly business plan. I don't think I'd want anything to do with them, a relationship with them seems like more of a liability than anything else.

This insanity brought to you by:
The French CBC, driving antenna users mad since 1937.
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Jan 21, 2005, 07:48 AM
 
Originally posted by yukon:
Just looking at their company page, it looks like it's just a few young guys, the CEO/Founder is from l0pht (well, it says @stake, same difference). It seems they sell access to news about vulnerabilities and exploits, have their clients sign NDA contracts...if that's what they do, find exploits and sell the knowledge of them, the NDAs keeping the software creators from patching so that the info stays valuable, that's a somewhat dastardly business plan. I don't think I'd want anything to do with them, a relationship with them seems like more of a liability than anything else.
They shouldn't be called a security company, then.

It's a matter of time before something happens and they get taken to court.
     
All times are GMT -5.
All contents of these forums © 1995-2011 MacNN. All rights reserved.