Saturday, April 22, 2006

OS X Flaws Put Mac Users At Risk

Good write-up over @ CNET.com dealing with the recent information disclosure of several serious Mac vulnerabilities.

Let's look at several key quotes.

1) Apple believes the public disclosure of security flaws doesn't help anyone, a position shared by most software makers. "We don't feel that our customers are better served by public disclosure of potential issues," Tribble said. "We think that in the general case, people who need to know about issues are the ones that can actually fix the bugs."

While Apple may not agree with Tom, I bet his action will get the problems fixed faster. Apple would have sat on them for as long as they could, all along claiming they weren't a danger. Which brings me to quote number 2.

2) Apple's vice president of software technology told CNET News.com. "I think it is important to note that although these are potential vulnerabilities, there are no known exploits to them and they are not affecting customers today."

There are no exploits in the public, maybe...but that doesn't mean that they aren't being exploited. This could be of no importance to Apple; these are very serious vulnerabilities and should be fixed. IMHO, only companies that are using Apple products should be focused on whether exploits are public or not, since this fact does alter the patch management cycle in most cases.

3) Apple silently fixed one of the flaws related to the handling of TIFF image files in update 10.4.6, Ferris said. The other bugs remain unpatched, he said, adding that he reported the issues to Apple earlier this year.

Umm...this issue sounds very familiar. As I stated before, we need to hit Apple on this exact issue as well. Microsoft isn't the only one not doing the right thing in my view.

4) Apple expects to address the issues in an upcoming security update but could not say when that fix might be released. "Our target is to do it promptly," Tribble said. "How quickly that can be done depends on a lot of variables, in terms of how much information we get and how complex the things are to address."

This quote only supports my comment on quote #2. They have known about the issues all year and they are going to fix them "promptly"....umm..and people say public disclosure doesn't work. =)
