Apple annoy me or rather their security attitude annoys me. I told them about a vulnerability months ago, I persisted and told them again. I got a generic reply from them saying:-
——————————–
Hello,
Thank you for filing this issue via Apple’s bug reporting system. Apple takes every report of a potential security problem very seriously.
After examining your report we do not believe that this issue is a security exposure.
When filing a bug report, other Classification values are available to describe the type of issue: “Performance”, “Crash or Data Loss”, “Serious Bug”, “Other Bug/Has Workaround”, “Feature (New)”, and “Enhancement”. For the request you filed, we will change the classification from “Security” to the appropriate one to assist the engineering teams in handling it.
If you have any questions or concerns please feel free to let us know.
Thank you,
Apple Product Security team
[www.apple.com]
PGP Key ID: 0xB8469E6D
Fingerprint: FD20 40DB F7BC 37B9 6E78 4C3B C800 A2AB B846 9E6D
Then after posting it to sla.ckers I actually talked to someone at Apple, you can view the thread here:- sla.ckers thread
I was annoyed, Apple clearly don’t understand security I knew when I discovered the flaw it was a major one because local zones shouldn’t be able to access external domains it’s bloody obvious. Then I get this guy from Apple telling me that it isn’t serious, well mate you have to remember attacks get better not worse and now the same flaw can access domains from anywhere. Serious? Damn right it’s serious! It’s a good job I’m a good guy because bad guys wouldn’t be telling anyone that’s for sure and when it came out of beta then boom! All your domains belong to the bad guys.
-----------------------------
Gareth Heyes added in his comments that the exploit works in the current Safari 3.0.3 beta.Apple's really needs to re-think its tight lip security policy. In my mind, it give the that they [Apple] do not believe their own customers are capable of handling security information (or assessing its risk).
While I understand that companies need to communicate carefully to a population that may not be security geeks...it doesn't make sense to hide this type of security information from those in the world that know what to do with it.
No comments:
Post a Comment