Dailydave mailing list archives
OS X and patching being hard.
From: dave aitel <dave () immunityinc com>
Date: Thu, 24 Mar 2016 15:09:52 -0400
One thing I find quite interesting is that people who are not in our community often think vulnerabilities are very simple to fix, if only they get reported. For example, assuming the FDA gets its way and has some level of regulatory-like effort that demands a response time for fixing software security issues in medical equipment in lieu of offering a recall. But even the biggest software company on Earth, Apple, finds this hard to do.

For example, the recent P0 blog post <http://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html> on an OS X local Ian Beer found demonstrated how hard this can be in the real world. The issue is not a simple miscalculation, but rather a design flaw in how the OS X (and iOS) kernels work. And so you'll note they did not fix every kernel (Mavericks is still vulnerable and the CANVAS exploit works fine on it, as it does on all old OS X versions), and even the fix leaves the Use-After-Free bugs in the same code. (Please don't run the CANVAS exploit for this issue on patched systems or you will trigger a UAF.)

But the strategic issue is this: if you try to regulate by enforcing a security response, you are going to run into the fact that nobody has gotten that right yet. Another great example of this is how SharePoint and similar systems struggle with their feature of uploading HTML files and other active content (which is a universal XSS), and, for example, browser-based SSL-VPNs are all broken by design <https://www.kb.cert.org/vuls/id/261869>.

Sometimes the answer is "We can't fix it. Sorry."

-dave
_______________________________________________ Dailydave mailing list Dailydave () lists immunityinc com https://lists.immunityinc.com/mailman/listinfo/dailydave
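The "uploading HTML files is a universal XSS" problem the post mentions comes from serving user-supplied documents inline from the application's own origin, where any script inside them runs with that origin's cookies and DOM. The following is an added example, not code from the post or from SharePoint, showing the defensive response-header logic a file-serving endpoint can apply: anything that a browser would render as an active document (by extension, declared type, or content sniffing) is forced to download and sandboxed. The function and header names are this example's own; the upload bodies in the test are constructed.

```python
"""Added example: decide how an uploaded file may be served so that HTML, SVG or
XML uploads cannot execute in the application's origin (defensive pattern, not
any vendor's implementation)."""
import mimetypes
import posixpath
import re

# Extensions that browsers render as active documents when served inline.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".xht", ".svg", ".xml", ".shtml", ".mht", ".mhtml"}
# Client-declared MIME types that mean the same thing.
ACTIVE_MIME_PREFIXES = ("text/html", "application/xhtml", "image/svg", "text/xml", "application/xml")
# Byte markers that identify HTML/SVG regardless of extension or declared type
# (covers an HTML payload uploaded as .txt and relying on browser sniffing).
ACTIVE_MARKERS = (b"<html", b"<script", b"<svg", b"<iframe", b"<object", b"<embed",
                  b"<meta", b"<body", b"<!doctype html")

SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name):
    """Strip directory components and any character a header cannot safely carry."""
    base = posixpath.basename(name.replace("\\", "/"))
    base = SAFE_NAME.sub("_", base).strip("._")
    return base or "download"


def looks_active(filename, declared_type=None, body=b""):
    """True when a browser would treat the file as HTML/SVG/XML, by any signal."""
    ext = posixpath.splitext(filename.lower())[1]
    if ext in ACTIVE_EXTENSIONS:
        return True
    if declared_type and declared_type.lower().startswith(ACTIVE_MIME_PREFIXES):
        return True
    head = body[:1024].lower()
    return any(marker in head for marker in ACTIVE_MARKERS)


def response_headers_for_upload(filename, declared_type=None, body=b""):
    """Headers for serving an uploaded file from the main origin.

    Active content is served as an opaque download and additionally sandboxed,
    so even a browser that renders it anyway gets a unique origin with scripts
    disabled. Passive content is served inline with a type derived from the
    sanitized extension, never from the client-declared type."""
    safe = sanitize_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}  # disable MIME sniffing everywhere
    if looks_active(filename, declared_type, body):
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe
        headers["Content-Security-Policy"] = "sandbox"
    else:
        headers["Content-Type"] = mimetypes.guess_type(safe)[0] or "application/octet-stream"
        headers["Content-Disposition"] = 'inline; filename="%s"' % safe
    return headers


if __name__ == "__main__":
    # Constructed sample uploads: an obvious HTML file, an HTML payload hiding
    # behind a .txt name, and a harmless image.
    for name, ctype, body in [
        ("report.html", "text/html", b"<html><script>alert(1)</script></html>"),
        ("notes.txt", "text/plain", b"<script>alert(document.cookie)</script>"),
        ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    ]:
        print(name, response_headers_for_upload(name, ctype, body))
```

Headers alone are defence in depth: the sandbox directive and forced download keep scripts out of the application's origin, but the complete fix for a feature whose purpose is to host arbitrary HTML is to serve those files from a separate, cookie-less origin, which is exactly the kind of design change the post is describing as hard to retrofit.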