Bugtraq mailing list archives

Re: Mac OS X vulnerabilities ["Virus checked"]


From: Chris Wysopal <cwysopal () atstake com>
Date: 29 Oct 2003 22:34:32 -0000

In-Reply-To: <20031029180349.GA85446 () lightship internal homeport org>


@stake's policy has been the same since June, 2002 which was its last revision.  Our policy is in line with the OIS 
guidelines.  Assuming Mac OS X 10.2 is supported, Apple is not following the OIS guidelines which require a vendor to 
release a remedy for *all supported platforms* and to make an effort to deliver them simultaneously.


From: http://www.oisafety.org/reference/process.pdf

7.1.4

The Vendor shall ensure that a remedy is available for all supported products affected by the Flaw

7.3.9 

If multiple products or versions are affected by the Flaw, the Vendor shall exercise reasonable efforts to 
simultaneously deliver all remedies.  


It may come as a surprise to many people on the list that the OIS guidelines require/recommend vendors to do a lot of 
things that many vendors do not do now and are very good for customers.

When we reported these issues to Apple they told us that they would have them fixed in the Panther release timeframe.  
To be honest, I assumed there would also be a patch for 10.2.  We certainly didn't dictate any specific way of 
releasing the fixes.  

The DMG file issue was reported in June, 2003 and the core overwrite issue was reported on 7/25/2003.  I don't have a 
recorded notification date for the long argv issue.

Whether or not a vendor makes a customer pay for a security remedy is a business decision, but they should make it clear 
that they are not supporting older versions if they are not releasing free patches for them.  I think security fixes 
should be separate from feature updates since new features often introduce new vulnerabilities.

Cheers,

Chris



Adam Shostack wrote:

@Stake is being pretty up front that they are moving far away from
full-disclosure.  Weld has been up-front and vocal about this shift
and the reasons for it.

It seems fairly clear that DaveG reported these issues to Apple (along
with many others over the past while), and for this subset of the
DaveG issues, Apple said "these are complex to fix, we'll get to them in
the next major release."

Which is roughly where we were 10 years ago in some ways: Vendors got
bug reports, and as much time as they wanted to fix the issues.  If
there's independent rediscovery of issues (and I think for some of
these, that's likely), then customers are SOL as the issues are
exploited.  On the plus side, 10 years ago, vendors might have said
"fixed security issues," without enumeration or acknowledgment.  So
that's improved.

I think that announcing a set of security issues, and saying "the fix
is to upgrade your entire OS" is not a great disclosure strategy.  If
that's @Stake's new plan, I would give the new OS 30-90 days before
making the announcements.  But I believe that the general risk of
independent discovery of issues is substantial enough that this sort
of long delay from discovery to fix is a poor practice, and one that
we as an industry had been moving away from.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                     -Hume




