http://www.macnn.com/articles/05/01/18/darwin.audit.finds.flaws/

Darwin audit finds flaws that affect Mac OS X Panther

updated 09:45 pm EST, Tue January 18, 2005

 



A source-code audit of the open-source released by the ImmunitySec says the bugs mostly affect remote systems with multiple users and that since Mac OS X is most often used on the desktop, the flaws will not be overly important on most people's systems. The company originally found the flaws in June, but only published them to a private list of customers and did not notify Apple. On Monday it publicized the flaws, which include "a bug in Mac OS X's SearchFS function, several kernel memory overflows and a logic bug in the AT command, which is used to schedule tasks by the operating system."


by MacNN Staff


Comments

  1. Person Man

    Professional Poster

    Joined: Jun 2001

    0

    WTF??

    The company originally found the flaws in June, but only published them to a private list of customers and did not notify Apple.

    A security firm conducts an audit of an operating system and DOES NOT NOTIFY THE OS MAKER OF THE FLAWS THEY FOUND????

    And then later they go public without even giving the company a chance to fix the problems first?

    Is that f**ked up or what?

  1. vasbinde

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    Is this correct?

    I have been in the information security field for over 10 years and I have NEVER heard of a company that would NOT notify the vendor before making a vuln public. Should that line really read, "and notified Apple"? Was "not" just someone accidentally typing notify twice?

    I certainly hope so - for otherwise, this seems rather insane.

    -Eric

  1. vasbinde

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    After checking...Wow!

    After checking the original CNET article, it seems as though they really did NOT notify Apple. That is the height of hubris and based on the information on their web site seems to fit with their mentality. They seem to be a group of "grey hat" hackers that try to push the envelope of legality for computer security.

    In this case, they seem to have left the flaws in place for six months without notifying Apple for the pure reason of showing their prowess to those companies that have signed up for their service and to flex their muscles to the rest of the hacking community. "Street Cred" is key to crackers/hackers and on its face, this seems designed to provide that.

    However, respectability is key to getting and keeping the large customers that are crucial to long term survival. Unfortunately for "Immunity", they seem to lack the proper concern for protection, valuing self-promotion instead.

    No respectable researcher would act in this irresponsible of a manner.

    -Eric

  1. Person Man

    Professional Poster

    Joined: Jun 2001

    0

    Look at original article

    The actual linked article itself states it this way: "The company originally found the flaws in June and published them to a private list of customers but did not notify Apple."

    The word "but" in the above suggests that they really didn't notify the vendor before making the vulnerabilities public.

  1. Ganesha

    Senior User

    Joined: Jul 2002

    0

    Ransom...

    They want Apple to pay to be on the list...

  1. LenE

    Fresh-Faced Recruit

    Joined: May 2004

    0

    Who is on the list?

    Microsoft? Sun? Red Hat? Microsoft has done stuff like this in the past, at least with "independent" testing labs.

    Who subscribes to audits of operating systems that they didn't write?
