Unfixed Mac OS X security holes

So yet another "security" company finds some alleged holes, notifies Apple and then makes them public, with the purpose of what, informing the malevolent that a new door needs kicking? When are the activities of so-called "security companies" going to become a matter of oversight and regulation. Their activities, including the development of proof-of-concept malware which they judiciously don't release into the wild, is bordering on criminal!

CFAllocatorAllocate() has absolutely nothing to do with parsing GIFs at all. It's just there to allocate memory.

These people wrote up all these security advisories yet clearly do not understand what is going on.

Having submitted a possible security hole to Apple for consideration, I can give you the wording that Apple puts in emails thanking for such notifications: -- Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further. Our disclosure policy as stated on our web site is: "For the protection of our customers, Apple does not publicly disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." -- Which part of this did these clowns not understand?

The so-called security companies do it to Microsoft too. Unfortunately, when they do it to Microsoft and post zero-day exploits available for download they are doing all the legwork for cyber terrorists and criminals who use the information to infect, hose, or steal information from innocent computer users. Then the other effect of these companies is the sensationalism of E-Week, C-Net or ZD Net broadcasting the security problems as well as linking to exploits and a boatload of FUD to go with it. Personally these people should be shut down. If Tony Sopranno tells a businessman that his business could burn down when it's full of customers if he doesn't pay a certain amount of money, it's called extortion. If general motors has a problem with their Corvette engine that makes it easy to steal and you approach them with the threat that you will tell every car thief in the state if they don't pay you money it would be called blackmail and possibly extortion as well. Why is this legal for so-called security companies?

There are issues with every operating system. Yes, you can find them if you look really hard. If you are the kind of person to look really hard then you have two options 1) keep it to yourself or 2) report it. Everyone is critical of HOW these issues are reported and some feel they aren't even worthwhile, but I would MUCH rather that bugs are at least reported. Apple security doesn't screw around. I would be willing to be a lot of things are reported and they go unfixed for so long that people feel the need to publish. It's not that they get a 'works as intended' type of answer, merely that there's as workload and lines get crossed. These will be addressed, if not they are probably not security issues (not in the 'user stupidity so we won't even try' category). Keeping it to themselves is worse because someone else is gonna find it and not necessarily do something nice.

Whimper about going public quickly, don't say anything if you have mail that it will be addressed in the next security update. If it is NOT and it's considered a security matter then publish. Just don't keep it to yourself. People know Mac OS X isn't windows. It's inherently more secure and one little dent here that gets buffed out is better than a major collapse.

Assuming he actually knows what he is talking about, he just blogs to the whole world about it. Gee that's smart; I feel I can really trust this moron. My guess is that he doesn't have a clue and this is yet another covert attempt to make it appear that Mac OS X is not secure, when all real world evidence says the opposite.

Remember, we've had (1) the so-called "concept" viruses that were harmless out in the real world, (2) the Apple doesn't care about security because it doesn't employee a "Security Czar" angle, (3) the let's call any bug we find safari a "security threat" ploy, and now (4) the unknown "security professional" declares that there are "a slew" of vulnerabilities that he personally reported to Apple story. Yet still no actual harm caused by ALL of these menacing threats. Makes me feel safer than ever to be a Mac user. And I'm starting to really enjoy these desperate ramblings about Mac OS X security issues as a source of daily humor.

Security vulnerabilities should NOT be kept private. That's just plain stupid and insecure. If one person finds a problem, who's to say others haven't already found it. I know most of you just assume "There's no problems because there's no viruses, ergo I'm 100% safe!".

I guess all you idiots would have been much happier if you didn't know that safari had such a huge whole in it that you could click a link on a web page and see your entire user directory be deleted. Yeah, I'd much rather not know such problems exist.

Of course, even if someone does release a virus or trojan for the mac, you all will just say its a blip, and no one's too stupid to do that, so it doesn't count and all that crap.