troubleshooting/tutorials/security

01/18/2005, 9:45pm, EST

Tuesday, January 18th

Darwin audit finds flaws that affect Mac OS X Panther

A source-code audit of the open-source Darwin revealed four vulnerabilities of varying severity, according to ImmunitySec, the security firm who conducted the audit. CNET News.com reports that the flaws affect Mac OS X 10.3 Panther, which is built around Darwin. A security advisory released by the ImmunitySec says the bugs mostly affect remote systems with multiple users and that since Mac OS X is most often used on the desktop, the flaws will not be overly important on most people's systems. The company originally found the flaws in June, but only published them to a private list of customers and not notify Apple. On Monday it publicized the flaws, which include "a bug in Mac OS X's SearchFS function, several kernel memory overflows and a logic bug in the AT command, which is used to schedule tasks by the operating system."


Filed under: troubleshooting

, , 6comments, del.icio.us, slashdot, digg, buzz


6 comments
Reader Reactions (Please use <i></i> for italic text)

subscribe to comments
for this article




Expand All   Global Settings
Person Man
WTF??
0
01/18, 10:26pm, EST
The company originally found the flaws in June, but only published them to a private list of customers and did not notify Apple.

A security firm conducts an audit of an operating system and DOES NOT NOTIFY THE OS MAKER OF THE FLAWS THEY FOUND????

And then later they go public without even giving the company a chance to fix the problems first?

Is that f**ked up or what?
Professional Poster
Joined Jun 2001
User is offline
vasbinde
Is this correct?
0
01/18, 11:09pm, EST
I have been in the information security field for over 10 years and I have NEVER heard of a company that would NOT notify the vendor before making a vuln public. Should that line really read, "and notified Apple"? Was "not" just someone accidently typing notify twice?

I certainly hope so - for otherwise, this seems rather insane.

-Eric
Fresh-Faced Recruit
Joined Jan 2005
User is offline
vasbinde
After checking...Wow!
0
01/18, 11:21pm, EST
After checking the original CNET article, it seems as though they really did NOT notify Apple. That is the height of hubris and based on the information on their web site seems to fit with their mentality. They seem to be a group of "grey hat" hackers that try to push the envelope of legality for computer security.

In this case, they seem to have left the flaws in place for six months without notifying Apple for the pure reason of showing their prowess to those companies that have signed up for their service and to flex their muscles to the rest of the hacking community. "Street Cred" is key to crackers/hackers and on its face, this seems designed to provide that.

However, respectibility is key to getting and keeping the large customers that are crucial to long term survival. Unfortunately for "Immunity", they seem to lack the proper concern for protection, valuing self-promotion instead.

No respectable researcher would act in this irresponsible of a manner.

-Eric
Fresh-Faced Recruit
Joined Jan 2005
User is offline
Person Man
Look at original article
0
01/18, 11:23pm, EST
The actual linked article itself states it this way: "The company originally found the flaws in June and published them to a private list of customers but did not notify Apple."

The word "but" in the above suggests that they really didn't notify the vendor before making the vulnerablities public.
Professional Poster
Joined Jun 2001
User is offline
Ganesha
Ransom...
0
01/19, 11:38am, EST
The want Apple to pay to be on the list...
Senior User
Joined Jul 2002
User is offline
LenE
Who is on the list?
0
01/19, 2:25pm, EST
Microsoft? Sun? Red Hat? Microsoft has done stuff like this in the past, at least with "independent" testing labs.

Who subscribes to audits of operating systems that they didn't write?
Fresh-Faced Recruit
Joined May 2004
User is offline
Your Comments

In order to post comments: If you are a registered member, please login with your MacNN Forums username and password otherwise please uncheck the checkbox below.


Registered Member?
macnn forums login:

macnn forums password:

Not a member of the MacNN forums? Register now for free.

MacNN iPodNN Electronista
top searches
1. apple
2. iphone
3. apple TV
4. ipod
5. mac
6. BBC
7. icons
8. icon
9. macbook
10. leopard
search for more ..
RSS Feeds

Have the latest content delivered to your desktop via RSS. Use the links below to get access to a specific blog, news, or reviews feed.



  MacNN -all

  MacNN Reviews

  MacNN Podcasts

  iPodNN

  Electronista

  Left Lane News
Turn your laptop into CASH: Sell us your used laptop. Working or not. Get money FAST. Instant online quote. Shipping is FREE.

Check Out the VIERA from Panasonic!: Enter a New Visual Era with Panasonic VIERA HDTVs. An Enhanced Experience.

DVD/CD Duplicators - All Free Shipping: Simple Disc-to-Disc Duplication. 2 Year Warranty & Free Shipping.

-software: -software, Try 4 Different Flavors Today, Pay Only Shipping Fee.

Indiepix: 3000 Great Independent Films: Foreign Films, Festival Favorites, Order or Download exclusive DVDs." bid="0. Buy from The Apple Store, iTunes.com, Amazon.com, TechDepot, OfficeDepot, Computers4Sure, or donate.