Darwin audit finds flaws that affect Mac OS X Panther
updated 09:45 pm EST, Tue January 18, 2005
A source-code audit of the open-source Darwin code base, released by ImmunitySec, says the bugs mostly affect remote systems with multiple users and that, since Mac OS X is most often used on the desktop, the flaws will not be overly important on most people's systems. The company originally found the flaws in June, but only published them to a private list of customers and did not notify Apple. On Monday it publicized the flaws, which include "a bug in Mac OS X's SearchFS function, several kernel memory overflows and a logic bug in the AT command, which is used to schedule tasks by the operating system."
WTF??
01/18, 10:26pm
The company originally found the flaws in June, but only published them to a private list of customers and did not notify Apple.
A security firm conducts an audit of an operating system and DOES NOT NOTIFY THE OS MAKER OF THE FLAWS THEY FOUND????
And then later they go public without even giving the company a chance to fix the problems first?
Is that f**ked up or what?
Person Man
Professional Poster
Joined: Jun 2001
Is this correct?
01/18, 11:09pm
I have been in the information security field for over 10 years and I have NEVER heard of a company that would NOT notify the vendor before making a vuln public. Should that line really read, "and notified Apple"? Was "not" just someone accidentally typing notify twice?
I certainly hope so - for otherwise, this seems rather insane.
-Eric
vasbinde
Fresh-Faced Recruit
Joined: Jan 2005
After checking...Wow!
01/18, 11:21pm
After checking the original CNET article, it seems as though they really did NOT notify Apple. That is the height of hubris and based on the information on their web site seems to fit with their mentality. They seem to be a group of "grey hat" hackers that try to push the envelope of legality for computer security.
In this case, they seem to have left the flaws in place for six months without notifying Apple for the pure reason of showing their prowess to those companies that have signed up for their service and to flex their muscles to the rest of the hacking community. "Street Cred" is key to crackers/hackers and on its face, this seems designed to provide that.
However, respectability is key to getting and keeping the large customers that are crucial to long term survival. Unfortunately for "Immunity", they seem to lack the proper concern for protection, valuing self-promotion instead.
No respectable researcher would act in this irresponsible of a manner.
-Eric
vasbinde
Fresh-Faced Recruit
Joined: Jan 2005
Look at original article
01/18, 11:23pm
The actual linked article itself states it this way: "The company originally found the flaws in June and published them to a private list of customers but did not notify Apple."
The word "but" in the above suggests that they really didn't notify the vendor before making the vulnerabilities public.
Person Man
Professional Poster
Joined: Jun 2001
Ransom...
01/19, 11:38am
They want Apple to pay to be on the list...
Ganesha
Senior User
Joined: Jul 2002
Who is on the list?
01/19, 02:25pm
Microsoft? Sun? Red Hat? Microsoft has done stuff like this in the past, at least with "independent" testing labs.
Who subscribes to audits of operating systems that they didn't write?
LenE
Fresh-Faced Recruit
Joined: May 2004