Re: Mac OS X vulnerabilities ['Virus checked"]

[Adam Shostack <adam@homeport.org>]

On Wed, Oct 29, 2003 at 06:18:40PM +0100, Steve Clement wrote:
| -----BEGIN PGP SIGNED MESSAGE-----
| Hash: SHA1
| 
| All this issue depends on how suspicious you are really.
| 
| One could say that @stake waited till Panther 10.3 came out to release
| the Security alert and therefore push the sales of the new system. Or
| you could argue that it was an unlucky coincidence that with the new
| release there were quite a few security bugs apearing.

@Stake is being pretty up front that they are moving far away from
full-disclosure.  Weld has been up-front and vocal about this shift
and the reasons for it.

It seems fairly clear that DaveG reported these issues to Apple (along
with many others over the past while), and for this subset of the
DaveG issues, Apple said "these are complex to fix, we'll get to them in
the next major release."

Which is roughly where we were 10 years ago in some ways: Vendors got
bug reports, and as much time as they wanted to fix the issues.  If
there's independent rediscovery of issues (and I think for some of
these, that's likely), then customers are SOL as the issues are
exploited.  On the plus side, 10 years ago, vendors might have said
"fixed security issues," without enumeration or acknowledgment.  So
that's improved.

I think that announcing a set of security issues, and saying "the fix
is to upgrade your entire OS" is not a great disclosure strategy.  If
that's @Stake's new plan, I would give the new OS 30-90 days before
making the announcements.  But I believe that the general risk of
independent discovery of issues is substantial enough that this sort
of long delay from discovery to fix is a poor practice, and one that
we as an industry had been moving away from.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume