> The more surprising it is to see a vendor's response downplaying the
> importance of the issue found in its code that can actually contribute to
> the full-blown attack against the users of its software.

This is Apple you're talking about, are you really that surprised?

Cheers
Ramo

On Jun 26, 2012 4:57 AM, "Security Explorations" <[email protected]> wrote:
>
> Hello All,
>
> Security Explorations decided to release technical details and accompanying
> Proof of Concept code for a security vulnerability in Apple QuickTime
> software. This move is made in response to Apple's evaluation of a reported
> issue as a "hardening issue" rather than a security bug [1].
>
> Security Explorations does not agree with the results of Apple's evaluation.
> It does not support the approach of a "silent fix" either [2].
>
> A vulnerability that was reported to the company on Apr 12, 2012 allows one
> to bypass two security checks in Apple's code. That vulnerability (Issue 22)
> leads to a serious violation of Java VM security. When combined with Issue
> 15 affecting Oracle's Java SE [3], it can lead to a complete compromise of
> a Java VM environment on a fully patched Windows OS with the latest Java SE
> (1.6.0_33-b03) and Apple QuickTime (7.72.80.56) software installed.
>
> The case of an attack against Apple QuickTime software illustrates a common
> trend in attacks against technologies such as Java VM, where more than one
> partial security bypass issue usually needs to be combined to achieve a
> complete security compromise. The more surprising it is to see a vendor's
> response downplaying the importance of the issue found in its code that can
> actually contribute to the full-blown attack against the users of its
> software.
>
> Security Explorations is publishing the following materials in the hope that
> a wider public could conduct an independent evaluation of the Apple QuickTime
> issue and deliver an unbiased judgment of both companies' claims:
> - Short write-up presenting vulnerability details, its impact and a summary
>   of the vendor's response,
> - Proof of Concept code for Issue 22.
>
> Download links for the above-mentioned materials are provided below:
>
> http://www.security-explorations.com/materials/se-2012-01-22.pdf
> http://www.security-explorations.com/materials/se-2012-01-22.zip
>
> Thank you.
>
> Best Regards,
> Adam Gowdiak
>
> ---------------------------------------------
> Security Explorations
> http://www.security-explorations.com
> "We bring security research to the new level"
> ---------------------------------------------
>
> References
> [1] SE-2012-01 Vendors status
>     http://www.securityexplorations.com/en/SE-2012-01-status.html
> [2] About the security content of Java for OS X 2012-004 and Java for
>     Mac OS X 10.6 Update 9
>     http://support.apple.com/kb/HT5319
> [3] SE-2012-01 Project, Security Vulnerabilities in Java SE
>     http://www.securityexplorations.com/en/SE-2012-01-press.html
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
