Good point. On a positive note, one of the reasons they rewrote QuickTime was to get rid of this stuff. The new QuickTime is much less susceptible (allegedly) to the nonsense that the QuickTime < 10's were.
J

On Mar 27, 2010, at 8:27 AM, Larry Seltzer wrote:

> Yeah, I did point out that Apple does do this work. I think Dino Dai Zovi (Charlie's co-author on their book) noted that.
>
> Obviously if Charlie can find 20 critical bugs in OS X just by fuzzing for 3 weeks on a few computers then Apple's not doing enough. Perhaps the problem is that they're *only* looking at the source code.
>
> LJS
>
> -----Original Message-----
> From: Joel Esler [mailto:[email protected]]
> Sent: Saturday, March 27, 2010 8:20 AM
> To: Larry Seltzer
> Cc: Juha-Matti Laurio; [email protected]
> Subject: Re: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>
> Apple does too. Ever read the security vulnerabilities for the "Credit" line? Look how many say "Apple". A bunch.
>
> Perhaps they just aren't looking the same places as Charlie. That's all. You know, they only have access to the multiple millions lines of code they maintain for all their products...
>
> J
>
> On Mar 27, 2010, at 7:58 AM, Larry Seltzer wrote:
>
>> I wrote about this myself a little while ago:
>> http://blogs.pcmag.com/securitywatch/2009/12/does_microsoft_look_for_vulner.php
>>
>> Microsoft puts a lot of effort into security research for products under development. But once the product ships they stop looking. Alex Sotirov pointed out that Microsoft's customers, by paying iDefense and TippingPoint and the like, end up paying for research Microsoft should be doing. Perhaps Microsoft is also a customer of these companies, I don't know.
>>
>> LJS
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Juha-Matti Laurio
>> Sent: Saturday, March 27, 2010 7:24 AM
>> To: [email protected]
>> Subject: [funsec] Miller, Pwn2Own's winner tells Apple, Microsoft to find their own bugs
>>
>> http://www.computerworld.com/s/article/9174120/Pwn2Own_winner_tells_Apple_Microsoft_to_find_their_own_bugs
>>
>> "The only researcher to "three-peat" at the Pwn2Own hacking contest said today that security is such a "broken record" that he won't hand over 20 vulnerabilities he's found in Apple's, Adobe's and Microsoft's software.
>>
>> Instead Charlie Miller will show the vendors how to find the bugs themselves.
>>
>> Miller, who yesterday exploited Safari on a MacBook Pro notebook running Snow Leopard to win $10,000 in the hacking challenge, said he's tired of the lack of progress in security. "We find a bug, they patch it," said Miller. "We find another bug, they patch it. That doesn't improve the security of the product."
>>
>> Juha-Matti
>> _______________________________________________
>> Fun and Misc security discussion for OT posts.
>> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
>> Note: funsec is a public and open mailing list.
>
> --
> Joel Esler
> http://blog.joelesler.net

--
Joel Esler
http://blog.joelesler.net
