Chris, you’re right of course. This is the general way it’s done. Someone finds an exploit and submits it to the company, and how they react, and whether or not they take it seriously, determines your next steps.
I’m with the original author though, I think most of this is noise and designed to sell security software that people don’t need and aren’t qualified to use.

> On Aug 13, 2015, at 2:10 PM, 'Chris Blouch' via MacVisionaries
> <[email protected]> wrote:
>
> With the complexity of OSX and iOS I think if somebody figures out the right
> combination of tweaks to bypass security they should tell Apple right away
> and hold off a bit before telling the world. At least give them a chance to
> fix it before giving a free hand up to the bad guys. Of course that lead time
> needs to be kinda short as the vulnerability needs to be fixed before some
> bad folks find it and/or continue to use it. With Apple's automatic updates
> it can also be a while before a reasonable chunk of the population has
> installed the patch. So I'd guess 90 days would be pretty reasonable. If a
> patch hasn't been released by then then it's time to put public pressure on
> Apple.
>
> That said, the oasis of pulchritude hasn't entirely dried up. Yes, there are
> issues and the popularity of the platform has attracted unwanted attention
> from certain quarters but at least there seems to be a reasonably good
> attempt to put locks on all the doors. They just sometimes forget and leave a
> window open.
>
> CB
>
> On 8/13/15 1:21 PM, Sabahattin Gucukoglu wrote:
>> I don’t agree with the author. Of course, this is MacWorld—some amount of
>> Apple butt-kissing is to be expected—but I find his attitude very worrying.
>>
>> First, “Responsible disclosure” vs “Full disclosure” is a choice of
>> researchers, and privileged authors of the press shouldn’t be using their
>> personal ethical judgements about it to suppress public information about
>> flaws simply on that basis. That alone is reason enough to simply distrust
>> any further writings of the author. I am personally of the opinion that we
>> are well past the usefulness of “Responsible disclosure” as a strategy;
>> giving companies rope, but not quite enough to hang themselves with, isn’t
>> moving security forward any faster.
>>
>> Second, and more important, a privilege escalation vulnerability isn’t a
>> problem for advanced users, who already know what Glen is suggesting, i.e.
>> don’t run dodgy software. It is precisely those people who have been
>> trained, per the standard advice, not to type in their passwords when they
>> are suspicious who will be most hit by the root bypass. Obviously, better
>> advice would be “Just don’t trust anyone”, but that’s not how the world
>> works, sadly. I think it’s time for us to acknowledge that the Mac, once a
>> peaceful neighbourhood with only the occasional bit of easily-preventable
>> rogue badness that you could get rid of by just clicking “No” or “Cancel” or
>> whatever, is now increasingly occupied by bad software that is
>> well-advertised, easily installed and hard to recognise by a lot of
>> inexperienced people, and anybody giving a Mac to somebody to keep them (the
>> recipient) quiet and out of their (the donor’s) hair now needs to hold
>> Apple’s once glorious patch turnaround times to account. This is
>> *especially* true if the donor has delivered the Mac with a limited user
>> account and all necessary software already installed or only accessible from
>> the Mac App Store, because as soon as Flash becomes the vector, we’re all
>> finished.
>>
>> Microsoft have learned their security lessons the hard and painful way, and
>> now it’s Apple’s turn. Please don’t give apologists fodder for their absurd
>> denials.
>>
>
> --
> ¯\_(ツ)_/¯
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "MacVisionaries" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/macvisionaries.
> For more options, visit https://groups.google.com/d/optout.
