Reseller News (NZ) reports that yesterday's Security Update 2008-003 patches 40 vulnerabilities in 25 components and applications, including Flash Player, iCal and Apache.
According to their write-up, 16 of the 40 fixes in Wednesday's update were tagged by Apple with its "arbitrary code execution" phrasing, putting them into a category other vendors would call "critical."
As noted, Flash Player was updated (to v9.0.124.0), but this fix (which actually covers seven issues) is one IGM readers read about and already knew about back on April 9.
Apple's version of Apache received the most attention, with eight issues patched.
iCal fixed?
Apple also patched the most serious of three iCal issues that Core Security had identified and publicly revealed, including a how-to.
"Yes, I can say that they patched the most serious of the vulnerabilities, but I cannot confirm that they have patched, or haven't patched, the other two," said Ivan Arce, chief technology officer of Core Security.
Two other iCal issues, which could be used by an attacker to crash but not take over a Mac, were apparently left unpatched.
"But that doesn't mean that they're not security bugs," said Arce.
Apple and Core disagreed over the relative severity of these two potential problems.
Editor's note: Core Security disagrees with Apple about issues with an Apple application, iCal. The result? When Apple didn't cave to their demands, Core not only published information about two arguably non-critical vulnerabilities (the bones of contention), but also published information on the critical issue about which there was no argument between the two companies.
Core Security crossed the line between whistle blowers and bitter, vindictive bastards with their actions...
bvb Posted by Guest Poster #1 on 05/29/08 11:29 PM
Do you really think that these jerks keep their secrets/knowledge to themselves?? It's all about fame. And these aren't the type of people to hide their light under a bushel!
Their usefulness is dubious at best... Posted by Cyberdog on 05/30/08 3:10 AM
My take is that you did not even care to read the advisory's timeline before leveling your accusations against Core of being "vindictive bastards".
The advisory was published because Apple missed their own timeline for the update 4 times in a row and there was no indication that it would do differently on the fifth attempt, which is what ended up happening. LINK
you're wrong Posted by Guest Poster #3 on 05/30/08 2:59 PM
Would you rather have the vulnerabilities be undisclosed when they are (more than likely) already being abused by hackers? I'd rather know that there is a vulnerability, and be able to review the exploit code myself than blindly trust someone else to fix it. Grow up.
Idiot Posted by Guest Poster #4 on 05/30/08 5:40 PM
I didn't make an accusation. It was a statement of fact.
Before Core told the world that there was an issue, it was a matter of debate whether or not anyone was in immediate danger let alone that anyone had actually been harmed. After they told the world, and included a handy "how to" just for giggles, there was absolutely no question that millions of users were in danger and perhaps some even harmed directly as a result of what Core, not Apple, did.
Moreover, Core didn't just expose the two non-critical issues that were in dispute, they exposed everything, including a critical zero-day exploit.
The bottom line, regardless of any time line, remains the same—"Do what we say [and pay us for the trouble] or we will hurt you [and your users]."
That's not a business model, that's blackmail.
Fire inspectors aren't allowed to sell fire insurance, and for good reason.
M
Statement of fact Posted by M Sharp on 05/30/08 6:45 PM
Where did you get the idea that Core Security was demanding money from Apple to keep quiet about the issue? You are seeing things that just aren't there. Get a clue about how security works in the real world before spouting off your nonsense.
Get a clue Posted by Guest Poster #6 on 05/30/08 7:22 PM
GP #4 I want to know about security issues, too. Up front, out in the open. But that's not what we've got. This "process" is defined by opacity with disclosure as a weapon.
Victims don't come forward. Perps aren't caught.
GP #6 Core evaluates a network / site or is called in to find how hackers are getting into a network / site. Core goes to Apple with the vulnerability, demands action on behalf of... the client (victim?), themselves, users?
And, here's the rub for me, the fire inspector demands action or else they'll show the arsonists where / how to set fires in millions of homes and businesses.
This is "security" in the real world?
You're right that the relationship between threat and payment isn't direct. Perhaps that's the nut of this issue...
Posted by Guest Poster #7 on 05/31/08 12:09 AM
Guest Poster #7, you are delusional. Core Security is NOT extorting Apple. Yes, Core Security gets paid by clients to secure a network. This has nothing to do with Apple "being held hostage" or anything about fire marshals. While I understand the point you are trying to make, I'm telling you that that isn't the way it works in the real world. Are you a security professional? Didn't think so. Stop trying to stir up trouble with your delusions.
Delusional Posted by Guest Poster #8 on 05/31/08 12:26 AM
A point-by-point rebuttal would be more informative than "you're delusional."
And, what exactly is wrong with stirring up trouble?
Posted by Guest Poster #9 on 05/31/08 12:59 AM
Since applying the 2008-003 update, I seem to be having wake-from-sleep issues on my dual 2.0GHz G5 running OS X.4.11. Either the monitors won't wake from sleep, or it will wake and then have a kernel panic five to fifteen minutes later and tell me to shut down my machine, or it will just shut down on its own with no warning.
The only thing that has changed in the past couple of weeks is the 2008-003 update.
Anyone else experiencing anything out of the ordinary?
Anyone with issues? Posted by Guest Poster #10 on 05/31/08 2:05 PM
If I was having the same problems, I'd install the X.4.11 combo and then the security update.
M
Posted by M Sharp on 05/31/08 9:58 PM
I've been running X.4.11 since the middle of last November when it came out. Are you saying you'd reinstall it?
Posted by Guest Poster #10 on 06/01/08 8:56 AM
Not the whole OS, just install the X.4.11 combo update, then run the software update to install recent security patches, etc.
M
Posted by M Sharp on 06/01/08 4:10 PM
That is what I'm asking - reinstall the update that I installed in Nov. 2007?
Posted by Guest Poster #10 on 06/02/08 4:36 PM
Yes, install the X.4.11 combo update.
Posted by Guest Poster #15 on 06/02/08 5:21 PM
Still no luck. Tried re-installing the X.4.11 combo as suggested and then tried re-installing the 2008-003 update. Also went through the Tech Tool Pro Suite to check the hardware, just to see if something had gone flaky and the 2008-003 update was just a coincidence. Nope, no memory, processor, drive, or other issue that I could find...
Posted by Guest Poster #10 on 06/04/08 5:27 PM
Have you checked MacFixIt or Apple's forums? You might want to seek professional help at an Apple Store, etc...
M
Posted by M Sharp on 06/04/08 6:13 PM
I have the question posted a couple places to cover different bases. This has gotten the most response, but still no viable solution anywhere.