ComputerWorld is reporting comments by Charlie Miller, the person who "won" this year's CanSecWest Pwn2Own hacking contest by taking control of a MacBook Air. As part of the deal, which netted him $10,000 and the aforementioned Mac, he disclosed the exploit he used, which was based on a flaw in WebKit, the open-source underpinnings of Apple's Safari.

At the time, Apple asked Miller if the flaw affected the iPhone, and he said he believed it did, though he hadn't actually tested his assumption. Experts at ZDNet, sponsors of CanSecWest, told the mothership they didn't think the flaw affected the iPhone. For its part, Apple says that it did test the iPhone and found the underlying memory flaw, but not an issue that affected security.

Fast forward several months: in The Washington Post, Miller slammed Apple for not patching the vulnerability, which he says he told the company about. Yesterday, Miller again attacked Apple's security practices, both in general and specifically over the issue he uncovered with WebKit vis-a-vis the iPhone.

"They got all mad, and sent me a nasty e-mail," Miller said. "They said I should have reported this to Apple security rather than to The Washington Post. I told them 'I gave you the exploit, what else do you want me to do?'"

Apple patched the exploit last week with the release of the iPhone 2.0 software.

Editor's note: Much like the case of CoreSecurity, we have a case where the facts were in dispute, yet the "security expert" involved chose to expose users. Moreover, just like CoreSecurity, which exposed millions of Mac users in order to make their point, Miller released details of a vulnerability because he doesn't agree with how Apple does things. Wag the dog...