Re: Response -> Problem ID: 6103391 Mac OS X Server Security Updates Lacking in Timeliness

On Sun, Jul 27, 2008 at 8:10 PM, Chris Barker
<email@hidden> wrote:
> On Sun, Jul 27, 2008 at 3:10 PM, Jaime Magiera
> <email@hidden> wrote:
>> On Jul 25, 2008, at 8:30 PM, Chris Barker wrote:
>>>
>>> Submitted mine around the same time as yours (6103700), under security for
>>> 10.4.11 server.
>>>
>>> Be interesting to see what their response time is on a Friday afternoon.
>>
>> Hi,
>>
>> Interestingly enough, I got a response this morning (Sunday). Apparently,
>> they are well aware of the problem, but ran into difficulties with the patch
>> that rendered some BIND installations unusable. They are currently working
>> out the issues and will have an update shortly. Fair enough. As I mentioned
>> previously, when the truth comes out, we see the problem was not an issue of
>> "elected", but one of unintended problems.
>>
>> I don't want to pick apart someone's words, particularly when they are not
>> here to defend themselves, but there was one thing in the response that
>> tweaked me the wrong way. Essentially, words to the effect of "It would be
>> worse to break this functionality than to rush out a 'fix', especially since
>> we have received no report of any actual exploit against our installed
>> base." IMHO opinion, this is a security vulnerability whose remedy precludes
>> known exploit attempts against the user base. I know that isn't what the
>> Apple person meant literally, but it is likely indicative of a mindset that
>> Apple needs to shake. Now that the vulnerability's details have been
>> published from here to Timbuktu, we know that at least a marginal amount of
>> script kiddies will attempt to exploit it. This fact puts the
>> vulnerability's remedy in the category of "preventative measures".
>>
>> At any rate, I feel much better knowing that Apple is in fact attempting to
>> remedy the situation. It is not off their radar so to speak.
>>
>> So, that's the scoop. Continue to have a great weekend,
>>
>> Jaime Magiera
>>
>> Sensory Research
>> http://www.sensoryresearch.net
>>
>
> That reply is just, well, WOW.
>
> It would be nice if that is the state, that they make a statement as
> such to the CERT team, so there is at least something more than just
> "no response" listed on the CERT page.
>
> I'll see what I get on my response.
>
> --
> Chris Barker
> Purveyor of Fine Suggestions
> ACSA
>

Got my response, entirely generic, including the choice phrase:

For the protection of our customers, Apple does not publicly disclose,
discuss or confirm security issues until a full investigation has
occurred and any necessary patches or releases are available.

--
Chris Barker
Purveyor of Fine Suggestions
angrydome.org
ACSA
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macos-x-server mailing list      (email@hidden)
