TELECOM Digest OnLine

When "Full Disclosure" Equals Collusion, Users Are in Danger


Monty Solomon (monty@roscom.com)
Sat, 30 Sep 2006 16:55:32 -0400

By: Joe Barr

Gone are the days when "full disclosure" meant the immediate public
release of information about vulnerabilities or exploits uncovered by
security researchers. Whatever it means today is the result of a
collaboration -- some might call it collusion -- between the
researcher or firm finding the flaw and the vendor or project
responsible for the code. Recent patches from Apple illustrate the
dangers of this practice when proprietary software is involved.

Last week, Apple announced three security patches for its wireless
component across virtually its entire platform line.

The first patch (CVE-2006-3507) is for two stack overflow
vulnerabilities in Airport, Apple's wireless driver. The second patch
(CVE-2006-3508) fixes a heap buffer overflow in Airport. The third
patch (CVE-2006-3509) addresses an integer overflow in Airport code
which handles third-party wireless card connections. All are ranked as
"high" severity in the National Vulnerability Database.

According to Apple, there are no known exploits for any of these
vulnerabilities. Of course, this is the same firm that denied its
customers were at risk from wireless vulnerabilities last month.

One bad Apple spoils the barrel

The problem is that Apple's claims that there are no known exploits
are false. Not only have exploits been found, they've been
demonstrated, explained, and widely publicized.

http://software.newsforge.com/article.pl?sid=06/09/26/1828244
