*Sigh*

Came across this tidbit while catching up on some stuff. Not good at all, really. The only positive thing about all of this is that at least security guys are giving Apple's stuff an actual look... but isn't this the 2nd exploit regarding inadequate checking over input fields in like 2 months, both different?

Yeah, I know the first was a system-wide problem with Cocoa text fields, and this is application-specific. But come on, this is input checking on the keychain, the jewels to most of what the user might hold dear.

Basically, two things are coming to mind:

  • Apple seems to not be real thorough on some of these things, which could bode ill. For every MS exploit out there, the other platforms (*nix, including osx) gain some positive brainwidth. When that starts getting overwhelming, you've got something. For every one Apple has to patch, they erase a lot more brainwidth than they gain through MS having a bad day. After the first Cocoa text field exploit, I'd have hoped they'd been going nuts reviewing all others... as I'm sure that's what turned this guy onto looking into it.

  • Apple doesn't seem to have any set policy regarding security issues: the left hand doesn't seem to know what the right hand is doing. In both of the last few cases, if I recall correctly, the researchers waited a bit over a month after notifying Apple to go public, usually because they simply couldn't get any word from Apple. They're in a whole different world with a lot of these guys, and are really going to need to adopt a strategy that doesn't end with security guy after security guy going public because they couldn't get a straight answer out of Apple.
Posted by drunkenbatman
    January 01, 2004, at 10:16 PM

