7/2/2023 0 Comments Hands off mac os 10.10.5Of course I understand the reason this may not be the best way for it to be reported, but maybe we should be glad this was found and reported at all, for free, by someone in "the community." It almost seems entitled, to expect someone else to do you a favor for free, and for you to also dictate the terms. It's interesting that you seem to rely on "the community" to notice whether this was being exploited by malware, but are mad at somebody from "the community" reporting it without it having been exploited by malware. Are they inherently more capable of making a good decision just because they're a corp? You can question whether he knows enough or has the right to make that call, but if he disclosed responsibly, you'd be trusting Apple in the same way. But, if it were only in narrow use and the discloser has determined this was the fastest way to warn people, do those narrow victims deserve security less than everyone else? Some of the discloser's statements make me wonder if he does know of other exploiters. Maybe not "widespread" use since, as you say, it doesn't seem to be publicly known. > certainly doesn't mean we should adopt a policy based on the idea that the exploit is currently in widespread use. But, it could depend on whether some OS X servers were patched, or company-managed OS X workstations, or virus-scanner definitions updated, which could simultaneously protect many users. > The question here is has the public availability of the exploit secured more users from realistic attack than it has exposed? You are right that my argument is sort of philosophical and not practical. Apple got a few hours' head-start, some people can patch early, malware authors will have to spend some time reverse-engineering a complete exploit. I guess it's down to one's own values and possibly omniscience to conclusively determine whether the downsides outweigh that.Ī more responsible version of this might be to release the source of a kext that patches the issue concurrently with confirmation from Apple. This release both lights a fire under Apple and helps a few people patch early or at least be extra-careful about what they execute. There are people in this thread more secure today than they were yesterday, and they owe it to this "irresponsible disclosure." Do they have less of a right to security than the "unelite"? We don't know whether this is already being exploited by someone else, and as you said, it could be weeks before an official patch. I'm counting on the press and community to distribute the information about the no_shared_cr3 workaround and any kext that comes out, just as Apple's fix is most effective when everyone's being told they should be sure it gets applied.
0 Comments
Leave a Reply. |