[Dailydave] OS X and patching being hard.

dave aitel dave at immunityinc.com
Thu Mar 24 15:09:52 EDT 2016


One thing I find quite interesting is that people who are not in our
community often think vulnerabilities are very simple to fix, if only
they get reported. For example, suppose the FDA gets its way and has
some level of regulatory-like effort that demands a response time for
fixing software security issues in medical equipment in lieu of offering
a recall.

But even the biggest software company on Earth, Apple, finds this hard
to do. For example, the recent P0 blogpost
<http://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html> on an
OS X local Ian Beer found demonstrated how hard this can be in the real
world. The issue is not a simple miscalculation, but rather a design
flaw in how the OS X (and iOS) kernels work. And so you'll note they did
not fix every kernel (Mavericks is still vulnerable and the CANVAS
exploit works fine on it, as it does on all old OS X versions), and even
the fix leaves the Use-After-Free bugs in the same code. (Please don't
run the CANVAS exploit for this issue on patched systems or you will
trigger a UAF).

But the strategic issue is this: If you try to regulate by enforcing a
security response, you are going to run into the fact that nobody has
gotten that right yet.

Another great example of this is how Sharepoint and similar systems
struggle with their feature of uploading HTML files and other active
content (which is a universal XSS), and for example, browser based
SSL-VPNs are all broken by design
<https://www.kb.cert.org/vuls/id/261869>. Sometimes the answer is "We
can't fix it. Sorry."

-dave