<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
One thing I find quite interesting is that people who are not in our
community often think vulnerabilities are very simple to fix, if
only they get reported. For example, assume the FDA gets its way
and establishes some level of regulatory-like effort that demands a
response time for fixing software security issues in medical
equipment in lieu of offering a recall. <br>
<br>
But even the biggest software company on Earth, Apple, finds this
hard to do. For example, the <a
href="http://googleprojectzero.blogspot.com/2016/03/race-you-to-kernel.html">recent
P0 blogpost</a> on an OS X local that Ian Beer found demonstrated how
hard this can be in the real world. The issue is not a simple
miscalculation, but rather a design flaw in how the OS X (and iOS)
kernels work. And so you'll note they did not fix every kernel
(Mavericks is still vulnerable and the CANVAS exploit works fine on
it, as it does on all old OS X versions), and even the fix leaves
the Use-After-Free bugs in the same code. (Please don't run the
CANVAS exploit for this issue on patched systems or you will trigger
a UAF.)<br>
<br>
But the strategic issue is this: If you try to regulate by enforcing
a security response, you are going to run into the fact that nobody
has gotten that right yet.<br>
<br>
Another great example of this is how SharePoint and similar systems
struggle with their feature of uploading HTML files and other active
content (which is a universal XSS), and, for example, <a
href="https://www.kb.cert.org/vuls/id/261869">browser-based
SSL-VPNs are all broken by design</a>. Sometimes the answer is "We
can't fix it. Sorry."<br>
<br>
-dave<br>
<br>
</body>
</html>