You are currently browsing the Stan’s List weblog archives for the day Friday, August 3rd, 2007.

ChannelWeb reports on the Black Hat Briefings conference. In spite of Apple’s security update, Charles Miller gave his presentation at the Black Hat Briefings. He even demonstrated the iPhone Safari vulnerability that existed prior to the iPhone update. What was a bit shocking was his analysis of Apple’s security practices. Here are some snippets:

Miller listed a number of what he considers to be specific bad development practices on Apple’s part, the most egregious of which is Apple’s regular inclusion in the OS X platform of older, outdated versions of open source code, much of which has known security bugs.

“Here’s my formula for finding a zero-day [vulnerability] on a Mac; here’s what you do,” said Miller in his presentation. “First, find an open source package that they use that’s out of date — there’s plenty of those. Read through the changelog for the current version of that software, find a usable bug that’s been fixed in the newer versions. And you’re done. You don’t have to worry about static analysis or fuzzing or any of that stuff.” More …

The announcement that a worm targeting the vulnerability in Mac OS X’s mDNSResponder would not be disclosed may have caused Apple to completely disable mDNSResponder with the recently released Security Update 2007-007. Berkerming surmises that this may give Apple the opportunity to correctly address the problem. More …

Some members of the press have been invited to a presentation, at which Steve Jobs will take the stand, focusing on Apple’s computers. Most writers have suggested that Steve Jobs will announce a new, long-overdue iMac (e.g. this Dow Jones Newswires article). More …