Comments on: Safari 3.01 released

By: kimblim

kimblim — Sat, 23 Jun 2007 03:39:30 +0000

And now 3.02 is out - while I think it is great that Apple reacts so quickly to all the security issues, it also gives a clear signal that their beta was more of an alpha… 3.0 simply was not ready to hit the users, but I guess Apple had to deliver something for their conference. Apple can pretty much get away with everything these days because (for some crazy reason) everybody is believing the hype surrounding the company.

By: Thor Larholm

Thor Larholm — Sun, 17 Jun 2007 19:47:09 +0000

“Anon Ymous” is partially right, Apple will only credit researchers in their security updates if those researchers have given them advance notice and not released any information about that vulnerability until Apple has released a patch for the vulnerability.

Whether or not that is the definition of ‘responsible disclosure’ has been debated for many years. One thing that is certain is that the length of that time window for the patch release, whether it be days, weeks, months or years, is entirely up to Apples own discretion.

There are not that many enticing reasons for following a vendor procedure that is lacking in definition and can be changed at will.

I have definitely received proper credit for the discovery of this vulnerability by the security community at large.

Regards
Thor Larholm

By: Anon Ymous

Anon Ymous — Sun, 17 Jun 2007 16:49:32 +0000

I believe Apple’s policy is not to credit researchers in security updates unless they practice responsible disclosure. Those that let Apple know about a security issue and provide some time window for a fix to be released before publishing details to the public are credited as you can easily see by looking at the details of Apple’s past software and security updates.

By: Charlie

Charlie — Sat, 16 Jun 2007 23:16:32 +0000

Cool, keep up the bug finding! It’s super super easy to do URL encoding, I’m somewhat shocked that they didn’t just use that function. And thanks for the extra explanation in the comments of the previous article, it became much more clear.

By: Trancer

Trancer — Sat, 16 Jun 2007 01:44:32 +0000

They fixed five security issues, without crediting anyone of the bug finders.
There are additional vulnerabilities that has disclosed, reported to Apple (with no reply), and hasn't been fixed:
http://www.rec-sec.co.il/2007/06/12/apple-safari-for-windows-vulnerabilities/#one
I see no point in that.

By: Nueva versión beta de Safari para Windows « Un poco de mucho

Nueva versión beta de Safari para Windows « Un poco de mucho — Fri, 15 Jun 2007 09:30:25 +0000

[...] siendo “tan inestable y poco fiable como su predecesora”. Por su parte, Thor Larholm comenta en su blog que se encuentra ahora mismo en el trabajo y aún no dispone de tiempo para echar un vistazo a la [...]

By: hackd » Tame Safari

hackd » Tame Safari — Fri, 15 Jun 2007 04:10:28 +0000

[...] impressive - 3 days after the original release and the justified shit-storm that followed, 3.0.1 got out. Thor Larholm mentions his finding is no longer exploitable on this version [but still very much so [...]

By: No tío, contra Mozilla no le resulta at </nerdpride>

No tío, contra Mozilla no le resulta at </nerdpride> — Fri, 15 Jun 2007 03:13:19 +0000

[...] …dijo tío Steve en algún lugar de la WWDC, y quizás contra Internet Explorer le resulte (en fallos, como contó pancho) pero contra firefox, un poco difícil. Cuatro días después de haber lanzado el primer ehhrgrg uhmm ¿beta? de Safari para windows, y haber parchado los no uno, ni dos, si no tres bugs con esta nueva -y mejorada versión- se vuelve a poner en duda. [...]

By: After hacker dissection, Safari beta is patched « Connect Fans

After hacker dissection, Safari beta is patched « Connect Fans — Fri, 15 Jun 2007 01:53:43 +0000

[...] Apple for fixing a serious security vulnerability in such a short time frame,” he wrote in a blog posting. “Their usual response time can be counted in weeks to [...]

By: Johnny Not My Name

Johnny Not My Name — Fri, 15 Jun 2007 01:11:14 +0000

You rule dude! Just found your blog.. dig the way you are real.