Wednesday, March 21, 2007

» How Apple orchestrated web attack on researchers | George Ou | ZDNet.com:

When I finally got Fox back on the phone, I asked her some questions about how MacWorld and the unofficial Apple blog got the information on the so-called confession. I got all my questions answered, but I can't disclose what she said since Fox refused to speak on the record. But the bottom line is that Lynn Fox played Jim Dalrymple, David Chartier, and the rest of the Mac press/blogosphere like a violin, though it was clear they were all willing participants. When I pointed out the flaws in their stories, Chartier and Dalrymple simply ignored me and stuck to their guns and Chartier erased all of my comments on his weblog.

So what was the end result of all this? Apple continued to claim that there were no vulnerabilities in Mac OS X, but came a month later and patched its wireless drivers (presumably for vulnerabilities that didn't actually exist). Apple patched these "nonexistent vulnerabilities" but then refused to give any credit to David Maynor and Jon Ellch. Since Apple was going to take research, not give proper attribution, and smear security researchers, the security research community responded to Apple's behavior with the MoAB (Month of Apple Bugs) and released a flood of zero-day exploits without giving Apple any notification. The result was that Apple was forced to patch 62 vulnerabilities in just the first three months of 2007, including last week's megapatch of 45 vulnerabilities.


5:48 AM