
May 27, 2008

Hall's First Law of Security Stories

Apple irritated a security company over some vulnerabilities in iCal:

“Critical vulnerabilities remain in Apple Inc.’s iCal calendar program, a security company said Wednesday in an advisory that showed months of back-and-forth between Apple and the researchers over whether bugs were serious enough to warrant patches, and if so, when Apple would patch them.

“After several delays requested by Apple, the security vendor put its foot down and told the company’s security team it would release information about the vulnerabilities May 21, whether Apple had issued patches or not.

“In a bulletin posted to the Bugtraq and Full Disclosure mailing lists and on its own Web site, Core Security Technologies detailed three bugs in iCal that attackers could remotely exploit using compromised servers, malicious Web sites or e-mailed .ics file attachments.

“‘The vulnerabilities may allow un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeatedly execute a denial of service attack to crash the iCal application,’ said Core Security.”

There’s a steady flow of bugs and vulnerabilities exactly like the ones ComputerWorld is reporting on here: seemingly small things that aren’t dangerous on their own, and become dangerous only when combined with a follow-up of some sort that takes advantage of an app crashing, misreading data, or what have you.

The appropriate response to a security researcher mentioning such a thing from anyone, end user or vendor, will usually be “thank you.”

Unless operating system fanboys are involved. In which case the appropriate response is either stony silence, lest rival OS zealots learn of a flaw, or scorn and derision over how petty the vulnerability seems.

(Link)


Posted by mhall at 7:46 PM
