Friday, October 5, 2018

Finding and Exploiting Safari Bugs Using Publicly Available Tools

Ivan Fratric (Hacker News):

The original advisories most likely didn’t include all the issues because Apple wanted to wait for the issues to also be fixed on MacOS before adding them. However, this practice is misleading because customers interested in the Apple security advisories would most likely read them only once, when they are first released, and the impression they would get is that the product updates fix far fewer vulnerabilities and less severe vulnerabilities than is actually the case.

Furthermore, the practice of not publishing fixes for mobile or desktop operating systems at the same time can put the desktop customers at unnecessary risk, because attackers could reverse-engineer the patches from the mobile updates and develop exploits against desktop products, while the desktop customers would have no way to update and protect themselves.


Isn't Apple fuzzing the hell out of their own stuff? Why does Google find these first?

@bob,
Don't know, but it makes you wonder why Google took three years to figure out their security/privacy bug in Google+, especially given their apparent prowess in this field.
