When "Full Disclosure" Equals Collusion, Users Are in Danger

By: Joe Barr

Gone are the days when "full disclosure" meant the immediate public release of information about vulnerabilities or exploits uncovered by security researchers. Whatever it means today is the result of a collaboration -- some might call it collusion -- between the researcher or firm finding the flaw and the vendor or project responsible for the code. Recent patches from Apple illustrate the dangers of this practice when proprietary software is involved.

Last week, Apple announced three security patches for its wireless component across virtually its entire platform line.

The first patch (CVE-2006-3507) is for two stack overflow vulnerabilities in Airport, Apple's wireless driver. The second patch (CVE-2006-3508) fixes a heap buffer overflow in Airport. The third patch (CVE-2006-3509) addresses an integer overflow in the Airport code that handles third-party wireless card connections. All three are ranked as "high" severity in the National Vulnerability Database.

According to Apple, there are no known exploits for any of these vulnerabilities. Of course, this is the same firm that denied its customers were at risk from wireless vulnerabilities last month.

One bad Apple spoils the barrel

The problem is that Apple's claims that there are no known exploits are false. Not only have exploits been found, they've been demonstrated, explained, and widely publicized.
