Users warned Apple about a serious security issue in macOS High Sierra

Posted by Dave Smartier, 03.12.2017

A bug bounty wouldn’t have helped Apple spot the macOS root flaw, but Apple should consider a bug bounty, or at least better vulnerability reporting, anyway. Earlier this week, Turkish developer Lemi Orhan Ergin tweeted about a serious flaw in macOS High Sierra that let anyone access your computer by logging in as root with no password. Apple issued a patch the next day.

Responsible disclosure advocates immediately piled on Ergin, calling his tweet “idiotic”, “a little foolish” and “completely irresponsible”. Responsible disclosure is the idea that if you spot a vulnerability, you should alert the company first and give it enough time to bash together a patch before going public.

© Article’s author: Nicole Kobie.
© Source: Wired UK

Despite the Twitter abuse, Apple was apparently warned about the flaw before Ergin tweeted it out. In a Medium post, Ergin claimed that the issue was spotted by staff at the company he works for – and they did disclose it to Apple before taking it public. “Wired UK” asked Apple for confirmation of the disclosure, but the company hadn’t responded at the time of publication.

“A week ago the infrastructure staff at the company I work for stumbled on the issue while trying to help one of my colleagues recover access to his local admin account,” he wrote. “The staff noticed the issue and used the flaw to recover my colleague’s account.”

Ergin explained that his colleagues reported the flaw to Apple on November 23 and noticed that it had been discussed in the Apple Developer Forum as far back as November 13. “It seemed like the issue had been revealed, but Apple had not noticed yet.”

Ergin didn’t tweet about the flaw until five days later, on November 28. Regardless of whether five days is enough to qualify as responsible disclosure, Ergin’s tweet was well intentioned. “The issue was very serious. It has already been mentioned in forums and revealed publicly a few weeks ago,” he wrote on Medium. “I have no intention to harm Apple and Apple users. By posting the tweet, I just wanted to warn Apple and say ‘there is a serious security issue in High Sierra, be aware of it and fix it’.”

Following the public attention, Apple immediately issued advice on a workaround, and had a patch ready the next day. While that’s good news for macOS users, it’s raised the question of whether Apple could do more to encourage security researchers to watch out for issues on the Mac operating system.

Responsible disclosure is encouraged by so-called bug-bounty programs, under which companies pay security researchers for reporting such flaws. They’re popular across the tech world: in 2016 alone Google paid out $3 million, and Facebook, Tesla, Microsoft and Uber all have similar programs. Even non-tech companies are using them: Bugcrowd’s State of Bug Bounty report revealed that enterprise adoption of such programs was up 300 per cent last year.

Google’s bug bounty program pays out $3 million, mostly for Android and Chrome exploits:

If you’re willing to hunt for flaws within its vast array of software and services, Google’s happy to pay up. Over the course of its 2016 Vulnerability Rewards Program, the company paid out $3 million – a third of the total $9 million that enthusiastic researchers have earned since the initiative, more colloquially known as a bug bounty program, launched in 2010.

The latest round of bug bounties yielded 1,000 individual rewards to 350 participants, with the largest single reward totaling $100,000. Last March, Google doubled the bounty for a Chromebook hack from $50,000 to $100,000, after no one managed to pull one off.

Among 2016’s bug bounty exploits:

Google awarded $3,134 to researcher Tomasz Bojarski for an XSS vulnerability identified on its events site (events.google.com). Bojarski has been hunting for Google exploits from a small town in Poland for the last three years, and he claims to do it for the “sheer enjoyment.” Maybe also for the glory, because he’s killing it on Google’s bug bounty leaderboards.

A “bug chain bonus” of $5,000 and another $7,500 for a JavaScript exploit targeting the Google account recovery page.

A Chrome OS vulnerability involving a one-byte overflow in a DNS library, detailed on the Project Zero blog. Sounds like someone finally cashed in on Google’s Chromebook call to action.

But while Apple has an invite-only bug bounty programme for iOS, it doesn’t pay out for flaws found with macOS. Critics suggest that means researchers are less likely to dig about in macOS code looking for flaws. “Bug bounty programs help further incentivise hackers to spend more time looking for bugs,” says Alex Rice, co-founder and CTO of HackerOne. “Bounties can help attract more attention from a broader audience, meaning you’ll have more people testing the security of your software.”

Keith Hoodlet, Bugcrowd’s trust and security engineer, agrees. “I think (Apple) would likely benefit from having a bug bounty program that’s a little bit broader than just iCloud or iOS infrastructure,” Hoodlet says. “Large companies usually see a lot of savings from having a bug bounty programme, and that’s usually a time-cost savings.”

On the other hand, the high value of Apple flaws may make them a special case – a report by Motherboard last year suggested researchers are much more likely to sell iOS vulnerabilities to the highest bidder as they’re too valuable to hand over to Apple.

Apple is certainly wealthy enough to pay for flaws, so why doesn’t it?

“Apple has had a history of somewhat closed doors when it comes to dealing with or responding to vulnerabilities that have been reported against their systems,” Hoodlet says. “Historically speaking, Apple does not credit researchers for their findings when it comes to vulnerabilities being fixed, so to that end it may just be a company culture.”

Rice notes that not having a bug bounty doesn’t mean Apple is weak on security, saying such programs are “by no means a silver bullet” for security. “Vulnerabilities are always inevitable and Apple should be applauded for their exceptional security response – the issue was fully resolved in a matter of days,” he adds.

Even without a bug-bounty program, Apple does take flaw reports over email, and Rice says it’s more important to have such a vulnerability disclosure program than it is to pay for reports. “This tells the world, ‘If you know of a vulnerability we’d like you to share it with us so we can fix it,’” Rice says. “It’s providing a safe and secure channel for friendly hackers to disclose what they find and ensuring they won’t face a response from a lawyer or law enforcement.”

If you do spot a bug, Apple’s vulnerability disclosure details are here.

Infotolium confirmed this security flaw exists on macOS High Sierra 10.13.0.
