TidBITS on Security Update 2008-005

Glenn Fleishman and Adam Engst:

Twenty-four days after the rest of the industry mobilized to patch a serious flaw in the domain name system (DNS) protocol that’s core to the functioning of the Internet, Apple has at long last released Security Update 2008-005, which includes its fix for the regular and server flavors of Mac OS X 10.4 Tiger and 10.5 Leopard. If 24 days doesn’t sound like a long time, note that Apple was notified privately on 05-May-08, nearly 3 months ago, and this is for a vulnerability with significant exposure that had the potential to be disastrous for Apple’s business and hosting customers, as amply described in an opinion piece for Macworld by Mac system administrator John Welch.

Today’s issue of MDJ had this to say:

In the face of theoretical zero-day exploits, the question had remained: can Apple produce a zero-day patch if a real exploit shows up? Now we have the answer: no. The company’s deliberative and opaque security process can benefit customers by not rushing ill-considered patches out the door that might need subsequent patches a day or two later. Yet when a real zero-day exploit arrives, Apple has shown it has no mechanism for dealing with it.

Monday, 4 August 2008