They're not using the play store or anything Google, inform yourself, I'm not going to do the browsing for you.

I know they're not using play store, but it is not because they have dumped anything. AOSP doesn't have any Google thing and in China there is no Google play or services

Perhaps the one that has to do the browsing and informing better is you.
 
Maybe it would be better if they let CERT handle the full disclosure. They only grant 45 days, though.

That's FALSE. CERT doesn't have a standard number of days. Read the whole disclosure document. How long depends on complexity, severity and if the vendor is actually doing anything about it. If the vendor is contacted and then refuses to interact with them, well then without any info to go on, they'll release it after 45 days.

Their goal is to increase security, not follow dogma.

BTW, CERT is NOT a standards body, so even there using them as the ultimate arbitrator is exceeding their own influence.

At least they're not robots and releasing things in an automated way like a drone instead of using common sense.
 
That's FALSE. CERT doesn't have a standard number of days. Read the whole disclosure document. How long depends on complexity, severity and if the vendor is actually doing anything about it. If the vendor is contacted and then refuses to interact with them, well then without any info to go on, they'll release it after 45 days.

Their goal is to increase security, not follow dogma.

BTW, CERT is NOT a standards body, so even there using them as the ultimate arbitrator is exceeding their own influence.

At least they're not robots and releasing things in an automated way like a drone instead of using common sense.

You should read the disclosure policy before saying "false"; at least you would not show the voluntary ignorance you're showing.

And as it is clear your position, your biases and your lack of just informing yourself about what you hate, have a day.
 
Having read all the whining in this thread, the same ridiculous argument redundantly keeps being made. And if it was directly answered this way I missed it. So I'll jump in here.

So, the argument is that 90 days came just 2 days before Microsoft's patch Tuesday. And that Microsoft wanted to wait 2 days until their official Tuesday release schedule. And people think that they should have had that extra 2 days grace period to prevent an announcement from being made.

That's ridiculous.

So, let's suppose that Microsoft had the patch ready on Wednesday of last week. Tuesday has already passed. It's ready for release, but Tuesday is now a week away. Because they only release fixes on a Tuesday, a vulnerability should be left in place for no reason other than because it's not a Tuesday???? That's just stupidity.

Fixes should be made available the moment they are ready. Microsoft apparently had it ready. They just didn't want to give it to us because it wasn't a Tuesday. Ridiculous.

People apparently take their security quite lightly. How about this.... You find out that the locks on your house aren't working properly and the door randomly swings open. You call the locksmith and he says oh yeah, I can fix that. And it'll only take 5 seconds. You can either bring the locks to me or I'll come to you. You say, great, how soon can you be here. He says actually I'm right next door, and I'm not busy at the moment. But my policy is to only fix that particular issue on a Tuesday, and today is Wednesday. I have nothing else going on this week that would prevent me from fixing it, I just only fix that particular problem on Tuesdays.

Now let's see how much you defend that locksmith. Now imagine he's the only guy in town who could possibly fix your door.

Hope you have nothing better to do for a week besides sit at home and lean against the door to hold it closed.

The 90 day policy gives companies plenty of time to fix the issue. A company deciding to sit on a fix just because today isn't Tuesday is ridiculous. There is no reason other than thick-headedness to sit on providing a software patch because today isn't Tuesday.
 
Nice heads-up from a company who has the buggiest OS of them all.
Let others report all the bugs and security holes in Android and give them 90 days.........

----------

How do you know they're not.

Because nobody takes Android seriously when it comes down to security.
 
Nice heads-up from a company who has the buggiest OS of them all.
Let others report all the bugs and security holes in Android and give them 90 days.........

Actually, Google is totally cool with that. In fact, they encourage it.

From http://www.google.com/about/appsecurity/ :
"If you believe you have discovered a vulnerability in a Google product or have a security incident to report, go to goo.gl/vulnz to include it in our Vulnerability Reward Program. If you have a vulnerability report for Android, email security@android.com. For Chrome vulnerabilities, use the Chromium bug tracker. Upon receipt of your message we will send an automated reply that includes a tracking identifier. If you feel the need, please use our PGP public key to encrypt your communications with us.

We believe that privately notifying vendors about vulnerabilities in their software, and setting reasonable disclosure deadlines in accordance with the severity of the bugs, is good for the overall security of Internet users."
 
Um my brand new MacBook Pro does not see this as an available update...

Not sure if you are being sarcastic or not. Yosemite 10.10.2 has not been officially released yet but is expected soon. However you can download and install it as part of Apple’s public beta program. Lots of users do to see if their particular issue has been dealt with (like the WiFi issues.)

----------

iMore is now reporting that Yosemite 10.10.2 also fixes the Thunderstrike vulnerability, which also requires physical access to a machine.
 
Forcing people to do what you want is always WRONG. It's called extortion...

But with extortion being the standard way of politics in the US, no wonder few see problems with Google behaving as it does.

Might be worthwhile to take a look at how the computer security industry works and has pretty much always worked before jumping to some sort of conclusions.
 
Actually, Google is totally cool with that. In fact, they encourage it.

From http://www.google.com/about/appsecurity/ :
"If you believe you have discovered a vulnerability in a Google product or have a security incident to report, go to goo.gl/vulnz to include it in our Vulnerability Reward Program. If you have a vulnerability report for Android, email security@android.com. For Chrome vulnerabilities, use the Chromium bug tracker. Upon receipt of your message we will send an automated reply that includes a tracking identifier. If you feel the need, please use our PGP public key to encrypt your communications with us.

We believe that privately notifying vendors about vulnerabilities in their software, and setting reasonable disclosure deadlines in accordance with the severity of the bugs, is good for the overall security of Internet users."

The "standard" (there is no such thing) is not an arbitrarily set deadline, no matter its length. That's not even what CERT does. They routinely go way, way beyond that 45 days. There were major Linux bugs that were there for years and CERT knew about and did not reveal. Severity and complexity, and willingness/ability of the vendor to fix, enter into the equation. Why? Because the goal is increased security, not increased dogma.

So, Google's releasing at 90 days (especially with exploit) is not standard and no matter how often they drone it, that doesn't make it so. BTW, CERT is not even close to being a standards body.

Google also drops patching of even an 18-month-old OS for very severe security bugs and then blames it on the OEM when in fact, even if the OEM wanted to get a fix in, there would be none to be had. That doesn't make me think they actually care one bit about security.
 
The "standard" (there is no such thing) is not an arbitrarily set deadline, no matter its length. That's not even what CERT does. They routinely go way, way beyond that 45 days. There were major Linux bugs that were there for years and CERT knew about and did not reveal. Severity and complexity, and willingness/ability of the vendor to fix, enter into the equation. Why? Because the goal is increased security, not increased dogma.

So, Google's releasing at 90 days (especially with exploit) is not standard and no matter how often they drone it, that doesn't make it so. BTW, CERT is not even close to being a standards body.

Google also drops patching of even an 18-month-old OS for very severe security bugs and then blames it on the OEM when in fact, even if the OEM wanted to get a fix in, there would be none to be had. That doesn't make me think they actually care one bit about security.

Focusing once again on the arbitrary and irrelevant rather than on the fact that there are security issues and they should be fixed as soon as possible.
 
Having read all the whining in this thread, the same ridiculous argument redundantly keeps being made. And if it was directly answered this way I missed it. So I'll jump in here.

So, the argument is that 90 days came just 2 days before Microsoft's patch Tuesday. And that Microsoft wanted to wait 2 days until their official Tuesday release schedule. And people think that they should have had that extra 2 days grace period to prevent an announcement from being made.

That's ridiculous.

So, let's suppose that Microsoft had the patch ready on Wednesday of last week. Tuesday has already passed. It's ready for release, but Tuesday is now a week away. Because they only release fixes on a Tuesday, a vulnerability should be left in place for no reason other than because it's not a Tuesday???? That's just stupidity.

Fixes should be made available the moment they are ready. Microsoft apparently had it ready. They just didn't want to give it to us because it wasn't a Tuesday. Ridiculous.

People apparently take their security quite lightly. How about this.... You find out that the locks on your house aren't working properly and the door randomly swings open. You call the locksmith and he says oh yeah, I can fix that. And it'll only take 5 seconds. You can either bring the locks to me or I'll come to you. You say, great, how soon can you be here. He says actually I'm right next door, and I'm not busy at the moment. But my policy is to only fix that particular issue on a Tuesday, and today is Wednesday. I have nothing else going on this week that would prevent me from fixing it, I just only fix that particular problem on Tuesdays.

Now let's see how much you defend that locksmith. Now imagine he's the only guy in town who could possibly fix your door.

Hope you have nothing better to do for a week besides sit at home and lean against the door to hold it closed.

The 90 day policy gives companies plenty of time to fix the issue. A company deciding to sit on a fix just because today isn't Tuesday is ridiculous. There is no reason other than thick-headedness to sit on providing a software patch because today isn't Tuesday.

Please read up on what CERT actually has to say about releasing information, when they do it, why they do it. There is no *fixed* 90 day, or even 45 day release; it is not how it is done. It is context related. The ultimate goal is security, not following a script. So, please stop that leitmotiv.

Your door analogy is totally off, this exploit needed someone to already be inside to work. It is not a remote exploit. That's more like telling the general public that this type of safe has a particular type of clicks when it is on the right number, despite the fact the safe maker is days away from the fix. The problem with that is that this enables people with bugs you don't even know about that wouldn't be exploitable to root normally, to root a system. A possibly trivial break-in becomes a major theft.

You're not getting better security by doing this on average if the vendor was already putting all their effort to fix it. That Google judged otherwise is a major issue here; who are they to judge that? There is a huge conflict of interest involved here.

CERT routinely extends deadlines way beyond 45 days in collaboration with the vendors on a case by case basis. Only when there is no response from vendors does CERT do the standard 45 day release. The key is security, not dogma.
 
On the debate about 90 days, I too would argue it's not that long. The reality is most large companies are not that agile, and simply saying "they ought to be" isn't good enough. I've worked with, and for, several very large companies with large and complex software roadmaps. For a typical non-urgent update, you would often be looking at 9-12 months. Of course they aspire to do better, and of course when something critical comes up they do what they can, but believe me the process of designing, testing, and releasing fixes is not straightforward - huge amounts of people and time are involved. When it comes to something as ubiquitous and business critical as a Windows OS, it's no wonder they want to be careful about it. Do we honestly think MS doesn't aspire to be faster and better at this? Say what you like about the number of problems MS have had to fix over the years, they have at least been pretty consistent and reliable at issuing regular updates as problems come up.

----------

Independent developers fix bugs in a few hours.

And most independent developers are not working on one of the world's most widely used and most widely depended-on operating systems. The regression testing on Windows must be a complete nightmare; there will be so many dependencies to consider and potential impacts to work through. There will be 100s of people at MS involved in every update, representing 100s of different functions who want to know any change or update won't break something else. Again, I'm not saying we should consider this good enough, but why do we think MS isn't doing what it can?
 
Google also drops patching of even an 18-month-old OS for very severe security bugs and then blames it on the OEM when in fact, even if the OEM wanted to get a fix in, there would be none to be had. That doesn't make me think they actually care one bit about security.

Oh please, OEMs modify Android's source code all the time. There is absolutely nothing preventing an OEM fixing bugs. If the OEM cared they would either fix or upgrade the device to 4.4. Google provides alternative browsers for users to use and Google has also taken steps so they could issue patches to things like WebView directly to users' devices going forward.

It's not just Google either.

http://www.computerworld.com/articl...ort--leaves-1-in-5-macs-vulnerable-to-at.html
 
On the debate about 90 days, I too would argue it's not that long. The reality is most large companies are not that agile, and simply saying "they ought to be" isn't good enough. I've worked with, and for, several very large companies with large and complex software roadmaps. For a typical non-urgent update, you would often be looking at 9-12 months. Of course they aspire to do better, and of course when something critical comes up they do what they can, but believe me the process of designing, testing, and releasing fixes is not straightforward - huge amounts of people and time are involved. When it comes to something as ubiquitous and business critical as a Windows OS, it's no wonder they want to be careful about it. Do we honestly think MS doesn't aspire to be faster and better at this? Say what you like about the number of problems MS have had to fix over the years, they have at least been pretty consistent and reliable at issuing regular updates as problems come up.


So how long do you feel is a reasonable amount of time to fix a null pointer dereference such as the one at issue here?

If three months is too little then at least this way the public is made aware of the fact that the company in question cannot be expected to fix security issues within many months of it being discovered (by good guys or bad guys).
 
Oh please, OEMs modify Android's source code all the time. There is absolutely nothing preventing an OEM fixing bugs. If the OEM cared they would either fix or upgrade the device to 4.4. Google has also taken steps so they could issue patches to things like WebView directly to users' devices going forward.

Yes, there is MONEY. Google makes most of it (90% of the rest is made by Samsung). If you exclude Samsung, they make next to no money at all or even lose money! Many are currently in survival mode.

Google could have made the current update process that bypasses part of the OEM, by splitting off part of the updates, years ago and didn't; no excuses.

Google doesn't even fix 18-month-old Android, so why would you expect a financially strapped OEM who didn't write it to do better? If Google is so worried about the abysmal security on its platform, why doesn't it pony up the money to help those OEMs?

Don't remote exploits allowing root access that remain open for years concern them at all? Right now, closing most holes for users requires throwing away their phones and buying new ones. No other options. How does this instill confidence in Android and Google's security?
 
Independent developers fix bugs in a few hours.

I don't think you know what you're saying. This thing has many millions of lines of code, 15 years of development, thousands of hardware and software dependencies, has been worked on by probably thousands of developers, and is used by hundreds of millions of users, including tens of millions of businesses.

The scope of those large OS projects, especially one like Windows is staggering.

Even if you had just a few lines to change (doubtful), a few hour release would be essentially a blind release with no testing. Using end users as guinea pigs. That would certainly endear you with your clients.

The testing alone for relatively minor changes will be weeks in the making in some cases. There are also possibly other OS changes, other security bugs being worked on at the same time, that will complicate the fix.
 
Your door analogy is totally off, this exploit needed someone to already be inside to work. It is not a remote exploit. That's more like telling the general public that this type of safe has a particular type of clicks when it is on the right number, despite the fact the safe maker is days away from the fix. The problem with that is that this enables people with bugs you don't even know about that wouldn't be exploitable to root normally, to root a system. A possibly trivial break-in becomes a major theft.

You're not getting better security by doing this on average if the vendor was already putting all their effort to fix it. That Google judged otherwise is a major issue here; who are they to judge that? There is a huge conflict of interest involved here.

Actually, the door analogy is quite relevant... you can't walk through my front door whether it be open or closed unless you are already here on my property standing on my porch.

And, Microsoft was not putting all their effort into fixing the bug... the bug fix was done, ready to be delivered, and Microsoft wanted to avoid the announcement of a security problem that was being left unfixed just because today wasn't a Tuesday. Exposing the practice of withholding important security fixes because some guy thought the idea of "Patch Tuesday" was cool sounding, is just as important as exposing that companies aren't taking the urgency of repairing security problems seriously. Actually, it is the same thing.
 
Actually, the door analogy is quite relevant... you can't walk through my front door whether it be open or closed unless you are already here on my property standing on my porch.

And, Microsoft was not putting all their effort into fixing the bug... the bug fix was done, ready to be delivered, and Microsoft wanted to avoid the announcement of a security problem that was being left unfixed just because today wasn't a Tuesday. Exposing the practice of withholding important security fixes because some guy thought the idea of "Patch Tuesday" was cool sounding, is just as important as exposing that companies aren't taking the urgency of repairing security problems seriously. Actually, it is the same thing.

I'm not going to continue, because it is pointless. Your whole fantasy world about MS's true intentions proves just that. Your analogy was total crap; trying to dig yourself out is not helping at all.

BTW, read what CERT actually does in real life, not your dogmatic interpretation; the Q&A on their site details that.

Bye.
 