"Apple has not credited the project in their security bulletin, likely because the researchers refused to notify Apple prior to releasing details of the vulnerability."
is false. Apple's bulletin reads:
"A QTL file that triggers this issue has been published on the Month of Apple Bugs web site (MOAB-01-01-2007)".
There's no link, but that's standard practice for Apple.
You make the further unqualified assertion that "responsible disclosure" is an "important process", as if there is a universal acceptance of it. There's not -- in fact, people disagree over what "responsible disclosure" is.
You further state:
"No specific examples of long response times by Apple have been provided by the researchers on the project site, however."
Which is incorrect. Look for example at the slpd vulnerability (reported August 2nd) or the ffs_mountfs() vulnerability, which was reported publicly in November. What exactly is a "long response time", Kelly? Some arbitrary standard you invented and can use to shoot down any example you're offered?
You also lob some awfully heavy allegations at Kevin and LMH:
"The project has received criticism and mixed reviews from across the security community for downplaying the need for responsible disclosure, and some believe the publicity may in fact make it harder for security researchers to legitimize their work."
If I were them, I'd demand you at LEAST source this crap. That's a serious allegation to raise when you don't even anonymously source a single individual who's made this claim.
Also, Security Update 2007-001 does not provide a direct link for users of iTunes 7.0 + Quicktime on Windows. Mac OS X users can use "Software Update" to download the patch, as can iTunes 7 users who've installed Apple's Windows version of the tool. The correct Windows install link for those without iTunes 7's updater is to the Quicktime or iTunes download pages. The former is here:
http://www.apple.com/quicktime/download/win.html
Link to this comment: http://www.securityfocus.com/comments/newsbriefs/416/1686#1686