Dailydave mailing list archives

Re: This guy cracks me up.


From: "Rhys Kidd" <rhyskidd () gmail com>
Date: Sun, 3 Sep 2006 11:22:00 +0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

"to generate publicity at the expense of the Mac's renowned reputation for
security" - John Gruber


Renowned reputation?? Let's take the Apple Security Update for 27 June 2006,
http://docs.info.apple.com/article.html?artnum=303973.

The OpenLDAP (Apple rebrands this OpenDirectory, their core user management
framework) bug they report was fixed in the OpenLDAP source code on 31st
December __2004__. When a company is getting hit by bugs reported over a
year and a half ago, and fixed in 2004, it says a lot about their code
review department. Sure it's not exploitable, but the version of OpenLDAP in
the www.opensource.apple.com/ tree is that old.

Unfortunately, Apple doesn't commit their security patch fixes into their
OpenSource offerings, so we'll have to wait for OS X 10.8 to see if they
update the entire OpenLDAP version, or simply apply a one-off fix to that
file.

Compare:
[1] http://www.opensource.apple.com/darwinsource/10.4.7.ppc/OpenLDAP-69.0.2/OpenLDAP/CHANGES
[2] http://www.openldap.org/software/release/changes.html

Apple has to make some concerted steps towards ensuring the software they
import from the OpenSource world is secure, and I'd doubt their in-house
software is any better.

- - Rhys
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)

iD8DBQFE+kpX7oK/a/NHBvIRAgFYAJ4uFCS5m/Q5Omog0aU11wFn5w0UwwCeIobv
iXyzsLtN4IuxzCeuMP8HMmM=
=c1oC
-----END PGP SIGNATURE-----

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

