
List:       full-disclosure
Subject:    Re: [Full-disclosure] NGS00254 Patch Notification: Apple Mac OS X Lion USB Hub Class Hub Descriptor
From:       Jeffrey Walton <noloader () gmail ! com>
Date:       2012-09-27 19:40:59
Message-ID: CAH8yC8=g1+XiwrJwTsrkEHC5obs0qqcEmUDD31AyNYdep==5Zw () mail ! gmail ! com

> An updated version of the software has been released to address the vulnerability:
> http://support.apple.com/kb/HT1222
Unfortunately, Apple makes no mention of patches for USB devices in
this support article.

> NCC Group is going to withhold details of this flaw for three months.
As you probably know, Apple is not a responsible actor in this arena.
Confer: the number of vulnerabilities left to rot and fester while
waiting for the iOS 6/iPhone 5 press release
(http://lists.apple.com/archives/security-announce/2012/Sep/msg00003.html),
the removal of the toxic DigiNotar certificates from the root CA list,
etc.

Jeff

On Thu, Sep 27, 2012 at 4:22 AM, NCC Group Research
<research@nccgroup.com> wrote:
> High Risk Vulnerability in Apple Mac OS X Lion
> 
> 27 September 2012
> 
> Andy Davis of NCC Group has discovered a High risk vulnerability in Apple OS X Lion v10.7 to
> v10.7.4, OS X Lion Server v10.7 to v10.7.4.
> Impact: Arbitrary Code Execution (bug triggered by USB device insertion)
> 
> Versions affected:
> Mac OS X Lion v10.7 to v10.7.4, Mac OS X Lion Server v10.7 to v10.7.4
> 
> An updated version of the software has been released to address the vulnerability:
> http://support.apple.com/kb/HT1222
> 
> NCC Group is going to withhold details of this flaw for three months. This three month window
> will allow users the time needed to apply the patch before the details are released to the
> general public. This reflects the NCC Group approach to responsible disclosure.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

