Zero-day PoCs on the loose for Mac

Apple has failed to fix some serious flaws that were reported in early December, and now publicly available Proof-of-Concept exploit samples are on the loose. Is the release of the PoC wrong, or is this Apple's fault for waiting so long?
Written by George Ou, Contributor

Several unpatched exploits in Apple's Mac OS X were reported last Friday by Joris Evers, but SANS Internet Storm Center is also reporting that PoC (Proof-of-Concept) code was posted along with details of the flaws. These sample exploits are capable of carrying out denial-of-service attacks or remote code execution, which means they can potentially be used to root a Mac.

There are no wide-scale attacks that target Mac OS X as a general-purpose zombie platform, because Macs offer a much smaller pool of potential zombies and because they're harder to root thanks to default non-admin privileges, unlike the current generation of Windows operating systems. However, these exploits open the Mac up to low-profile targeted attacks for data theft, and a skilled attacker may eventually escalate their privileges to root if they wish to plant rootkits. While the risks aren't as high as a zero-day exploit on Windows XP or earlier, Mac users should be on the lookout for media files from suspicious email or web sources and apply the patches as soon as Apple releases them.

Tom Ferris, an independent security researcher who discovered these flaws, reported them to Apple back in early December of last year but decided to release more information last Thursday. I've always felt that the immediate disclosure of a PoC is unethical, but this has been well over four months and Apple still has not patched its software. Holding back vulnerability details doesn't do anything to prevent black-market trading and sale of exploits, but it does prevent more wide-scale exploitation by less sophisticated hackers and script kiddies. The problem is that software companies like Apple (most software companies behave like this) often don't take exploits seriously until there are clear and imminent dangers on the loose.

This is the exact reason I've always argued for a compromise on vulnerability disclosure: a 60-90 day grace period for vendors and customers to patch their software before vulnerability details are disclosed. If the researcher releases a PoC before the grace period is over, the researcher should be held responsible. If the PoC is released after the grace period and a customer is attacked because they didn't apply the patch, then the customer needs to hold the attacker responsible (if they can find the attacker) and not blame the software maker or the researcher.