On the Internet, Everyone Hates You
Our recent article about the difficulty of determining the source of vulnerabilities has drawn a complaint from the researcher responsible for discovering the iPhone Safari problem.
To clear up the confusion for anybody still wondering what is going on, the complaint centres on two points:
- The vulnerability is for the Safari BETA (and the iPhone) - All we did was confirm that the vulnerability did not work against Safari on OS X. That check did not appear to have been done, and it matters when trying to narrow down where in the codebase the vulnerability could reside.
- We didn't understand the vulnerability - We'll let the following stand for itself (from our original article):
Developers need to be cognizant of the risks posed by the user who double-clicks on anything they come across - something most developers are aware of, at least as far as people randomly downloading content from the Internet or other networks.
Where there needs to be more awareness is in how applications should handle untrusted input arriving through a vector that is not normally considered an attack vector. In the case of the iPhone Safari bug, the argument being made was that it is still a serious problem when the local user opens and interacts with valid HTML / JavaScript content from the local filesystem - that content could still be malicious and pass data out to a remote system.
This isn't the first time that a company or individual has taken umbrage at the information we have published, and it is sure not to be the last.
Before anybody decides to start slandering or attacking us for our reporting, stop and think about what we have actually written. In every case to date, the information presented has been accurate (at least at the time of reporting, for volatile information) and the slander has been meritless.
We welcome the discussion and debate that our commentary can initiate (including a fair amount of criticism of our approaches), but when it crosses into slander we are quick to defend our rights.
If you find yourself in a similar position in the future (where you hate what we do and are ready to slander us), please contact us privately before going public, so that any misunderstanding can be cleared up rather than aired in public.
8 October 2007