Looks Like 40 Worms Ate My Apple

It appears that Apple dithered about the severity and number of flaws involved for nearly six months before releasing a single fix. Core’s advisory went out more than a week ago, after Apple missed a coordinated patch/vulnerability advisory release date for the fifth time in a row. Reminds me of the movie ‘Holes.’

I guess getting the new features our the door are more important than fixing the problems. I know Microsoft started this whole game or did they? It seems to me that the issues have always been there concerning poor coding practices only now Microsoft’s coding efforts seem to be more mature than most others, while the ‘others’ now have the attention turned towards them. I really liked starting on Mac’s back in the 80’s but it is time to start considering security from inception. From Core Security:

2008-01-30: Core sends an initial notification that vulnerabilities were discovered in the iCal application and iCal server and that an advisory draft is available.

2008-01-31: Vendor acknowledges and requests the draft.

2008-01-31: Core sends the draft, including proof-of-concept files that trigger the bugs.

2008-02-12: Core requests update info on the vulnerabilities and states that wants to coordinate the date of the disclosure.

2008-02-18: Core requests update info on the vulnerabilities.

2008-02-18: Vendor replies that the iCal Server (CVE-2008-1000) vulnerability is tracked for a fix in an upcoming update and the vulnerabilities in the iCal client application will be fixed in an update following the early March software update.

2008-02-19: Core indicated that it will split the report in two security advisories. CORE-2008-0123 will address the vulnerability in iCal server (CVE-2008-1000) and will be published in coordination with the release of the vendor’s March software update. The publication date for the second advisory, will dealt bydealing with the three vulnerabilities in the iCal client application will be coordinated for a date after the March update unless there are clear indications of the vulnerability being exploited in the wild, in which case if Core considers that the information provided in the advisory would help end users to decide how to react the advisory would be published sooner as a “forced release”.

2008-03-03: Core requests update info on the vulnerability, a concrete release schedule and text for the advisory section called “Vendor Information, Solutions and Workarounds”.

2008-03-04: Vendor provides information concerning CVE-2008-1000 and indicates that the bug is in the Wiki server and not the iCal Server.

2008-03-13: Core re-schedules the publication to March 24th and requests the vendor an update on the coordinated date of disclosure. The remaining three vulnerabilities in the iCal client application will be dealt by a second security advisory (CORE-2008-0126) to be published after the release of the March software update. Publication of CORE-2008-0126 is initially slated for March 24th 2008 but the final date estimation can be discussed further with the vendor based on its estimated date for fixes.

2008-03-18: APPLE-SA-2008-0318 software update released.

2008-03-18: CORE-2008-0123 is published.

2008-03-18: Vendor informs that will track the first two issues as crasher-only bugs but still intends to address them. Further details to determine if the null pointer de-reference bugs are exploitable are requested. The vendor will continue to track the third as a security bug and estimates early April for the release of the software update that fix them. Additional timing information will be provided closer to the estimated date.

2008-03-18: Core re-schedules the publication to April 7th and indicates that should any new details about the vulnerabilities become available they will be forwarded to the vendor.

2008-04-04: Core requests a more precise date of release of the fixes to coordinate the publication and recommends the vendor to consider the three as security bugs because it couldn’t be proved that in this case the integer overflows can’t be exploited.

2008-04-07: Vendor requests that Core to postpone the advisory publication until the fix is available.

2008-04-07: Core requests a more precise date of release of the fixes to coordinate the new publication date.

2008-04-07: Vendor informs that the estimated date for the update is near the end of April.

2008-04-08: Core confirms that coordinating the publication of CORE-2008-0126 for April 28th is acceptable.

2008-04-16: Core requests an update on the release date of the fixes.

2008-04-17: Vendor states that end of April is still the estimated date and provides more details that explain why the first two bugs are been considered null-pointer dereference bugs only. A value range verification is performed and out-of-range values branch execution flow to instructions that assign NULL to a pointer which later triggers a null pointer de-reference that causes the application to crash. The root cause of the crash is a NULL pointer de-reference and not an integer overflow.

2008-04-17: Core confirms that the two first bugs can be considered crasher only due to null-pointer dereference. Upon further research it is confirmed that integer overflows are detected and do not cause the actual crashes.

2008-04-17: Vendor asks confirmation that the first two bugs have no security related consequences.

2008-04-17: Core responds that the three bugs still have security related consequences. The first two bugs can be abused to execute denial of service attacks by untrusted and unauthenticated third parties specifically using public servers as attack vector. Core considers bugs that allow unauthenticated third parties to crash an application to be security vulnerabilities. Core indicates that exploitation of null pointer de-reference bugs cannot be ruled out generically, a statement which could be derived from Rice’s theorem.

2008-04-25: Core requests an update on the release date of the fixes and sends detailed information on the analysis of the first bug.

2008-04-27: Vendor estimates early May as the date of the software fixes release.

2008-05-05: Core informs the vendor that it is re-scheduling the publication to May 12th as a final date unless precise information is given on the release date of the fixes.

2008-05-06: Vendor responds precising that the fixes are being released sometime the following week.

2008-05-07: Core states that it is not willing to re-schedule publication date unless the vendor commits to a concrete date.

2008-05-10: Vendor asks Core not to publish the advisory before Apple security update is available. Vendor indicates that fixes will be released on May 19th, 2008.

2008-05-10: Given that the vendor has communicated a concrete date, Core will discuss re-scheduling (for the fifth time) the publication date of the advisory.

2008-05-12: Core communicates the vendor that the publication of the advisory is re-scheduled to May 21th, that date is final.

2008-05-14: Vendor acknowledges reception of the last email and appreciates that Core posponed the advisory publication date.

2008-05-20: Core send the final draft of the advisory to the vendor.

2008-05-21: An edited and corrected final version of the advisory is sent to the vendor.

2008-05-21: Advisory CORE-2008-0126 is published.

2008-05-22: Minor errors corrected and more detailed version information added.