On Tuesday, Apple released an update for the (now) famous QuickTime flaw that emerged as part of the "PWN_2_OWN" AKA "Hack A Mac" challenge up at CanSecWest. Our advisory is here. The controversial outcome of this particular contest has made great fodder for speculation, conspiracy theory and industry bashing alike, and there have been numerous press articles about it.
I'm going to give you the straight scoop on the whole kit and caboodle because, well, my boss gave me a blog-- so therefore I can!
If you are not already familiar with our program, the Zero Day Initiative, it rewards security researchers for responsibly disclosing the vulnerabilities they discover.
I want to start by commending the way Apple handled this situation. Yeah, I know it frustrates the world that Apple chooses not to comment on anything beyond their standard line about how they take security seriously, etc. I've also heard a lot of talk about Apple being hard to work with, unresponsive, etc. They must be getting better at that, because my experience working with Apple on the five vulnerabilities acquired through the ZDI program has been beyond pleasant in comparison to some other vendors.
No mud slinging or lawsuit threats, not even a nasty email. To the contrary, Apple thanked us for our pursuit of responsible disclosure, and got a patch out to QuickTime users in roughly a week. Not bad for a component that installs across the three most popular platforms out there.
Do I think they would have patched it this fast without all of the media attention? Of course not- but I'm glad Apple had a chance to showcase their Security Response abilities.
The original PWN_2_OWN contest at CanSecWest in Vancouver did not include a $10K bounty; the original prize was that you got to keep the Mac you "owned". At the end of the first day, when they were getting ready to relax the rules to allow browser exploits, Dragos and I had a quick conversation that went something like this:
Dragos: "Hey, do you think the ZDI would want to buy the vuln that hacks the Mac?"
Terri: "Certainly, that's what the ZDI program does."
We decided to put a set amount on the table to avoid any confusion and speculation over how much a particular discovery would be worth. The announcement of the $10K sponsorship generated a lot of excitement, which grew further when Dino Dai Zovi amazed us all by turning around a truly elegant discovery and exploit less than 10 hours later.
Dino created a user account on our ZDI Portal and submitted the details of his find to us. I called in some of our DVLabs folks to put a rush order on reproducing and further investigating the issue which they worked on over the weekend.
While it was initially brought to my attention late Friday, April 20th, as a vulnerability affecting only Safari, our investigation showed late Sunday evening that the issue had a far wider reach: not just Safari on Mac OS, but any Java-enabled browser on any OS with QuickTime installed.
Once it was fully vetted, we extended Dino a formal "offer" and contract for the bug, which he accepted.
The specific technical details of the vulnerability were disclosed to Apple on Monday April 23rd within 30 minutes of officially "contracting" it from Dino.
While it is not the general practice of the ZDI program to discuss any vulnerabilities we purchase, the level of interest in this one led us to respond to many requests from reporters. I spent 3 full days on the phone with people talking about this issue. I did my best to be factual and forthcoming about what was impacted without giving away details of the vulnerability itself.
The bottom line? People needed to know that they should disable Java in the browser until the QuickTime update was applied. It only takes a minute, and because the flaw is reachable from any Java-enabled browser on a system with QuickTime installed, it can save you from a lot of damage. It seemed prudent to me that the mitigation be put out there.
Of course, there has been some criticism of our involvement in the contest, with which we strongly disagree. We followed the same processes and procedures we apply to all 100+ zero-day vulnerabilities in our care, which we believe constitute responsible disclosure. But heck, everyone is entitled to their own opinion, and there is no hotter debate than that over "Responsible Disclosure."
To that I only say, in the words of author Fred Gratzon, "Don't overemphasize logic. It inhibits creativity."
Security and vulnerability research is valuable. It leads to more secure products and more secure customers. Without sponsored research, many vulnerabilities would remain behind closed doors, used for nefarious purposes.
A researcher's time is valuable. They've just provided a really important service to the information technology industry. And as Dino himself said, "I have spent way more time not finding bugs many other times." Hard work deserves to be recognized and rewarded.