
Risk
Commentary
Tom Smith
2/28/2006 03:46 PM

Apple, Security, And Disturbing Questions

Troubling questions are being raised by one of the few meaningful security issues to impact Apple. As InformationWeek's Larry Greenemeier points out in a blog entry, "Some say the security research community is more dangerous than the hackers they warn against" because Mac exploits are being placed directly on the Web soon after the vulnerabilities are discovered. He quotes a security expert as saying that advisories sometimes serve as more of a publicity machine for the issuers than as a service to IT organizations.

Meanwhile, analyst Rob Enderle--one of the IT industry's chief pot stirrers--asserts that the security vendor community is, in effect, feeding itself with all the warnings it issues, Apple merely being the latest example. "By telling people about an exposure, you're telling someone else how to [exploit] it. I think security companies should spend more time catching criminals than telling them how to become one," the ever-provocative Enderle says. His view is, in turn, dismissed by Gartner security expert John Pescatore as so much old news. But if security vendors didn't derive at least some benefit from all the publicity surrounding vulnerabilities, they'd be far less proactive in dishing out the information, advice, and expertise every time a new one comes to light.

So all the disclosure of vulnerabilities that's come about in recent years does raise a legitimate issue of whether the availability of too much information--from researchers, vendors, blogs, and news stories by swarming journalists--only makes matters worse. What's your view? Would corporate (and personal) IT security be better served if researchers and vendors weren't so trigger-happy with the bulletins and reports? Or do we need all that information to keep even a half step ahead of the hackers? Weigh in at the comments field below, or respond to our poll.

Comments
babjipemmadi (User Rank: Apprentice), 11/30/2014 10:51:21 PM
A testimonial
I must say that overall I am really impressed with this blog. It is easy to see that you are impassioned about your writing. Nice post. I was searching for this post for the last 30 minutes on Google, and I reached your website. Superbly written and well explained. Thanks for your article. Looking for other posts also. Keep it up.