So, here I am working on a vulnerability I discovered in OS X. I am deep into doing the final work of making sure it is exploitable and writing proof of concept code. My fuzzers had identified the issue a week or so ago, but with my busy schedule I just had not had time to pursue what was looking to be a local exploit with a little capability for malicious activity – like perhaps exposing the contents of FileVault or other things that are based on user context.
But, lo and behold, along comes an update from Apple that patches the vulnerability. Upon deeper research, it appears that they also discovered the issue (or blindly mitigated the hole) while they were repairing another problem included in this patch cycle! Congrats to Apple for fixing what appears to have been an unrelated issue and for seeming to actually be doing the right thing of performing additional testing or mitigation on code they are working on. To me it looks like they may actually have implemented a process where, as one issue is found with a piece of code and addressed, the whole piece of code is more deeply inspected, tested and assessed. That’s FANTASTIC news!
So, while I am doing the “poor me” shuffle for spending cycles on an issue that has become NOT AN ISSUE, I am also bouncing around with joy that the right approach to securing code seems to be spreading. That alone is worth a smile. I really like it when the right thing happens and some part of the world gets a little more secure!
That’s just another part of life as a security researcher. Things continue to break in new and exciting ways, but sometimes, even while you are working on the rabbit hole, someone comes along and fills it in….