Why Apple has to fix the Safari flaw

Remember my post Is Security Research Ethical? I made a statement there about responsible disclosure of vulnerabilities: "And then, what does the vendor do with it? Does the company act on it?"

Now, we can debate what is a vulnerability and what is not. Personally I am convinced that a vendor should be transparent about when it treats a bug as a vulnerability and when it does not. There is actually a good essay by Scott Culp on this called Definition of a Security Vulnerability.

Why am I telling you this? Well, there seems to be a disagreement between Apple and the rest of the world about whether Safari's "carpet bombing" flaw is a security vulnerability or not. Robert Hensing already posted on it last week (Safari "carpet bombing" Fail Open Goat Award) and ZDNet took it up yesterday as well (Why Apple must fix Safari 'carpet bombing' flaw immediately). And I quote: "[…] but when it comes to responding to legitimate security threats, Apple is light years away from living up to the messages in those commercials" (they are referring to the statement "Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one" in the Security tab of Apple's Safari page).

Remember the days of the "Unbreakable" ads (I know that was not Apple, but it goes in the same direction).

These are exactly the kind of discussions that do not really help us address security as an industry, nor promote responsible disclosure…

Roger

Published 30 May 08 09:19 by rhalbh


Comments

# Roger's Security Blog said on May 31, 2008 5:19 AM:

I posted yesterday on the Safari flaw (Why Apple has to fix the Safari flaw) as Apple did not acknowledge
