MAC OSX SECURITY UPDATE 2017 001 UPDATE
As is typical for Apple security updates, a restart was required, and the update completed over a 15 to 20 minute period as part of the reboot, during which time we couldn’t use our Mac or our phone. When we updated, the download sizes were about 1.5GB for macOS 10.12.4 and 650MB for iOS 10.3. On an iPhone or iPad, use Settings | General | Software Update to make sure you have the latest version. On a Mac, click on Apple Menu | About This Mac | Software Update… and then click on the blue “update arrow” in the App Store app. If you wait for your turn to come around in Apple’s staggered autoupdate process, you might end up several days behind, so we recommend checking for updates manually right away. The TL;DR version of this story is this: as Apple patches go, treat these as “first among equals” and make sure you get them as soon as you can.
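As an added example that is not part of the original article, here is a small POSIX sh check that compares a Mac’s reported OS version against the 10.12.4 level this update delivers, the kind of thing you would run across a fleet instead of waiting for the App Store badge. On a real Mac the installed value would come from `sw_vers -productVersion` (a real macOS command); the sample value below is constructed so the script runs anywhere.

```shell
#!/bin/sh
# Added example: is this Mac at or above the macOS 10.12.4 patch level?
# The comparison is pure POSIX sh so it works on any shell, not only macOS.
PATCHED_MACOS="10.12.4"

# version_ge A B -> exit 0 if dotted version A >= B, comparing numeric
# fields left to right; a missing trailing field counts as 0 (10.13 == 10.13.0).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        if [ "$a" = "$fa" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$fb" ]; then b=""; else b="${b#*.}"; fi
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
    done
    return 0
}

# macos_needs_patch VERSION -> prints a verdict; exit 0 if patched, 1 if not.
macos_needs_patch() {
    if version_ge "$1" "$PATCHED_MACOS"; then
        echo "macOS $1: at or above $PATCHED_MACOS, Pwn2Own fixes present"
        return 0
    fi
    echo "macOS $1: below $PATCHED_MACOS, update now (softwareupdate -l lists it)"
    return 1
}

# On a real Mac use:  installed=$(sw_vers -productVersion)
installed="10.12.3"   # constructed sample value for demonstration
macos_needs_patch "$installed" || :
```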
Importantly, the iOS and macOS updates close a number of security holes revealed at the recent Pwn2Own contest held alongside the CanSecWest conference in Vancouver, Canada.
All software on the target computer is patched immediately before the contest, so even an attack that worked fine in the lab the week before might end up stymied on competition day.
In other words, Pwn2Own isn’t just about spotting vulnerabilities that might be exploitable, but also about exploring exploitation techniques to come up with genuine zero-day security holes that will work even on properly-updated systems.
Prizes run to hundreds of thousands of dollars each.
Not everyone approves of the competitive “winner-takes-all” approach, in which vulnerabilities may be kept secret for weeks or even months until showtime arrives.
But whether you like it or not, high-stakes bug bounty contests like Pwn2Own have become part of today’s responsible disclosure scene.
The “responsibility” comes from the fact that to claim the prize, the bug finders have to give the affected vendor full details of the attack and keep those details confidential until the vendor has had time to fix the hole.
The high payout for many Pwn2Own bugs reflects that they would be similarly valuable if crooks were to find them instead, so fixes typically follow as quickly as is practicable.