1. 20

  2. 6

    Apple indicated that this issue required a substantial amount of changes on their side, and that they will not back port the fix to 10.9.x and older.

    Yikes.

    1. 1

      And 6 months between the first report and a fix. I think that is too long.

      1. 1

        Why? We have no idea how much effort it took to fix the bug. Perhaps the fix involved rewriting things. I know of many bugs for which the only fix was to throw out the current implementation and start over with the new knowledge.

        How about a year for a patch then? That happened to Microsoft this year, well, last year if you consider that it was reported in January 2014. http://blogs.technet.com/b/srd/archive/2015/02/10/ms15-011-amp-ms15-014-hardening-group-policy.aspx http://www.tripwire.com/state-of-security/latest-security-news/microsoft-patches-dangerous-group-policy-vulnerability/

        I think we presume too much when we expect security patches to always come out within 90 days of reporting. Reality might not allow for such thinking.

        1. 1

          I think it’s acceptable for a security patch to come out more than 90 days after reporting, but I think it is on the company to communicate that. The goal of the time limit is to light a fire under the asses of (sometimes) lazy companies. However, it should be extended if the company contacts the reporter and discusses the limitations they have in fixing the issue. Of course that doesn’t work for companies that just ignore reports or that you never hear from again. It did work in this case, however, where you can see that Apple and TrueSec discussed the difficulty and extended the disclosure deadline. The lack of fixes for older versions still disturbs me, but Apple’s handling of at least the newest version is nice to see.

          While we can presume too much, security researchers who are finding these bugs and reporting them shouldn’t have to guess whether the company is taking timely action on it.

    2. 1

      Doesn’t “backdoor” imply something nefarious? This is a bug that causes local privilege escalation.

      1. 2

        I think this can be classified as a “backdoor API” because it’s clear that the systemsetup tool uses it to escalate its privileges in a way that was intended by the developers. They attempted to hide it by making it require root with the patch that is referenced, but the API was still part of the system design. In fact, the time and work it took to fix also lead me to believe that this wasn’t a bug but rather functionality never meant to be seen by unprivileged eyes. I think it’s another side effect of trying to make the command-line tools more user-friendly, or rather non-power-user-friendly.

        EDIT: The privilege escalation on all users is a bug, but the Admin use case I would argue is still a backdoor.