1. 24
    1. 4

      com.apple.rootless.install.inheritable seems like a bad idea. I’m sure Apple people thought long and hard about it, but it seems near impossible to know that all subprocesses of system.installd can be trusted. Someone somewhere in Apple slips up and alters their install scripts and we have a hole again.

      An allow-list of the exact subprocesses that may have the privilege seems more reasonable.

      1. 1

        Seems kinda tactless to give a fancy name to this vulnerability and release the details only 3 days after the patches went out.

        I mean, you know, not an Apple fanboy or anything, but pobody’s nerfect right?

        1. 8

          Maybe, maybe not?

          But I think the much more important thing is that they found this vulnerability and reported it to Apple, who then fixed it, making all macOS users safer in the process. I think that’s much more noteworthy than whether the vulnerability was given a fancy name after the fact.

          1. 5

            Tactless or not, it does feel a bit like the resident owner of a fine glass house has chosen to start a stone-throwing contest.

            1. 1

              You mean they should have announced the fancy name a few days in advance before the disclosure like everyone else does?