1. 35
  1. 9

    Citizen Lab forwarded the artifacts to Apple on Tuesday, September 7.

    Six days later Apple’s released a fix — that’s pretty impressive turnaround for a big company, especially for a patch in a vital low level component like CoreGraphics, on two operating systems.

    1. 5

      7 days is good. but it’s also the longest that e.g., Google Project Zero would tolerate for bugs being widely exploited.

      A former Mozilla exec joked “ten f-ing days” in 2007, we’ve since then improved to “within 24 hours” and kept the next-day promise for contests like pwn2own as well as real world attacks.

      Really hoping this will become an industry norm. We should hold the most valuable companies accountable to their responsibilities. Distributed teams allow for a project to continue non-stop for 24hrs without burning anyone out. CI/CD tooling can help providing a certain release-readiness

      1. 2

        It’s a little harder to patch, test and release an OS instead of just an app.

        1. 1

          Totally. Their >10k employees also outsize the ~500 people working on the app.

      2. 2

        Searching for jbig2decode mostly finds prior PDF vulnerabilities. I wonder if Apple tried fixing the vulnerabilities or just removed support for parts of their PDF decoder that have the vulnerability. Given that the attack is in the wild I imagine they took the shortest, safest path to get a patch out.

      3. 8

        If you run macOS, iOS or watchOS you should apply updates and reboot ASAP.