
I got a lot of flak here recently for suggesting that maybe security researchers shouldn't be publishing PoCs or deep vulnerability details literally 1 week after the vendor issues a patch.

Here's to hoping that, now that this happened, someone will give this idea another consideration...

(P.S. for those wondering: apparently this is CVE-2019-8605: https://bugs.chromium.org/p/project-zero/issues/detail?id=18...)




But it's been 3 months since the vendor first issued a patch!


I mean, I'm not suggesting 1 week should've been 1 month or even 3 months. Those are too short to me too.

But regardless, that's already 3 months people had to design, write, test, and perfect an exploit for it...


The exploit was patched in iOS 12.3, not known since 12.3. Apple probably knew for longer, fixed it in 12.3 and reverted the patch (somehow) in 12.4.

If you want to make your point, this is one of the worst examples you can take as it is an old exploit, which has been patched and now works again. The code should be in the public after the patch anyway if a researcher found it.


> The exploit was patched in iOS 12.3, not known since 12.3. Apple probably knew for longer, fixed it in 12.3 and reverted the patch (somehow) in 12.4.

Huh? Am I misreading the timeline? iOS 12.3 was released May 13, and I see the view restriction removed (Label:-Restrict-View-Commit) on May 20... which is almost exactly 3 months ago: https://bugs.chromium.org/p/project-zero/issues/detail?id=18... https://support.apple.com/en-us/HT210118


Gives people opportunity to jailbreak their devices?



