Security firm goes public with Apple Safari flaws

Secunia publishes information on two vulnerabilities in browser after Apple reportedly fails to provide status updates

Danish security firm Secunia published information on two unpatched vulnerabilities in Apple's Safari 5 browser on Friday, after the consumer-technology firm allegedly failed to provide status updates on the patch process.

Secunia reported the two vulnerabilities -- one of which could result in remote exploitation of a user's machine under certain circumstances -- to Apple more than six months ago, the company stated in a blog post.

Secunia's policy states that if a software vendor fails to adequately respond to a vulnerability report within six months, the security firm will release limited data on the issue. Apple is the first major vendor to run afoul of the deadline that the company has imposed to make software companies take patching more seriously.

"There are still some major software vendors that do not understand how to properly work with researchers," Carsten Eiram, Secunia's chief security specialist said in a statement. "Hopefully, Apple will in the future strive to work better with researchers to ultimately protect their customers by providing more informative status updates and estimated fix dates instead of prioritizing antiquated internal policies higher."

When researchers report issues to Apple, the company makes clear that it's not its policy to give updates on the status of the fix, but researchers are free to request more information, Eiram wrote in a blog post on Friday. Instead of an update, the company frequently responds with a canned response that provides little information, he said. Specifically, the company failed to provide an estimate on when a fix would be available.

"Naturally, fix dates may be subject to change and most researchers seem willing to push a targeted disclosure date if required in order for the vendor to release a proper fix," he says. "However, after a vendor has had a chance to analyze and start addressing a vulnerability, researchers deserve to know when a fix should be expected."

Very closed-mouthed about its coming products, Apple is even more taciturn when it comes to the security of those products. This behavior has led to a rocky relationship with security researchers. Most other major software vendors -- such as Microsoft, Adobe, and Google -- have made a priority of courting security researchers that find vulnerabilities in their products.

The outing of Apple's Safari flaws is the second time in a month that Secunia has taken a hard line with software companies. At the RSA Conference last month, the company revealed plans to automatically apply software vendor's security updates to its clients' machines, repackaging the patches without seeking permission, a controversial practice.

Apple did not immediately respond to a request for comment.

This story, "Security firm goes public with Apple Safari flaws," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.