Just days after its discovery during a hacking contest at the CanSecWest conference, Apple has released a QuickTime update that patches a serious zero-day flaw. The QuickTime update is recommended for both Windows and Mac users and can be downloaded from the Apple site.
The Apple security note credits Dino Dai Zovi, the hacker who recently discovered the flaw, as well as TippingPoint and the Zero Day Initiative for the discovery of the flaw.
It would seem that everybody wins in this scenario: Dai Zovi took home the $10,000 prize, and Apple patched the flaw, giving QuickTime users a more secure platform. But security analyst firm Gartner is still unhappy.
A note on the Gartner site reads:
While there is some merit to what Gartner is saying, the fact is that the flaws exist, and security through secrecy is nearly always a flawed approach. To argue that vendor notification trumps user notification means that Gartner believes users are better off left in the dark while the vendor attempts to fix the problem.
In fact, notifying users that a problem exists alerts them to potential vulnerabilities. In this case, once users were aware that the flaw existed, they could exercise greater caution in downloading untrusted QuickTime media.
It's also worth noting that Gartner has a vested interest in maintaining insider knowledge of attacks, something they lose in public hacking contests.
