This is NOT the way a vendor should handle a vuln disclosure.
Stephen has made it a habit of lecturing Apple on its responses to security situations. And yet, when Microsoft does the same or worse, all you hear is the deafening silence.
The animated cursor flaw was reported to Microsoft in October 2004! Cesar Cerrudo, the hacker who found it, got tired of waiting for a fix from Microsoft and published details during the MoKB (Month of Kernel Bugs) project last November. And till the exploit got released Microsoft did NOTHING. And to top it off they REFUSED to credit the researcher because, in Microsoft’s eyes, he crossed the “responsible disclosure/full disclosure” line.
“Microsoft’s point is really clear. Once someone puts customers at risk, we can’t credit them. We never have and we don’t intend to change that policy.”
What a crock! And people like Stepto continue to lecture Apple about their response to a third party Wifi driver attack which later morphed into an OSX driver vulnerability and has YET to be proven to do anything more than crash the system. So Microsoft has a “policy” regarding not crediting researchers that put customers at risk and somehow Apple is evil for not crediting researchers on a disputed claim?
Hypocrisy, thy name is Microsoft.