Better question how can Apple trust anything if they relied on a compromised version of OSX during development?
In a worse case exploitation of the vulnerability, backdoors could be sprinkled anywhere on any OSX machine including binaries on development machines or those used to administer servers. Short of bringing in a unicorn to snif out virgins, they can only assume that everything connected to the internet has been fucked.
For exploits embedded in the source code, rebuilding doesn't eliminate anything. If there are others - and why wouldn't a sophisticated attacker plant more than one, then the best option is a code audit and wishfully hoping that it found everything.
How fucked could Apple be? With SSL broken, why wouldn't an attacker do such a things to create a robust exploit?
Suppose Apple looked at the commit history for the problematic file and the change to the source code doesn't show up...compromising a machine that controls version control software would allow that. If I were running an NSA op or were a cyber-crimminal, that's the sort of thing I would do once I thought of it. Well actually I would hire some Fairfax County contractor to do it in the case of the NSA - someone like Snowden.
5 comments
[ 2.4 ms ] story [ 37.8 ms ] threadIn a worse case exploitation of the vulnerability, backdoors could be sprinkled anywhere on any OSX machine including binaries on development machines or those used to administer servers. Short of bringing in a unicorn to snif out virgins, they can only assume that everything connected to the internet has been fucked.
For exploits embedded in the source code, rebuilding doesn't eliminate anything. If there are others - and why wouldn't a sophisticated attacker plant more than one, then the best option is a code audit and wishfully hoping that it found everything.
How fucked could Apple be? With SSL broken, why wouldn't an attacker do such a things to create a robust exploit?
Suppose Apple looked at the commit history for the problematic file and the change to the source code doesn't show up...compromising a machine that controls version control software would allow that. If I were running an NSA op or were a cyber-crimminal, that's the sort of thing I would do once I thought of it. Well actually I would hire some Fairfax County contractor to do it in the case of the NSA - someone like Snowden.