Today we celebrate four years since Apple pulled the ghost CVE prank on us:

https://daniel.haxx.se/blog/2022/03/23/anatomy-of-a-ghost-cve/

#curl

Anatomy of a ghost CVE

"The Lord giveth and the Lord taketh away." (Job 1:21) On March 16 2022, the curl security team received an email in which the reporter highlighted an Apple web page. What can you tell us about this? I hadn't seen it before. On this page with the title "About the security content of macOS Monterey 12.3", …

@bagder Any guesses on how much time you and the team wasted for pretty much nothing?
How is the "productive work" vs. "chasing other people's mess for nothing" ratio in general?

@thoralf that's really hard to tell. Also, the "for nothing" depends on who you ask and how you determine it. Most chases like this actually contribute and add *something* to the project. Code, experience, documentation etc.

But since we don't try to measure or count this, I can't even guess!

@bagder did you ever get a reply? Or is it still sitting in their mailbox?
@bagder best wishes to all who celebrate!
@bagder Apple are the true hipsters: sloppy before it was cool 😬
@bagder did you send Apple a bill for time spent investigating, communicating and following up?
@bagder hopefully you being the CNA for curl means this won’t happen again
@simon_w yes, this should not be possible these days
@bagder (The tiny tinfoil guy inside me) Maybe Apple found a nice backdoor they decided to keep for themselves—and, maybe, share with a select few of their best friends—but it somehow was flagged wrongly in their system which triggered an automatic API call to MITRE? 🤔