Comment by callesgg

5 years ago

He could just have sent in a bug report. Said that the length was not validated.

No need to dig so much if you just want to fix the problem.

But he wanted to prove something. That is a different thing.

By 'wanting to prove something', he caused the vendor to act urgently, instead of sweeping this as a maybe-exploitable-maybe-not bug that would get lazily patched whenever.

By 'wanting to prove something', he showed the shortcomings of multiple security mitigations, all defeated by simple bugs.

By 'wanting to prove something', he also discovered two other exploitable 0days, that wouldn't have been discovered otherwise. Those 0days were likely already in the hands of bad actors, too.

Finally, the reason he even discovered the original bug is because Apple accidentally once or twice forgot to strip function names from a binary. If this didn't happen, that bug very likely would still be out there in the wild.

I'm not sure you understand how security research works.