Tuesday, June 30, 2009

Palm Patched my vulnerability in WebOS

Palm recently put out a new patch that addresses a vulnerability that I had discovered back on June 17th 2009 in the new WebOS for the Palm Pre. In my first disclosure to them, I included one critical issue and 2 minors issues.

After some quick testing last night, the critical issue was fixed, however I have a potential new one that I will be sending to them today once confirmed.

The Patch notice: (My name is halfway down under 1.0.4)
Palm Patch Notes

To show Palm's commitment to security, I wanted to show you the time line of events surrounding my disclosure and the rapid response.

6-16-2009 Critical Vulnerability discovered and validated
6-17-2009 Palm contacted to setup meeting/discussion
6-18-2009 New minor vulnerabilities found
6-21-2009 Palm contacts me, I send full disclosure to them
6-23-2009 Brian Hernacki contacts me and verifies critical issue states will be patched
6-29-2009 Vulnerability is patched

I have not included any specific details on the matter from WebOS 1.0.3 as I have been asked to wait until more people are completely patched.

That being said, when given the green light, I will provide more details on the matter.


No comments:

Post a Comment