KerrickStaley (5 hours ago):

> At the time of writing, the fix has not yet reached stable releases.

Why was this disclosed before the hole was patched in the stable release? It's only been 18 days since the bug was reported to upstream, which is much shorter than typical vulnerability disclosure deadlines. The upstream commit (https://github.com/gnachman/iTerm2/commit/a9e745993c2e2cbb30...) has way less information than this blog post, so I think releasing this blog post now materially increases the chance that this will be exploited in the wild.

Update: The author was able to develop an exploit by prompting an LLM with just the upstream commit, but I still think this blog post raises the visibility of the vulnerability.
ezoe (5 hours ago), replying to KerrickStaley:

I guess the traditional moratorium period for vulnerability publication is going to fade away as we rely on AI to find it. If a publicly accessible AI model with a very cheap fee can find it, it's very natural to assume the attackers have found it already by the same method.
saddist0 (4 hours ago), replying to ezoe:

It's the wrong way to look at things. Just because the CIA can know your location (if they want to), would you share your live location with everyone on the internet? An LLM is a tool, but people still need to know — what, where, how.
lxgr (3 hours ago), replying to saddist0:

Not sure if that's a great example. If there's a catastrophic vulnerability in a widely used tool, I'd sure like to know about it even if the patch is taking some time!

The problem with this is that the credible information "there's a bug in widely used tool x" will soon (if not already) be enough to trigger massive token expenditure by various others, who will then also discover the bug, so this will often effectively amount to disclosure.

I guess the only winning move is to also start using AI to rapidly fix the bugs and have fast release cycles... which of course has a host of other problems.
integralid (an hour ago), replying to lxgr:

> "there's a bug in widely used tool x"

There's a security bug in OpenSSH. I don't know what it is, but I can tell you with statistical certainty that it exists. Go on and do with this information whatever you want.
mx7zysuj4xew (2 hours ago), replying to saddist0:

Wrong argument, since it's not just available to "the CIA" but to every rando under the sun. People should be notified immediately if "tracking" them is possible, and mitigation measures should become a common standard practice.
bawolff (2 hours ago), replying to KerrickStaley:

Once the commit is public, the cat is out of the bag. Being coy about it only helps attackers and reduces everyone's security.