This sounds like discounting a Bill of Exchange. Although the Bill of Exchange is drawn only against the delivery of a physical good, so this may be the difference between the two.
For example, let's say I own a sheep farm. I hire people to trim the sheep, and they produce a bunch of cotton. Without the Bill of Exchange, if I want to pay the people I've hired then I will need to ship this cotton to the spinner, who then ships the spun cotton to the weaver, who then ships the woven cotton to the clothier, who then makes clothes and sells it to a consumer. Only after this has happened can I pay my employees with the money of the paying consumer.
With the Bill of Exchange, a bill is created when I deliver cotton to the spinner. This bill will require the spinner to pay me for the cotton delivered in e.g. three months. I can then take this bill to someone who trusts that the spinner will pay me in three months and ask them to buy the bill at a discount, such that they are paid in three months (when the bill expires). I can then use the proceeds from the sale of the bill to pay my employees immediately. And the buyer of the bill earns a bit of interest because he pays less for the bill than he is paid at maturity.
In all likelihood, Apple would just refuse to play ball and tell them to go ahead and sell it to someone else if they're so confident. Zerodium and other markets already exist, and I don't think people at Apple lose much sleep over it. And you better hope you close that deal before Google Project Zero finds it independently and tells Apple for free. Plus the mere mention that a vulnerability exists in a specific piece of software may lead Apple engineers to finding and patching it before you can sell it. Give away too many details and it's burned.
People tend to vastly overestimate the economic impact of an exploited security vulnerability. A vulnerability which can be patched in a centralized manner has a low value half-life: it rapidly decreases in value over time. I would guess over 90% of active daily users of macOS already have the patch for this bug due to automatic updates. New buyers are essentially guaranteed not to have the vulnerability at all. The vulnerability would have to be absolutely catastrophic to be worth something, and in that case it would probably be used for targeted exploitation and burned after a short period of time.
Contrast with something like heartbleed, which is still around. That is a vulnerability with serious half-life and significant economic impact. The pool of available victims who can be exploited by heartbleed is nontrivial and persistent years later. Criminals will actually pay for something like that.
Bug bounty doesn't mean that the reporter is selling the bug they find for a reward. It's a gesture of gratitude from the company. This whole conversation is coming from a place of entitlement.
Did he phone them to check? I get a lot of fake invoices in my junk mail. I also know someone who lost £50k paying an invoice with bank details that had been tampered with by hackers. I hate phoning people but I always phone about invoices.
I can't find any information on the following questions:
Are all past versions of OS X / Apple Mail affected?
For what OS X Version does Apple provide a security update regarding this issue?
Has anyone found a fix that prevents auto-uncompression (such as a "defaults write com.apple.mail xyz False" command)?
Due to several reasons, I am also on an older version of OS X and this issue makes me a bit nervous.
That's what I thought first too (I am the author). And your guess for the reason is right. AppleScripts need to be stored in the ~/Library/Application Scripts/com.apple.mail directory, which is outside of the sandbox.
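The comment above names a directory outside the Mail sandbox from which Mail will execute AppleScripts. A defender's counterpart is to inventory that directory and flag anything not on a known list. The following shell script is an added example, not code from the thread or from the PoC author; it assumes only the directory path stated above, takes the directory as an argument so it can be run against any path, and uses a constructed allow-list.

```shell
#!/bin/sh
# Added example (not from the thread): inventory the Mail "Application Scripts"
# directory named in the comment above and flag scripts an operator does not know.
# Assumption: the path below is the one the comment states; nothing else about
# Mail's internals is assumed.

MAIL_SCRIPTS_DIR="${HOME}/Library/Application Scripts/com.apple.mail"

# Print one absolute path per regular file found under DIR, sorted.
# Prints nothing when DIR is absent, which is the expected clean state.
inventory_mail_scripts() {
    dir="$1"
    [ -d "$dir" ] || return 0
    find "$dir" -type f -print 2>/dev/null | sort
}

# Print the number of script files under DIR ("0" when the directory is absent).
count_mail_scripts() {
    inventory_mail_scripts "$1" | wc -l | tr -d ' '
}

# ALLOW is a space-separated list of expected file names (constructed by the
# operator). Every file under DIR whose basename is not in ALLOW is reported.
flag_unexpected_scripts() {
    dir="$1"
    allow="$2"
    inventory_mail_scripts "$dir" | while IFS= read -r f; do
        base=$(basename "$f")
        case " $allow " in
            *" $base "*) ;;                    # known script, nothing to report
            *) echo "UNEXPECTED: $f" ;;
        esac
    done
}

# Stand-alone use: RUN_INVENTORY=1 ./mail_scripts_check.sh "known.scpt other.scpt"
if [ -n "${RUN_INVENTORY:-}" ]; then
    echo "Scripts under $MAIL_SCRIPTS_DIR: $(count_mail_scripts "$MAIL_SCRIPTS_DIR")"
    flag_unexpected_scripts "$MAIL_SCRIPTS_DIR" "${1:-}"
fi
```

Running it periodically (or from a launchd job) gives a simple baseline check: an empty directory is the normal state for most users, so any new file there is worth a look regardless of which vulnerability put it in place.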
Maybe a good business is bug escrow company.
From wikipedia:
> Factoring is a financial transaction and a type of debtor finance in which a business sells its accounts receivable (i.e., invoices) to a third party (called a factor) at a discount.[1][2][3] A business will sometimes factor its receivable assets to meet its present and immediate cash needs.[4][5] Forfaiting is a factoring arrangement used in international trade finance by exporters who wish to sell their receivables to a forfaiter.[6] Factoring is commonly referred to as accounts receivable factoring, invoice factoring, and sometimes accounts receivable financing. Accounts receivable financing is a term more accurately used to describe a form of asset based lending against accounts receivable. The Commercial Finance Association is the leading trade association of the asset-based lending and factoring industries.[7]
[1] https://professorfekete.com/articles/AEFMonEcon101Lecture5.p...
[2] https://professorfekete.com/articles/AEFMonEcon101Lecture6.p...
1. Company verifies the bug
2. Assigns it a price according to impact
3. Keeps details hidden until Apple pays them, then reveals the bug. Thus Apple is forced to pay, but bad actors don't get access.
Different bug markets can compete to correctly price bugs.
What is a bug's correct price? The price that a bad actor would pay for it?
> 2020-05-24: PoC done and reported to Apple
> 2020-06-04: Catalina 10.15.6 Beta 4 with [hotfix released]
> 2020-07-15: Catalina 10.15.6 Update with hotfix released
Makes me wonder how many applications on Windows and MacOS actually support the system sandbox.
> Available for: macOS Mojave 10.14.6, macOS High Sierra 10.13.6, macOS Catalina 10.15.5
[0]: https://support.apple.com/en-us/HT211289
Or maybe the script has to exist in some folder this vulnerability doesn't have access to?
The core problem is that really dumb feature which auto-expands certain zip files. I need to turn that off.
MailWebAttachment.h contains a method:
I bet that if I swizzle that to always return false, this "feature" will go away. I'll find out this weekend... Edit: Is the author's PoC available anywhere? Not that I really need it...
Do you follow all security-related announcements for Mac OS and do your own back ports and fixes?
How did you decide 10.9 is the right balance of risk for you?