AFP/SSH vulnerability in OSX
Had this notice sitting in my inbox when I got home tonight. Excerpt:
In Mac OS X 10.2, Apple updated Apple Filing Protocol (AFP) to permit secure connections over SSH (Secure Shell) protocol. However, Chris Adams, a system administrator in San Diego, Calif., noted that while users could request secure connections, the system will not issue any alert or indication if an SSH connection is unavailable and then defaults to a non-secure connection. He noted that the only indication was a negative one—users must be aware that an alert "Opening Secure Connection" did not appear.
By way of explanation, AFP is the default file sharing protocol for the Mac. With 10.x, AFP was extended to be tunneled over TCP/IP. This isn't that big of a deal on trusted networks, but there are a lot of shops who use AFP over IP to transmit files between Macs over the net. Obviously when you're going out over untrusted networks (i.e., the internet) you want to do it securely. When they think they're doing it securely, but they're not, that just sucks.
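The problem above is a silent downgrade: the client asks for SSH, nothing is shown when SSH is unavailable, and the session quietly goes out as plain AFP over TCP. The only reliable way to know which one you got is to look at the actual connections on the client. The following is an added example (not from the original post and not Apple's code) of that check in Python: it parses `netstat -an` output and reports, per file server, whether the AFP session is going straight to the server's AFP port (plaintext) or whether only an SSH session to that server exists. It assumes the standard port assignments (AFP over TCP on 548, SSH on 22), the BSD/macOS column layout of `netstat -an`, and that a working tunnel shows up on the client as an SSH session plus loopback traffic rather than a direct connection to port 548. The netstat lines are constructed for the example.

```python
"""
Added example: spot AFP sessions that have silently fallen back from an SSH
tunnel to a direct, unencrypted AFP-over-TCP connection.

Assumptions (not taken from the original post):
  - AFP over TCP/IP uses port 548 and SSH uses port 22 (standard assignments).
  - Input is `netstat -an` output in the BSD/macOS column layout:
      Proto Recv-Q Send-Q Local Address Foreign Address (state)
  - A working tunnel looks like an SSH session to the server plus AFP
    traffic to a loopback forwarding port, never a direct connection to 548.
"""
import re

AFP_PORT = 548
SSH_PORT = 22

# Constructed sample of `netstat -an` output (not a real capture).
# Host .10 receives a direct AFP connection; host .11 only an SSH session;
# the loopback line is what the client side of a port forward looks like.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.20.49152     203.0.113.10.548       ESTABLISHED
tcp4       0      0  192.168.1.20.49153     203.0.113.11.22        ESTABLISHED
tcp4       0      0  127.0.0.1.49154        127.0.0.1.10548        ESTABLISHED
tcp4       0      0  *.548                  *.*                    LISTEN
"""

# Match a TCP line and capture local address, foreign address and state.
_LINE = re.compile(r"^tcp\S*\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_addr(addr):
    """Split a BSD-style 'host.port' endpoint; the port is the last dotted field."""
    host, _, port = addr.rpartition(".")
    return host, int(port)


def established(netstat_text):
    """Yield (local_host, local_port, remote_host, remote_port) for ESTABLISHED TCP sessions."""
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(3) != "ESTABLISHED":
            continue
        lhost, lport = split_addr(m.group(1))
        rhost, rport = split_addr(m.group(2))
        yield lhost, lport, rhost, rport


def classify_afp_sessions(netstat_text):
    """
    Map each remote host to 'plaintext' if any direct AFP connection
    (remote port 548) exists, otherwise to 'ssh' if an SSH session exists.
    Loopback connections are skipped: they are the local end of a port
    forward, not traffic leaving the machine.
    """
    result = {}
    for _lhost, _lport, rhost, rport in established(netstat_text):
        if rhost.startswith("127."):
            continue
        if rport == AFP_PORT:
            result[rhost] = "plaintext"      # a direct AFP session always wins
        elif rport == SSH_PORT:
            result.setdefault(rhost, "ssh")  # only counts if no plaintext seen
    return result


def secure_afp_to(server, netstat_text):
    """True only if there is no direct AFP connection to `server` and an SSH session to it exists."""
    return classify_afp_sessions(netstat_text).get(server) == "ssh"


if __name__ == "__main__":
    for host, kind in classify_afp_sessions(SAMPLE_NETSTAT).items():
        print(f"{host}: {kind}")
```

Run it against real `netstat -an` output piped into `classify_afp_sessions` and any server that comes back as `plaintext` is one where the "secure" mount is not secure at all. A host listed as `ssh` is only as good as the assumption that the AFP traffic really goes through that forward; confirming it means checking that nothing else to that host is on port 548, which is exactly what the classifier does.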
But more disturbing:
Though Adams said he first reported this bug to Apple in early December 2003 and followed up weeks later, he received no response from the computer manufacturer. However, he told eWEEK.com that a final notice that he was going to release the information publicly resulted in a response on Friday.
So, a response time of 5-6 months until they even replied to the person submitting the vulnerability, let alone actually releasing a fix. This goes back to something I've been bitching about for a while now.

Posted by drunkenbatman