Printed from http://www.macnn.com

Details on Mac OS X/Safari security vulnerability

updated 05:45 pm EDT, Tue May 18, 2004

Mac OS X/Safari security

eWEEK has a .




by MacNN Staff


Comments

  1. PookJP

    Joined: Dec 1969

    0

    ...

    Who the h*** comes up with these things?

  1. dcrosby

    Joined: Dec 1969

    0

    who

    Satan himself. And Bill Gates.

  1. atomicon

    Joined: Dec 1969

    0

    SCARY

    Wow, that's scary. I clicked on the link to the example page (thinking that the warning about clicking it referred to a link on that page) and, lo and behold, my Terminal opened up and started processing a Unix command. As they said, it's harmless, but if it hadn't been, it was definitely too late to do anything about it... YIKES.

  1. jimothy

    Joined: Dec 1969

    0

    My fix

    I modified the script at /Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt (as pointed out in the 2nd-to-last link above) so it prompts you whether you want to allow or deny the script to run. If you click "Deny", it will not run:

    on «event helphdhp» (completeParam)
        -- localizable text
        set cancelBtn to "Cancel"
        set errorText to "The item cannot be opened. It may be disabled or not installed."
        --end localizable text

        try
            display dialog "Something is trying to run: " & completeParam buttons {"Allow", "Deny"} default button 2 with icon 0

            set buttonPressed to (button returned of result)

            if (buttonPressed is "Allow") then
                tell application "Finder"
                    open file completeParam of the startup disk
                end tell
            end if
        on error errMsg number errNum
            display dialog errorText buttons {cancelBtn} default button 1 with icon 0
            return
        end try
    end «event helphdhp»

  1. klinux

    Joined: Dec 1969

    0

    Seriously

    What's to prevent a script kiddie from posting a link (Kournikova!) in Macnn Lounge or in Appleinsider, Macrumors, Macslash, etc. that lures unsuspecting people to execute destructive commands!

    Sure, one could say the axiom of don't download/open/click/visit whatever from unsuspecting people but we know that does not work in real life.

    The next step would be for someone to write a mail.app script that sends out e-mail to everyone in one's Address Book, spoofs the return address and includes a link and then executes that command on the user's own machine. Voila! The first OS X virus!

    (Shudders)

  1. ibmjones

    Joined: Dec 1969

    0

    Not that serious

    It looks bad, but because of Mac OS X's Unix security model, the worst it could do is to blow away the user's home directory. I imagine that even being logged into the machine as the admin user, it wouldn't do that much damage.

    Now if the vulnerability allows the script to elevate itself as the superuser (root), that would be a different story. But as it stands now, I don't think that it will happen any time soon.

  1. bauhaus

    Joined: Dec 1969

    0

    UNIX

    The thing is, real UNIX is far better in security than Apple's bastardization. Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX. It's part of the reason why OS X wouldn't be able to obtain UNIX certification from the Open Group. (FYI, early versions (pre-beta) of OS X qualified for UNIX certification -- the modifications after modifications by the time of deployment removed the OS from certification.)

  1. Simon

    Joined: Dec 1969

    0

    Re: UNIX

    > Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX.

    Example? Proof?

    Nope. Just FUD.

  1. klinux

    Joined: Dec 1969

    0

    Oh yeah

    > the worst it could do is to blow away the user's home directory

    Here, ibmjones, click on this link over here....

    Just because you don't think it is serious does not mean it is not serious.

  1. klinux

    Joined: Dec 1969

    0

    Easy there

    Hey Simon, don't use FUD if you do not know what it means.

    Apple did modify the basics of UNIX - I would call case insensitivity and unexpected naming of system directories basic enough. Whether I would call it "compromised" is another question, however.
