"OS X security flaw = Headlines WIn Security flaws = Little Notice "

Windows security flaws get plenty of notice and headline too. Please stop acting like you are a victim or something.

This one is not particularly worrying, because it's not associated with insecure design or policy like the Safari Dashboard install bug is. THAT is Windows-like, just a little, in the same way that an unpaid parking ticket is like grand theft auto. That's not to say, though, that one shouldn't pay ones metaphorical parking tickets...

No mention of leaked password at all. It provides basic information about the computer and various user accounts to someone who may be interested in breaking into it. That information would make it easier (than blindly guessing) to target the machine for a break-in but it would still require more effort.

Which is a concern only if your computer is accessible from the outside (i.e. not behind one or more firewalls).

But I agree that it seems that the Apple is paying less and less attention to security. Their different groups seem to be in 'communications blackout". They don't seem to spend any time in the "Wow, great idea. Now let's make sure this is secure and not likely to cause breaches." Like the widget thing. The Finder group decides to set up widgets to auto-install. Not taking into account that if safari tries to open the file, it'll get installed wihtout concern. Now its compositing in quicktime over the internet. Great idea guys.

So, what's next week. Finding out that all data we type into safari gets stored in a specific file that's transmitted over the internet to Apple's web servers unencrypted?

Sketchy "potential" critical information leak discovered, with fix (how much productivity will we lose by disabling composites) and soon permanent fix. Ye of little faith, where is the evidence that Apple is any more or less security concious? This stuff was coded months ago, maybe a year or more just like the dashboard stuff, do you think that security focus is a flavor of the week thing? So far pretty petty stuff, personally I am glad of the scrutiny and have confidence that no major flaws are lurking underneath. Must be you guys do your jobs so well that you never overlook anything, or maybe not and that's why you think the end of the world is around the corner?!? First evil widgets, now composites from h***, let's see, Apple, successful exploits - 0, virus count - 0, Windows successful exploits - happening right now, virus count - nearly 100,000. Hmmmm, it's ok to breath easily, take a prozac and get some sleep, the only communications blackout is apparently between the cognition and reaction sections of your brains.

another workaround is to stop watching p*** on the interent

A few people are critical that the disclosure of this problem was so detailed. At least two people independently saw the potential for misuse on the Quartz Composer developer mailing list. There is nothing to say that malicious people have not used this to gain information from unsuspecting users.

By publishing the full details, people can evaluate the risks for themselves and take informed action. Other security researchers can verify my results. People can exercise pressure on the vendor to quickly address the problem since it is out in the open. Finally, it will help third-parties to think an extra round about the features of their apps, so that they do not make the same or similar mistake.

With hand-waving and unsupported claims of "some information disclosure vulnerability in QC", these goals would not have been met.

And if anyone thinks that Windows has _less_ eyes on it (and gets less headlines) for security issues, you really need to take a reality check...If you consider that I, personally, have found a dozen security flaws (6 of which have been disclosed thus far) in less than three months, that indicates that not very many people at all are scrutinizing OS X's security. Yet.

/ Regards, David Remahl

The annoying thing is that this entire class of problem, malicious external software, has had a solution for over 30 years now. Someone should dig up some of those old papers on protection domains. Obviously, what a piece of software can do should be limited by which domain it comes from. If it wants more privileges, it should have to ask the user nicely.

Dang ecrelin, that is a long post full of nothing, whenin doubt, drag out the dead horse of virus count of Windows vs OS X.

I mean forget about the fact that many of the virus will not longer work in XP SP 2 or anything or the fact that the major threat now is due to phishing or the fact many of the exploits published are academic rather than happening in the wild.

But heck, forget about what Apple is doing wrong, let's talk about what Windows is doing worse.

Yeah, it's only your username and apparently internal id. The rest is almost assumed. Even if it sends information on your machine it isn't difficult to blueprint information once you have an IP. Your external IP is going to be there even if you are behind a router. So, if you take a user w/ a airport base station doing nat and dhcp, the 'exploit' will have the machine blueprint, your login name, and your internal ip. Figuring out the router and what's running on it isn't difficult either. All of that is for the sk's. So if you have services w/ port forwarding from the router you may be in vulnerable, and if you are sitting there w/ a real IP (as opposed to invalid) and you're just hooked up to your 'modem' then you're more vulnerable. Joe gets your ip and username then launches an attack against your password remotely. Even takes a few EASY guesses for a lot of people and suddenly he's in. Of course you'd have to allow him to log in remotely in the first place so there's the protection, but if you need to log in remotely/share then you have to use the fix here. It's not trivial.