[muglo] Re: Mac OS X vulnerable to one-two combo attack
- From: "Eric D" <hideme666@xxxxxxxxxxx>
- To: muglo@xxxxxxxxxxxxx
- Date: Fri, 21 May 2004 01:38:23 -0400

I have a suspicion that the authors of the ZDNet stories and that particular
website are trying to drum up ad readership by exaggerating these
vulnerabilities. What you can do with a malicious script is pretty limited
by the fact that Mac OS X severely limits apps' access to system
directories/code and gives no access to files inside the home directories of
other users.

I find the following article a tad misleading since Apple's solution to
updating their OSes seems to be quite robust and likely captures a very
sizeable portion of the Mac OS X-using world (with internet access... and
these are the people vulnerable ;). The default for OS X is to have Software
update set to check in with Apple every week IIRC (and, if you happen to
miss a "scheduled" update, Software update checks immediately the next time
the web becomes available).

http://zdnet.com.com/2100-1105_2-5205912.html

I wouldn't worry about any of this nonsense. News agencies have gotten the
public so immune to "normal" news that the only way they can get eyeballs or
ear drums is by sensationalising (i.e. fudging) stories (the British press
is horrible for that... even the BBC partakes at times (IMNSHO the CBC is
generally a higher quality broadcaster. BBC 4 has some very aggressive &
impressive morning show hosts (who can ask some very pointed and crafty
questions of their guests (a very adversarial style of interviewing)) but
after 9:00 the quality of programming drops off for the whole day (unlike
CBC radio 1)).

Apple's strategy for dealing with 'critical' updates is preferable to that
of M$ IMNSHO (of course, they are limited by a poor implementation of auto
update mechanisms in their various OSes). I'd rather the update be released
quietly so that the bulk of users are updated before the hackers have a
chance to reverse engineer the update, which, in turn means there's little
incentive for them to bother exploiting it since only a few (foolish) people
will have turned off the auto-update feature. Also, since these people have
figured out _how_ to turn off auto-update they are likely more computer
literate than your average Joe so they will have different strategies
available to them to protect their computers from malicious use.

Eric.

>From: spellboundpub@xxxxxxxxxx
>Reply-To: muglo@xxxxxxxxxxxxx
>To: muglo@xxxxxxxxxxxxx
>Subject: [muglo] Mac OS X vulnerable to one-two combo attack
>Date: Thu, 20 May 2004 14:11:14 -0700 (PDT)
>
>This ZDNN (http://www.zdnn.com/) story has been sent to you from
>spellboundpub@xxxxxxxxxx
>
>Mac OS X vulnerable to one-two combo attack
>By Robert Lemos
>
>Two flaws, when used together, could let attackers who concoct a special
>Web site place a file on a Mac and then run the file through a simple
>browser command.
>
>http://zdnet.com.com/2100-1105_2-5215586.html?tag=sas.email
>
>Read all technology news from this week:
>http://www.news.com/thisweeksheadlines/
>
>--------------------------------
>Copyright 2004 CNET Networks, Inc. All rights reserved.
>CNET Networks, Inc.
>235 Second Street
>San Francisco, CA 94105
>U.S.A.
>
>_________________________________________________
>
>For information concerning the MUGLO List just click on
>
> http://muglo.on.ca/Pages/joinus.html
>
>Don't forget to periodically check our web site at:
>
> http://muglo.on.ca/
>