Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote iChat Exploit Patched

Posted by pudge on from the gotta-restart-now-brb dept.

99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."

3 of 55 comments (clear)

  1. Re:social engineering by Cecil · · Score: 4, Insightful

    Seriously though, I could easily socially engineer anyone. How hard to you have to try to get someone to click on a link? Just tell them it's a really cool site.

    Do you click on unsolicited links from strangers? Wow, I guess IM Spam *is* effective after all.

    The FA says that it now opens a finder window to where the program is. A user could tell a person to click on a "link" and the click on a "link" in the resulting window.

    What? This is not Windows, where Internet Explorer == Windows Explorer. Finder is a completely distinct application from Safari or any other web browser. It does not display links, it displays files. This is extremely clear to even a poor, intellectually challeged 'Mac-user'.

    --
    Random and weird software I've written.
  2. Re:All I want to know is... by 47Ronin · · Score: 5, Insightful

    Why can't the installer do that for them?
    #1 It's rude for the OS to just instantly reboot the machine. It just makes a STRONG suggestion to reboot. What if you have unsaved work that you really NEED to finish now? At least the OS is not crippled during the install.

    #2 Rather than risking the probability that a process doesn't HUP properly, it's safer for Apple just to reboot the Mac so that simple Mac users will get a proper reset of all processes. Helps avoid customer service issues if a HUP doesn't go correctly. Advanced users can usually avoid a reboot and just restart the process that was affected.

    --
    Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
  3. Re:All I want to know is... by 47Ronin · · Score: 5, Insightful

    Stop trying to justify extremely poor design choices. It could try to HUP the process, and if it goes wrong, ask the user to do a logout or reboot. There's often no need to reboot at all.

    It may be poor design to you, but to the majority of users it is no big deal. In fact, it is safer to reboot than to have to script a process hangup which may involve other running applications, which could get messy. Now, the installer does not force you to reboot, it merely puts up a modal dialog that a reboot is required for changes to take affect, which you can dismiss until you feel like returning to it to click "Reboot" ... I'm pretty damn sure Apple could easily change the installer to kill -HUP a process, but what if you're currently using it? What if the kernel was patched and requires a reboot, but you're downloading a giant tarball? Wouldn't you rather have the option of rebooting later? If you REALLY don't want to reboot, force quit the installer so it doesn't bother you (or update via command line instead). Who knows, maybe Tiger will allow for HUP'd upgrades. Apple plays it safe by suggesting a reboot for core system item upgrades. It DOES NOT ask for a reboot when a sofwareupdate upgrades stuff like iMovie or XCode, which are self-contained apps that do not have shared libraries or hooks into system files.

    --
    Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.