Remote iChat Exploit Patched
99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."
This sounds exactly like the away:// hole in AIM from a few weeks ago. Has anyone audited the UNIX talk command for similar bugs?
Why can't the installer do that for them?
#1 It's rude for the OS to just instantly reboot the machine. It just makes a STRONG suggestion to reboot. What if you have unsaved work that you really NEED to finish now? At least the OS is not crippled during the install.
#2 Rather than risking the probability that a process doesn't HUP properly, it's safer for Apple just to reboot the Mac so that simple Mac users will get a proper reset of all processes. Helps avoid customer service issues if a HUP doesn't go correctly. Advanced users can usually avoid a reboot and just restart the process that was affected.
Those who laugh at you for you having a Mac.. are the people who constantly call you to fix their PC.
How hard is it to socially engineer the average Mac user?
you wouldn't believe how easy it is. whenever new users come into the "panther" chatroom using ichat, they are told to hit command-L for a list of other chatrooms. 80% fall for it. some repeatedly; they come back and ask for the key combo again, figuring they entered it wrong the first time.
"I DARE you to make less sense!"
Stop trying to justify extremely poor design choices. It could try to HUP the process, and if it goes wrong, ask the user to do a logout or reboot. There's often no need to reboot at all.
... I'm pretty damn sure Apple could easily change the installer to kill -HUP a process, but what if you're currently using it? What if the kernel was patched and requires a reboot, but you're downloading a giant tarball? Wouldn't you rather have the option of rebooting later? If you REALLY don't want to reboot, force quit the installer so it doesn't bother you (or update via command line instead). Who knows, maybe Tiger will allow for HUP'd upgrades. Apple plays it safe by suggesting a reboot for core system item upgrades. It DOES NOT ask for a reboot when a softwareupdate upgrades stuff like iMovie or XCode, which are self-contained apps that do not have shared libraries or hooks into system files.
It may be poor design to you, but to the majority of users it is no big deal. In fact, it is safer to reboot than to have to script a process hangup which may involve other running applications, which could get messy. Now, the installer does not force you to reboot; it merely puts up a modal dialog that a reboot is required for changes to take effect, which you can dismiss until you feel like returning to it to click "Reboot".
Every time you reboot, god kills a kitten.
I am not certain exactly what is going on with these updates, but I think you are missing two pieces of data. First, there are two versions of "Security Update 2004-09-07" 1.0 and 1.1. Second, although I'm not certain it is relevant, the only demo of this exploit I saw called the ftp: handler and directed it at a local .app bundle in order to launch it. My test of the exploit, however, failed. This might be due to the fact that ftp had been broken by a previous update.
It would be interesting to hear how this round of updates came about.