Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mac OS X Struck By Severe Security Hole

Posted by ryuzaki0 on from the bend-over-everyone dept.

An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."

4 of 559 comments (clear)

  1. Re:System should be safe by Peganthyrus · · Score: 5, Insightful

    this exploit can only affect items that the user has rights to

    Like ~/Documents/ where you're encouraged to store pretty much everything you make with your machine.
    Or ~/Pictures/ where iPhoto keeps everything it loads up.
    Or ~/Music/ where iTunes puts all your music.
    Or wherever the hell iMovie keeps what you build with it - probably either ~/Movies/ or ~/Documents/
    Or wherever the hell GarageBand keeps its work.

    Sure, the machine still boots. But if a script does rm -rf ~*.* you're kinda fucked. Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'?

    --
    egypt urnash minimal art.
  2. Re:Seriously by AHumbleOpinion · · Score: 5, Insightful

    I believe the poster's comments better relate wishing that hackers would act more like ex-criminals developing security systems. Ie, reformed bank robbers providing a service to make banks more secure; they obviously have the skills, they might as well use them for good.

    I think your analogy doesn't really support your point and in fact supports the GP. Reformed bank robbers are not really security experts who can design new security systems, I think you your opinion is based more on movies than on reality. Similarly, hackers are romanticized, their skills exaggerated, in movies and in ill informed nerd mythology spread by sites like slashdot.

    It really is that hackers outnumber developers and that developers have to be perfect all the time and one of the hackers just needs to get lucky once. Hackers are often more like specialized technicians that are skilled in a narrow range, not a skilled engineer that can design a system from scratch. And then there are the kiddies.

  3. Re:This IS a bad one by shotfeel · · Score: 5, Insightful

    Yes, its really a bug in LaunchServices, not the browser (any download method is vulnerable). It takes advantage of Apple's split-personality when dealing with files -is file type determined by extension or creator code? This is what can happen when they don't coincide.

  4. False analogy by xiphoris · · Score: 5, Insightful

    For the most part, it always requires less skill to break something than to get something working.

    Your car analogy would be good if we were talking about computer code -- it takes a lot more skill to write some good code than to mess it up (in textual form). But that's not what we're talking about here.

    We're talking about circumvention of security, often known as "breaking" it; but that break (to circumvent protection) is a very conceptually different break than your car example (to render nonfunctional).

    Finding exploits like this takes time, intelligence, and often understanding of the software in question. Especially in a well-crafted system, you have to know how the system works in order to circumvent it.