Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Closes iSight Security Hole

Posted by CmdrTaco on from the nobody-wants-to-see-me-naked dept.

Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (isight) web cam sees up to the server. I'm glad they fixed this quickly."

8 of 213 comments (clear)

  1. Keep their little heads in the sand. by delire · · Score: 2, Insightful

    Got to love the idea of using an OS whose scope of security vulnerability need to be 'leaked' to be known.

    Fsck that..

  2. Re:Security Hole? by djh101010 · · Score: 3, Insightful

    That's going to keep me laughing a long time. ESPECIALLY at the mac zealots out there (those who believe it was the perfectly secure OS,

    You know, it's funny. The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you. Maybe you just don't read clearly and you think Mac folks actually are saying it, or maybe you're just an AC trying to stir up discussion. So are you ignorant, or are you lying?

  3. Give me a break by CODiNE · · Score: 3, Insightful

    So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.

    Did any of you bother to try out the exploit? I just did... know what it does? It turns on that bright green LED right next to the camera, the one that tells you when it's on. It's pretty bright and when it turns on all of the sudden, you NOTICE. It then proceeded to crash my browser. Well it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.

    True with proprietary software one just never knows for sure, but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother. Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.

    --
    Cwm, fjord-bank glyphs vext quiz
  4. Re:Security Hole? by TheRaven64 · · Score: 2, Insightful

    The original iSigh had a physical shutter. When the camera was turned off, the shutter closed. You could look in the end and see that it was impossible to take a picture. I don't understand why something like this wasn't included with the built-in one; a simple slider over the front would have done the trick...

    --
    I am TheRaven on Soylent News
  5. Fundamental design problem by MobyDisk · · Score: 2, Insightful
    People who think Apple is safe by design need to take a hard look at this vulnerability.

    Description: Java applets may use QuickTime for Java to obtain the images... This is just like the classic Microsoft/ActiveX type of problems. They exposed a control to web pages then realized, after the fact, that the control could do things they didn't intend. It's just like how MS Office was exposed via VBScript/JScript. And just like how Firefox exposed XUL commands. So now Apple exposed native controls via Java.

    Apple's solution is the same as Microsoft's. Only "signed" applets can access this control now. The fundamental problem though, is that unsigned applets shouldn't be able to access anything outside of the standard Java classes. They need to stop making blacklists and whitelists of what controls are safe, and instead, make it so that no controls are safe.
  6. Re:Why this is interesting by IamTheRealMike · · Score: 2, Insightful
    As for how long you think a malicious ad doing *anything* on a major network would survive, let's just say "not long".

    It doesn't have to be long, that's the trick. This isn't a theoretical problem, it has actually happened multiple times with previous browser based exploits. One ad-based attack is estimated to have zombied over a million machines in the span of hours it was live for. This makes sense - ad networks serve millions of impressions per hour, and it can easily take several hours for them to respond and pull an ad, especially if it goes live in the middle of the night (or worse, the ad is designed to behave itself when loaded into the ad networks IP address range - I believe this has also happened).

    See here for more details

  7. Re:Security Hole? by Moofie · · Score: 4, Insightful

    And you should always take every word that comes out of a salesperson's mouth as the gospel truth, and not apply common sense ever.

    --
    Why yes, I AM a rocket scientist!
  8. Re:Security Hole? by Anonymous Coward · · Score: 1, Insightful

    Follow the thread. He responded to someone who claimed that someone is either ignorant or lying if they think there are people making claims like "hacker proof". Salesperson or not, this refutes the "ignorant or lying" charge. He explicitly mentioned he was doubtful of the claim.