RE: Accessibility penalty?
- Subject: RE: Accessibility penalty?
- From: "Pietrzak, Bryan" <email@hidden>
- Date: Wed, 30 Jul 2003 13:22:45 -0600
So when is Apple going to prevent the various Mach code injection
techniques?
When are the security risks like the various Haxies going to be stopped?
Seems to me that those are significant risks to the community.
Bryan
> ----------
> From: Guy Fullerton
> Sent: Wednesday, July 30, 2003 1:26 PM
> To: Bill Cheeseman
> Cc: Accessibility-Dev Mail
> Subject: Re: Accessibility penalty?
>
> On Tuesday, July 29, 2003, at 11:28 PM, Bill Cheeseman wrote:
>
> > on 03-07-29 9:29 PM, Andrew Taylor at email@hidden wrote:
> >
> >> Security. The Accessibility API allows programs to control the
> >> machine and do anything to another program completely behind the
> >> user's back. It is potentially the "back door" that weakens UNIX when
> >> remote control of another machine is left unguarded. It is just like
> >> putting your valuable data on a machine and turning on guest access
> >> on the internet. So Apple turns it off by default (as they should)
> >> and requires a real user to turn it on.
> >
> > On this theory, AppleScript and a whole lot of other built-in utilities
> > would also be turned off by default.
>
> AppleScript isn't considered quite the same type of security risk
> because app developers get to make the choice of exactly how much (if
> any) of their application is scriptable. (The details of how this
> choice is made depend on the framework used to build the app, of
> course.)
>
> However, Accessibility happens behind the developer's back (for the
> standard widgets/controls/views), thereby eliminating the developer's
> ability to choose not to support Accessibility for any of their
> existing apps. The user cannot be guaranteed that any of their existing
> apps offer the correct level of security with respect to the
> Accessibility APIs, so therefore Accessibility must be turned off by
> default.
>
> If the Accessibility APIs predated Mac OS X (the way AppleScript did),
> and if app developers understood and dealt with the implications of the
> implicit support via standard widgets, then perhaps Apple could have
> turned it on by default in Mac OS X.
>
> I'm not sure what other built-in utilities you are referring to, so I
> can't speak to those.
> _______________________________________________
> accessibility-dev mailing list | email@hidden
> Help/Unsubscribe/Archives:
> http://www.lists.apple.com/mailman/listinfo/accessibility-dev
> Do not post admin requests to the list. They will be ignored.