Re: [OT] When will Apple learn?
- Subject: Re: [OT] When will Apple learn?
- From: Sander Tekelenburg <email@hidden>
- Date: Tue, 10 May 2005 01:55:00 +0200
At 14:52 -0400 UTC, on 2005/05/09, Stephen Jonke wrote:
> On May 9, 2005, at 2:19 PM, John C. Welch wrote:
>> It takes exactly two clicks to manually run any file you download, since
>> you can do this from the download manager window. Running downloaded
>> files automatically, (for that's what you're doing when you open them) is
>> dangerous.
>
> How precisely is it more dangerous than downloading and then
> double-clicking to run it?
Because Safari's current 'security' model allows for attacks like this:
<http://64.70.134.217/widgets/zaptastic/>, which shows that all you need to
do is clickelty-clik a link (like for instance right here in your email
client), and you've got some widget installed on your system without even
knowing it. As soon as you innocently hit F12, it will execute.
There is *no* step involved that people generally label "downloading".
The worst of it is that this is very much like the help:runscript and URL
scheme security issue[*] that raised a lot of noise about exactly one year
ago[*]. This one too allows a stupid META HTTP-EQUIV="refresh" to be used.
IIRC, before the help:runscript hole got plugged Apple even suggested people
switch off Safari's option to automagically open 'safe' downloads.
I don't know exactly how secure the Dashboard 'sandbox' is. Apple obviously
considered security, but that's not to say there are no holes there. But even
if the widget respects that security model, as I understand it, all a user is
protected by from granting a widget Admin rights is a user-friendly dialog
box asking for permission. I think it is the same dialog that Apple provided
as the 'fix' for the URL scheme security hole.
But the difference is that with the old URL scheme security hole, the code
would (have to) be executed shortly after visiting the malicious site. So
as a user, you might think that's fishy. With this widget attack, it may take
minutes, hours, days, weeks, whatever before you hit F12. Fewer users will
think twice when they get that dialog *then*.
An occasional security problem is to be expected. Especially with complicated
new technologies, like LaunchServices, which was the issue a year ago. But to
have essentially the same security hole return only 1 year later, and in
something that's really just a toy, is truly pathetic.
[*] <http://www.euronet.nl/~tekelenb/playground/security/URLschemes/>
> Either way you are running it.
The difference is in being allowed to be *aware* that you will be running it.
Tiger (by default) doesn't.
--
Sander Tekelenburg, <http://www.euronet.nl/~tekelenb/>
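
[Added example, not part of the original message.] The message above describes a page using META HTTP-EQUIV="refresh" to send the browser to a file that Safari then opens as a 'safe' download. A proxy or mail filter can flag that pattern in fetched HTML, as in this Python sketch; the extension list, the function and class names, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: file types worth flagging when a page redirects to them unasked.
DOWNLOAD_EXTENSIONS = (".wdgt", ".zip", ".dmg", ".pkg", ".sit", ".tgz", ".gz")

# CONTENT looks like "0; URL=target"; the delay and "URL=" are both optional.
REFRESH_RE = re.compile(r"^\s*(\d+(?:\.\d*)?)?\s*[;,]?\s*(?:url\s*=\s*)?(.*)$", re.I | re.S)

class MetaRefreshFinder(HTMLParser):
    """Collects every <meta http-equiv="refresh"> that names a target URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names.
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        delay, target = REFRESH_RE.match(attr.get("content", "")).groups()
        target = target.strip().strip("'\"").strip()
        if not target:
            return  # plain reload of the same page, no redirect
        url = urljoin(self.base_url, target)
        path = urlparse(url).path.lower()
        self.findings.append({
            "url": url,
            "delay": float(delay or 0),
            "download": path.endswith(DOWNLOAD_EXTENSIONS),
        })

def flag_refresh_downloads(html, base_url):
    """Return the refresh targets that would fetch a file rather than a page."""
    finder = MetaRefreshFinder(base_url)
    finder.feed(html)
    finder.close()
    return [f for f in finder.findings if f["download"]]

# Constructed sample page; example.test is a placeholder host.
SAMPLE = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="0; URL=files/demo.wdgt.zip">
<meta http-equiv="refresh" content="30; url=/news.html">
</head><body>hello</body></html>"""
```

Calling flag_refresh_downloads(SAMPLE, "http://example.test/page/") reports only the first tag; the 30-second redirect to an ordinary page is not flagged.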