Security patch 2008-005 and scripting additions
Security patch 2008-005 and scripting additions
- Subject: Security patch 2008-005 and scripting additions
- From: Bill Cheeseman <email@hidden>
- Date: Fri, 01 Aug 2008 05:41:01 -0400
- Thread-topic: Security patch 2008-005 and scripting additions
Yesterday's security patch 2008-005 from Apple included this:
"Impact: A local user may execute commands with elevated privileges
Description: A design issue exists in the Open Scripting
Architecture libraries when determining whether to load scripting
addition plugins into applications running with elevated privileges.
Sending scripting addition commands to a privileged application may
allow the execution of arbitrary code with those privileges. This
update addresses the issue by not loading scripting addition plugins
into applications running with system privileges. The recently
reported ARDAgent and SecurityAgent issues are addressed by this
update. Credit to Charles Srstka for reporting this issue."
Does "scripting addition plugin" mean what we normally refer to as
"scripting addition"? And exactly what usage patterns does this patch
prevent? (I didn't follow the ARDAgent and SecurityAgent threads closely
enough to know just what was involved.)
But my main question is this: After the patch, is it possible to work around
the new restriction by providing for user authentication?
--
Bill Cheeseman - email@hidden
Quechee Software, Quechee, Vermont, USA
www.quecheesoftware.com
PreFab Software - www.prefabsoftware.com
_______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users
This email sent to email@hidden