Lists

Open Menu Close Menu

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

Re: Security patch 2008-005 and scripting additions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Security patch 2008-005 and scripting additions

Subject: Re: Security patch 2008-005 and scripting additions
From: Hamish Sanderson <email@hidden>
Date: Fri, 1 Aug 2008 14:02:33 +0100

Charles Profitt wrote:

John DeTroye denied that a regular user could elevate their privs when I asked him about this... so I was worried that Apple was not taking this seriously.

I am glad this has been patched.

It's a start (and a reminder of the essential evilness of osaxen as an extension mechanism).

However, while I'm no security expert, I can't help feeling this is only part of a larger concern: as far as I can make out, the main problem with the Apple event IPC security model is that there isn't one. For example, why should a non-privileged process [without additional authentication] be allowed to send *any* Apple events to privileged processes in the first place?

Anyone with more security chops care to weigh in?

Hamish
--

Hamish Sanderson
Production Workflow Developer
Sun Branding Solutions Ltd
Tel: +44(0)1274 200 700
www.s-brandingsolutions.com


_______________________________________________
Do not post admin requests to the list. They will be ignored.
AppleScript-Users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
Archives: http://lists.apple.com/archives/applescript-users

This email sent to email@hidden

Follow-Ups:
- Re: Security patch 2008-005 and scripting additions
  - From: "John C. Welch" <email@hidden>

Prev by Date: Re: Security patch 2008-005 and scripting additions
Next by Date: Alias Files
Previous by thread: Re: Security patch 2008-005 and scripting additions
Next by thread: Re: Security patch 2008-005 and scripting additions
Index(es):
- Date
- Thread