Re: Security patch 2008-005 and scripting additions
- Subject: Re: Security patch 2008-005 and scripting additions
- From: Hamish Sanderson <email@hidden>
- Date: Fri, 1 Aug 2008 14:02:33 +0100
Charles Profitt wrote:
> John DeTroye denied that a regular user could elevate their privs when I
> asked him about this... so I was worried that Apple was not taking this
> seriously.
> I am glad this has been patched.
It's a start (and a reminder of the essential evilness of osaxen as an
extension mechanism).
However, while I'm no security expert, I can't help feeling this is
only part of a larger concern: as far as I can make out, the main
problem with the Apple event IPC security model is that there isn't
one. For example, why should a non-privileged process [without
additional authentication] be allowed to send *any* Apple events to
privileged processes in the first place?
Anyone with more security chops care to weigh in?
Hamish
--
Hamish Sanderson
Production Workflow Developer
Sun Branding Solutions Ltd
Tel: +44(0)1274 200 700
www.s-brandingsolutions.com