Re: A wild OS X security hole appears!!!! [Was: Application library ?]
- Subject: Re: A wild OS X security hole appears!!!! [Was: Application library ?]
- From: Shane Stanley <email@hidden>
- Date: Wed, 06 Jan 2016 10:48:19 +1100
On 6 Jan 2016, at 9:57 AM, Shane Stanley <email@hidden> wrote:
>
> On 6 Jan 2016, at 4:35 AM, has <email@hidden> wrote:
>>
>> OK, so before I Radar the following wharrgarbl as a Major Security Hole, can someone else here please *confirm* for me that installing an OS X application named (e.g.) 'Foo.app' containing a script library named 'Bar.scpt[d]' does indeed automatically override an identically named 'Bar.scpt[d]' library in '~/Library/Script Library' whenever a user script subsequently executes a `use script "Bar"` import statement.
>
> Um, no, that does not happen.
FWIW, the order outlined in the ASLG appears to be incorrect: ~/Library/Script Libraries is checked before app bundles. However, /Library/Script Libraries appears to be checked after app bundles, so let's assume that's what Hamish meant.
Armageddon? Hardly. Yes, someone could distribute scripts that do nefarious things. It's been that way for more than 20 years. Automator is open to something similar. Apps can already use AppleScript to hide malicious code. And without a StandardLib it's moot anyway.
Why would someone bother, when they can cause so much more damage, and to a much wider audience, without resort to such an obscure technique? I mean, how many "psychopathic anti-AppleScriptists" are there? And why can't the App Store audit this code?
Personally, the existence of "do shell script ... with administrator privileges" makes me lose more sleep.
--
Shane Stanley <email@hidden>
<www.macosxautomation.com/applescript/apps/>
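An added example, not part of the original post: a defender-side audit that lists script library names present in more than one search location, using the order the post reports (~/Library/Script Libraries, then app bundles, then /Library/Script Libraries). The bundle subpath `Contents/Library/Script Libraries`, the function names, the case-insensitive name match and the directory tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict
LIB_EXTS = (".scpt", ".scptd")

def libraries_in(folder):
    """Return {lowercased library name: path} for script libraries directly inside folder."""
    found = {}
    if os.path.isdir(folder):
        for entry in sorted(os.listdir(folder)):
            name, ext = os.path.splitext(entry)
            if ext.lower() in LIB_EXTS:
                found.setdefault(name.lower(), os.path.join(folder, entry))
    return found

def search_path(home, apps_dir, system_lib):
    """Folders in the order observed in the post: user, app bundles, /Library."""
    order = [os.path.join(home, "Library", "Script Libraries")]
    if os.path.isdir(apps_dir):
        for app in sorted(os.listdir(apps_dir)):
            if app.endswith(".app"):
                # Assumed bundle layout for libraries embedded in an application.
                order.append(os.path.join(apps_dir, app, "Contents", "Library", "Script Libraries"))
    order.append(os.path.join(system_lib, "Script Libraries"))
    return order

def find_shadowing(folders):
    """Map each library name found in more than one folder to its paths, winner first."""
    hits = defaultdict(list)
    for folder in folders:
        for name, path in libraries_in(folder).items():
            hits[name].append(path)
    return {n: p for n, p in hits.items() if len(p) > 1}

def demo():
    """Build a constructed directory tree and report the collisions in it."""
    root = tempfile.mkdtemp()
    home, apps, lib = (os.path.join(root, d) for d in ("home", "Applications", "Library"))
    for folder, lib_name in [
        (os.path.join(home, "Library", "Script Libraries"), "Baz.scpt"),
        (os.path.join(apps, "Foo.app", "Contents", "Library", "Script Libraries"), "Bar.scptd"),
        (os.path.join(lib, "Script Libraries"), "Bar.scpt"),
    ]:
        os.makedirs(folder)
        open(os.path.join(folder, lib_name), "w").close()
    return find_shadowing(search_path(home, apps, lib))

if __name__ == "__main__":
    for name, paths in demo().items():
        print(name, "resolves to", paths[0], "and shadows", paths[1:])
```

On a real machine, call `find_shadowing(search_path(os.path.expanduser("~"), "/Applications", "/Library"))` and review any name whose first path sits inside an app bundle.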