Re: Security Update [Was: Re: Script Library Search Order]
- Subject: Re: Security Update [Was: Re: Script Library Search Order]
- From: has <email@hidden>
- Date: Wed, 20 Jan 2016 13:58:29 +0000
Martin Orpen wrote:
> Today’s Security Update:
>
> OSA Scripts
> Available for: OS X El Capitan v10.11 to v10.11.2
> Impact: A quarantined application may be able to override OSA script
> libraries installed by the user
> Description: An issue existed when searching for scripting
> libraries. This issue was addressed through improved search order and
> quarantine checks.
> CVE-ID
> CVE-2016-1729 : an anonymous researcher
Eh, don't look at me, my lazy ass still hasn't filed the ticket (started
writing it up, forgot to finish it). Maybe Chris pre-empted it, or a
real security researcher reported it first.
Still, at least that [hopefully] plugs the security aspect.
Though, of course, it's no improvement in any other respects: it's still
quite a good idea executed really badly. It just means user-installed
libraries can now accidentally mask library-supplied ones, plus
searching every .app bundle _automatically_ makes the initialization
process needlessly slow/stale. So the correct way to implement
app-embedded library support remains `script "SomeLib" of application
"SomeApp"`. This is why we have explicit namespaces and object
specifiers, to provide clarity, certainty, and sanity in an otherwise
crazy world.
Regards,
has
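
The masking effect described in the message above can be audited on a given machine. The following is an added example, not code from the post or from Apple: it resolves library names first-match-wins over an ordered list of search roots and reports every library hidden by an earlier one. The search order, the directory layout and all file names except `SomeLib` and `SomeApp` are constructed assumptions; pass in the real roots in the order your OS version uses.

```python
import os
import tempfile

LIB_EXTS = (".scpt", ".scptd")  # script library file types, compared by base name

def find_libraries(root):
    """Map library name -> path for libraries directly inside one search root."""
    if not os.path.isdir(root):
        return {}
    found = {}
    for entry in sorted(os.listdir(root)):
        name, ext = os.path.splitext(entry)
        if ext.lower() in LIB_EXTS:
            # Assumption: names are matched case-insensitively.
            found.setdefault(name.casefold(), os.path.join(root, entry))
    return found

def audit_search_order(roots):
    """First match wins: return (winners, masked) for an ordered list of roots."""
    winners, masked = {}, {}
    for root in roots:
        for name, path in find_libraries(root).items():
            if name in winners:
                masked.setdefault(name, []).append(path)  # hidden by earlier root
            else:
                winners[name] = path
    return winners, masked

def demo():
    """Build a constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        user = os.path.join(tmp, "Users", "demo", "Library", "Script Libraries")
        app = os.path.join(tmp, "Applications", "SomeApp.app", "Contents",
                           "Library", "Script Libraries")
        for root, files in ((user, ["SomeLib.scpt", "Mine.scptd"]),
                            (app, ["SomeLib.scptd", "AppOnly.scpt"])):
            os.makedirs(root)
            for f in files:
                open(os.path.join(root, f), "w").close()  # empty placeholder files
        # Assumed order: user library folder is searched before app bundles.
        winners, masked = audit_search_order([user, app])
        rel = lambda p: os.path.relpath(p, tmp)
        return ({n: rel(p) for n, p in winners.items()},
                {n: [rel(p) for p in ps] for n, ps in masked.items()})

if __name__ == "__main__":
    winners, masked = demo()
    for name, paths in masked.items():
        print(f"{name}: {winners[name]} masks {paths}")
```

Any name that appears in `masked` is one a bare `script "SomeLib"` reference would resolve differently from what the app author shipped.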