RE: [Fed-Talk] Apple's security belly-flop
- Subject: RE: [Fed-Talk] Apple's security belly-flop
- From: "Fairbanks, Lee (contr-ird)" <email@hidden>
- Date: Fri, 24 Feb 2006 15:50:44 -0500
- Thread-topic: [Fed-Talk] Apple's security belly-flop
The fix to the problem would be to patch Safari so that if it tried to
auto-open a file thought to be "safe" by its file extension, and it
turns out to be a shell script or other executable once the metadata is
parsed, then it should not auto-execute.
-lee
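The check described above, sketched as an added example (not code from the thread or from Apple): refuse to auto-open a download when what is inside the file contradicts its "safe" extension. Since the Finder metadata parsing Lee mentions is not shown here, the example stands in for it with two assumed signals, content magic bytes and an executable permission bit; the safe-extension list is a constructed sample, not Safari's actual policy.

```python
import os
import stat
from typing import Optional, Tuple

# Constructed sample of extensions a "safe files" policy might auto-open.
SAFE_EXTENSIONS = {".jpg", ".png", ".gif", ".txt", ".pdf", ".mov", ".mp3"}

# Content signatures that mark a file as executable regardless of its name.
# Mach-O and ELF values are the standard header magics; the shebang marks a
# script. (0xCAFEBABE is also the Java class-file magic, so it is reported
# as a generic "universal binary / class file" signature.)
EXECUTABLE_MAGIC = {
    b"#!": "script with shebang",
    b"\x7fELF": "ELF binary",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary / Java class file",
}


def classify_content(data: bytes) -> Optional[str]:
    """Return a label if the leading bytes match an executable format."""
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def auto_open_allowed(path: str, data: bytes, mode: int) -> Tuple[bool, str]:
    """Decide whether a download may be auto-opened: (allowed, reason).

    The extension alone is never trusted; the content signature and the
    permission bits must agree that the file is not executable.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext not in SAFE_EXTENSIONS:
        return False, "extension %s is not on the safe list" % (ext or "(none)")
    kind = classify_content(data)
    if kind is not None:
        return False, "content is %s despite %s extension" % (kind, ext)
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False, "file carries an executable permission bit"
    return True, "extension, content and permissions agree: not executable"
```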
-----Original Message-----
From: fed-talk-bounces+lee.fairbanks.ctr=email@hidden
[mailto:fed-talk-bounces+lee.fairbanks.ctr=email@hidden] On
Behalf Of Michael Pike
Sent: Friday, February 24, 2006 3:12 PM
To: Brian Raymond
Cc: email@hidden
Subject: Re: [Fed-Talk] Apple's security belly-flop
What kind of patch will fix this? Apple to cripple iChat so it won't
send files?
The bottom line is educate your users.
And let me also elaborate on another of your comments. "Has not had
the eyes on it other OS's have."
Mac is Unix-based... Unix has been around since the '60s... core
Unix doesn't have as many problems as Windows.
There is a difference between ASKING a user to accept a file (in the
mac instance), and having it spread without the user knowing (as in
ALL windows based exploits).
mike
On Feb 24, 2006, at 10:36 AM, Brian Raymond wrote:
> I don't know that Mac's reputation for security is well deserved as it has
> not had the eyes on it that other operating systems have. UNIX-like OSes
> have some advantages over the traditional target of Windows because of their
> architecture but that does not necessarily mean they are inherently more
> secure. I say that because the implementation of that OS can provide for
> serious lapses in security.
>
> There have been a number of serious security fixes provided by Apple in the
> past that are brushed over in the release notes by stating something along
> the lines of "addressed an issue in X". The current issue on the table in
> this thread is related to that same general sense. Apple does not arm its
> users and admins with the information they need to be proactive about
> managing their systems. Information needs to be provided to the community so
> they can mitigate any issues before a patch is released. When patches are
> released Apple needs to make it clear what is being addressed so
> vulnerabilities don't get lumped in with standard bug fixes and patched when
> convenient vs. necessary.
>
> My .02
>
> - Brian
>
>
> On 2/24/06 12:22 PM, "Rex Sanders" <email@hidden> wrote:
>
>> One of the few arguments for keeping Macs "under the radar" and on the
>> desktop at many locations is a reputation for good security.
>>
>> With the new Mac OS X scripting vulnerability(*), and Apple's silence on
>> the issue, that reputation is evaporating rapidly. If Upper IT Management
>> perceives that Macs are as big a security headache as Windows, they'll push
>> even harder to throw out the Macs.
>>
>> When are we going to hear that Apple is even working on this problem? How
>> soon can we expect a fix?
>>
>> What can Apple say to regain their reputation for secure computing?
>>
>> -- Rex
>>
>>
>> (*) In case you haven't heard, Mac OS X has a serious design flaw opening
>> a huge security vulnerability:
>>
>> http://isc.sans.org/diary.php?storyid=1138
>>
>> http://www.macintouch.com/readerreports/security/topic4055.html
>>
>> Read carefully through the end of the last link. The problem is not
>> limited to Safari, Mail.app, or Terminal. No workaround proposed so far
>> closes all the exploit paths. First reported on February 20, we have no
>> acknowledgement or "we're working on it" from Apple.
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Fed-talk mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>> 40dataline.com
>>
>> This email sent to email@hidden