Re: SCPreferencesCreateWithAuthorization: an open invitation to malware developers
- Subject: Re: SCPreferencesCreateWithAuthorization: an open invitation to malware developers
- From: Quinn <email@hidden>
- Date: Wed, 2 Jan 2008 09:59:31 +0000
At 9:00 -0800 19/12/07, Nathan Duran wrote:
Remember that trojan plugin that poked poisoned DNS servers into
unsuspecting users' network settings thereby redirecting web traffic
to phishing sites and porn ads? Well from what I've seen, 10.5 just
made that attack a whole lot easier.
[My response uses the terms from Q&A 1277 "Security Credentials".
<http://developer.apple.com/qa/qa2001/qa1277.html>
]
AFAICT this is a consequence of the shared security credentials
cache. When you log in, you acquire credentials for the admin user.
Those credentials are cached in the authorisation instance associated
with that login session. When a program run in that login session
creates an AuthorizationRef, it refers to the same authorisation
instance, and thus has access to the same credentials.
You can see exactly the same behaviour in Network preferences. If
you log in as an admin user, you can immediately go to the Network
preferences panel and start changing preferences.
Notably, you can't do the same thing in the Accounts preferences
panel. That's because Network preferences uses the
"system.preferences" authorisation right, which has the "shared"
property set to true, while Accounts uses
"system.preferences.accounts", which has the shared property set to
false.
Clearly this is a matter of policy rather than a specific bug. As
such, I'd advise you raise the issue with Apple Product Security
<email@hidden>. Regardless of my own personal feelings
on this issue, the Product Security guys are the ones who officially
get to decide on this sort of convenience vs security issue.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
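
Added example, not part of Quinn's message: a short audit that reads authorization rights in the plist format printed by `security authorizationdb read <right>` and reports which ones have the "shared" property set. The two embedded plists are constructed samples whose "shared" values follow the message above; `read_right` and `shared_rights` are hypothetical helper names.

```python
import plistlib
import subprocess

# Constructed sample rule definitions (not captured from a real system).
# The "shared" values match what the message states for each right.
SAMPLES = {
    "system.preferences": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>user</string>
<key>group</key><string>admin</string>
<key>shared</key><true/>
</dict></plist>""",
    "system.preferences.accounts": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>class</key><string>user</string>
<key>group</key><string>admin</string>
<key>shared</key><false/>
</dict></plist>""",
}


def read_right(name):
    """Fetch a right's definition on a Mac (unused by the offline demo)."""
    result = subprocess.run(["security", "authorizationdb", "read", name],
                            check=True, capture_output=True)
    return result.stdout  # the plist is written to stdout


def shared_rights(definitions):
    """Return the names of rights whose rule has shared == true.

    A missing "shared" key is treated as not shared (assumption).
    """
    flagged = []
    for name, raw in sorted(definitions.items()):
        rule = plistlib.loads(raw)
        if rule.get("shared", False) is True:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for right in shared_rights(SAMPLES):
        print(f"{right}: shared credentials cache applies")
```

To audit a live system, build the dictionary with `read_right` for each right of interest and pass it to `shared_rights`.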
Macnetworkprog mailing list (email@hidden)