Active OS X 10.10 zero-day exploit installs malware without need for system passwords


Comments

  • Reply 41 of 47
    welshdog Posts: 1,897 member
    Quote:

    Originally Posted by cropr View Post

     

    Let me be clear: both flaws should not happen


    Isn't that a little like saying "Human beings should never make mistakes."?  Or saying that creative people should always assume that their work might be used for nefarious things, thus subverting the creative process by never doing anything new?

  • Reply 42 of 47
    welshdog Posts: 1,897 member

    What exactly is "adware"?

  • Reply 43 of 47
    solipsismy Posts: 5,099 member
    welshdog wrote: »
    What exactly is "adware"?

    welshdog wrote: »
    Isn't that a little like saying "Human beings should never make mistakes."?  Or saying that creative people should always assume that their work might be used for nefarious things, thus subverting the creative process by never doing anything new?

    Suggesting that we should strive to prevent something from occurring isn't the same as being too clueless to know it will occur. For example, I shouldn't hit reply until I have proofread my comment for typos, but unfortunately that will occur because I'm not vigilant enough to prevent it from happening.
  • Reply 44 of 47
    welshdog Posts: 1,897 member
    Quote:

    Originally Posted by SolipsismY View Post



    Suggesting that we should strive to prevent something from occurring isn't the same as being too clueless to know it will occur.

    It seems to me that the enormous number of variables inherent to OS software makes bug & exploit catching a fairly herculean task.  Mistakes and misses will happen even when we strive to catch the bugs. I think saying "both flaws should not happen" casts people at Apple and Google in a bad light that they may not deserve.

  • Reply 45 of 47
    mystigo Posts: 183 member

    I might have been mistaken about the immediacy of the attack. I thought this was something that could be executed from JavaScript. It looks like that is not the case. The naive delivery mechanism would be through having the user run an installer. That installer would not require elevated privileges, but it is an installer nonetheless and something the user would have to double-click intentionally.

     

    As was pointed out by Ars Technica though, if there is any means of code execution by way of a flaw in your browser, or of course Flash, this could indeed be a drive-by situation. It would be possible using these two vectors combined to gain elevated privilege and install anything at all simply by visiting a site - no password required. Without that secondary ability to execute code arbitrarily, this is not as big a threat as I thought.

     

    If some hacker does know how to execute arbitrary code in your browser though, this is indeed a golden ticket.

  • Reply 46 of 47
    solipsismy Posts: 5,099 member
    mystigo wrote: »
    I might have been mistaken about the immediacy of the attack. I thought this was something that could be executed from JavaScript. It looks like that is not the case. The naive delivery mechanism would be through having the user run an installer. That installer would not require elevated privileges, but it is an installer nonetheless and something the user would have to double-click intentionally.

    As was pointed out by Ars Technica though, if there is any means of code execution by way of a flaw in your browser, or of course Flash, this could indeed be a drive-by situation. It would be possible using these two vectors combined to gain elevated privilege and install anything at all simply by visiting a site - no password required. Without that secondary ability to execute code arbitrarily, this is not as big a threat as I thought.

    If some hacker does know how to execute arbitrary code in your browser though, this is indeed a golden ticket.

    I came across a site yesterday that told me why Flash was out of date and then it downloaded a DMG onto my desktop.

    I don't have Flash installed on Safari nor would I be likely to click on that DMG, but I can see how many wouldn't hesitate. I've even included the sudoers check into my file for Terminal commands for when I inspect other people's Macs.

    Furthermore, occasionally I will install an app from an unknown developer to check out. I did this last week when looking for an app that will the video metadata HD tag for my iTunes content. If it asked for an admin password I would have been wary, but simply opening up in a secondary user account I wasn't concerned… but that was before I knew that it could be bypassed.
  • Reply 47 of 47
    Quote:

    Originally Posted by SolipsismY View Post





    I came across a site yesterday that told me why Flash was out of date and then it downloaded a DMG onto my desktop.



    I don't have Flash installed on Safari nor would I be likely to click on that DMG, but I can see how many wouldn't hesitate. I've even included the sudoers check into my file for Terminal commands for when I inspect other people's Macs.



    Furthermore, occasionally I will install an app from an unknown developer to check out. I did this last week when looking for an app that will the video metadata HD tag for my iTunes content. If it asked for an admin password I would have been wary, but simply opening up in a secondary user account I wasn't concerned… but that was before I knew that it could be bypassed.



    Agreed.  I would have considered running something from a less trusted but not random source if it did not need to escalate.  Now I will need to think about a separate machine. 
