Remote iChat Exploit Patched 55
99BottlesOfBeerInMyF writes "Apple has released a security update to patch a hole in iChat. Apparently, correctly crafted links sent via iChat can execute programs if the path is known. If this allows for command line attributes to be included, it could be a pretty big hole; although it would still require some social engineering. The Apple description is here."
Re:social engineering (Score:5, Insightful)
Do you click on unsolicited links from strangers? Wow, I guess IM Spam *is* effective after all.
The FA says that it now opens a finder window to where the program is. A user could tell a person to click on a "link" and the click on a "link" in the resulting window.
What? This is not Windows, where Internet Explorer == Windows Explorer. Finder is a completely distinct application from Safari or any other web browser. It does not display links, it displays files. This is extremely clear to even a poor, intellectually challeged 'Mac-user'.
Re:social engineering (Score:5, Funny)
you wouldn't believe how easy it is. whenever new users come into the "panther" chatroom using ichat, they are told to hit command-L for a list of other chatrooms. 80% fall for it. some repeatedly; they come back and ask for the key combo again, figuring they entered it wrong the first time.
Re:social engineering (Score:5, Funny)
Doesn't Work... (Score:2)
Re:Doesn't Work... (Score:3, Informative)
All I want to know is... (Score:5, Interesting)
Re:All I want to know is... (Score:5, Informative)
Re:All I want to know is... (Score:5, Interesting)
Re:All I want to know is... (Score:5, Insightful)
#1 It's rude for the OS to just instantly reboot the machine. It just makes a STRONG suggestion to reboot. What if you have unsaved work that you really NEED to finish now? At least the OS is not crippled during the install.
#2 Rather than risking the probability that a process doesn't HUP properly, it's safer for Apple just to reboot the Mac so that simple Mac users will get a proper reset of all processes. Helps avoid customer service issues if a HUP doesn't go correctly. Advanced users can usually avoid a reboot and just restart the process that was affected.
Re:All I want to know is... (Score:5, Insightful)
It may be poor design to you, but to the majority of users it is no big deal. In fact, it is safer to reboot than to have to script a process hangup which may involve other running applications, which could get messy. Now, the installer does not force you to reboot, it merely puts up a modal dialog that a reboot is required for changes to take affect, which you can dismiss until you feel like returning to it to click "Reboot"
Re:All I want to know is... (Score:5, Funny)
Re:All I want to know is... (Score:2)
Nor that he was another grammar nazi. Hail, brother!
-fred
But ... but ... but... (Score:5, Funny)
Re:But ... but ... but... (Score:1)
Though ever since MS started holding back patches as part of their "security initiative" marketing ploy, they have been coming slower... who the hell cares about uptime if your box gets pwned as a result of MS's marketing department?
Re:All I want to know is... (Score:2)
I would think a "hit this button to quit iChat" may be confusing to beginner users so that solution is out.
Obvoiusly a way to seamlessly quit the current iChat and start a new one would be ideal, but I'm not sure if it is worth the time it would take to develop such a solution.
Re:All I want to know is... (Score:2)
I could be wrong but if iChat is currently running it does not shut it down, because it doesn't affect a running app since its instance is already loaded in RAM and stays there until the user quits it. It only affects the binary that is on the hard drive.
This is how Safari (or any other normal app
Re:All I want to know is... (Score:5, Informative)
Then let me ask another question... (Score:2)
Why isn't this in the information about the vulnerability?
If what you've said is true, Apple should mention it so people who don't use iChat know it's an important update for them.
However, I'll assume you're wrong. Apple would at least mention Safari and Mail in the Impact and Availability sections of the Security Update if it was a general problem handling URLs.
Re:All I want to know is... (Score:5, Informative)
No, it replaced a private framework.
Lots and lots of other programs could potentially use it.
No, only iChat and Mail use it. Any program that link against it is relying on an unpublished API.
Someone please mod parent DOWN, and also mod down the guy asking to mod the parent UP.
Wow... (Score:5, Funny)
Re:Wow... (Score:5, Informative)
Not complaining, just wondering (Score:3, Informative)
But I brought up the fact that the last Update, "Security Update 2004-09-07" reappears in the Software Update list as a required update, even if you've already installed it (which I did on the 7th), and that this update (the last one) breaks your ftp server if you happened to be running one. The ftp server is fixed by adding a
Re:Not complaining, just wondering (Score:5, Informative)
It would be interesting to hear how this round of updates came about.
Re:Not complaining, just wondering (Score:1)
Re:Not complaining, just wondering (Score:5, Informative)
In an Apple page on the 1.1 version of the Security Update [apple.com], they explicitly note that the 1.1 version "fixes the following issues in Security Update 2004-09-07 v1.0:"
So that people who installed the 1.0 version get offered the 1.1 version, and can get their FTP server and their ability to go to sites that think that a browser version string containing "Netscape" and "4." means the browser is Netscape 4.
Windows Geeks are Hermaphrodites (Score:1, Funny)
So how long until "Chicks With Dicks 25" comes out anyway? Randall preordered that thing ages ago.