Re: New Patch Fixes 43 Flaws In OS X, Many Serious

"GreyCloud" <mist@xxxxxxxxxxx> wrote in message
news:jOWdnc7ffPS7T_bZRVn-tg@xxxxxxxxxxxxxx
Daniel Johnson wrote:
The answer has to do with how processes are started, inherit permissions
from the uid/gid, etc.

I don't think so.

Then you should prove your point then, rather than blather about 'I don't
think so.'

I think I've made my case; but this is not related to it. I
think the answer has not to do with how processes are
started, because I do not think that Timberwoof, or you,
have any answers.

Everything coming into any UNIX box thru a browser is automatically set
to read only.

This is not true. Try it yourself; download a text file
and then check to see if you can edit it.

But it is true.

It isn't. Try it.

You should investigate more carefully about this before going on any
further. You've been too closely tied to IE.

IE runs on the Mac.

Even if it were true, it woudl not help; read only
programs can be executed, and once running
can wreak havok.

Which means you are just guessing and don't know.

No; even if a browser were written that did mark all
downloads as read-only, it would do not good.

I have no idea why some Mac users think it would.

There is no need to alter anything
that was downloaded.

In IE you can download something and it will automatically execute it.

No; Mac acolytes seem terribly attached to this notion, but
it was never true. There have been exploitable bugs in IE,
but they didn't involve the user downloading things; they
were things that happened while browsing web pages.

(Which, if anything, is worse, but never mind that. :D )

Same for OE.

As a rule, what happens to OE is that it hosts IE to render
HTML mail, and if IE is exploitable, OE is too.

It's a lot like Apple's Mail and WebKit, actually.

I'd say that's why the certs recommend FireFox and Thunderbird over IE and
OE.

Interestingly, Safari has some trouble here. To this day it
still installs downloaded dashboard widgets for you.

This does not actually run them, but it makes it all to easy
to do by accident.

At least the "first run" warning actually works now.

Of course, Safari has also had a few bugs where downloaded
executables would run automatically, as well as the usual
buffer overflows and such.

An interesting point: Microsoft's much maligned "Registry"
displays an advantage here:

The auto-run-executable bugs that Apple has had are bugs in
the Finder, or in the launcher APIs. They happen because
Mac OS X tries to be very smart and figure out how to work
with an app automatically. This is why you don't need to
install some apps. But 'very smart' code is very complex and
there have been bugs in it. It can be tricked into running
things that it shouldn't.

The registry is much simpler: the keys that tell the OS
how to work with the app must be put there explicitly.
You must have an installer to do this, but the user must
explicitly *run* the installer. It won't be done for him.
There's no 'smart' auto-configuration, and no self-repair.

Once the keys are installed, then the OS may execute the
application automatically. But this cannot happen until the
installer runs. (And that's also a program so if it's malicious,
registry keys are the least of your worries).

[snip]
If it does not have the setuid bit set, then it inherits the uid/gid
of the process that starts it. The Finder process or the browser's
process or the Dashboard process might do this; all of these
have the user's uid and gid.

But it doesn't, so why go over something you don't know about?

They do have the user's uid and gid, of course. Most of
the recent Safari bugs are buffer overflows; injected code
will then run inside Safari with the user's uid and gid.

The auto-execute-downloaded-file bugs are Finder bugs,
and auto-exected files will be launched by the Finder, but
it's the same uid and gid.

What other would you expect?

Quite simple.

In your head it is. But in the real world it is rather complicated
mechanism. That's why there are books published about UNIX.

Well, I supose "complicated" is relative, after all...


.

Relevant Pages

  • Re: Graphic converter query - transparency
    ... I was thinking of castle. ... make your installer available; an ftp site isn't a software installer in ... size of TeX has to do with anything. ... So you are saying that everything in that download is directly useful? ...
    (uk.comp.sys.mac)
  • Re: UNABLE TO CHECK FOR UPDATES ON THIS COMPUTER
    ... "Office Hotfix Installer encounter a problem..." ... i did download the windows installer cleanup utility w/o ... >There are some known issues with the Office Update site. ... >1) Use a utility to clean out the Windows Installer data, ...
    (microsoft.public.officeupdate)
  • Re: An alternative to Product Activation
    ... dongles will be regarded as a serious option by Codegear. ... Either the user could provide a username and password at the ... which is somehow embedded into the installer prior ... to download, or Codegear would generate them for you (probably the ...
    (borland.public.delphi.non-technical)
  • Re: Is there a malware/virus in the form of a fake registry cleaner?
    ... | pop-ups wanting to fix 288 registry entries. ... | all - asks if you want to send the installer to the recycle bin --- SAY ... Execute; Multi_AV.exe ... FireWall to allow it to download the needed AV vendor related files. ...
    (alt.comp.anti-virus)
  • Re: Fiend reuntied
    ... >> somewhere on the Debian website is a single-CD installer. ... Download, burn, ... Type some of a valid file-name and then hit. ... Suprisingly handhi. ...
    (uk.rec.sheds)