Re: New Patch Fixes 43 Flaws In OS X, Many Serious



Daniel Johnson wrote:

"GreyCloud" <mist@xxxxxxxxxxx> wrote in message news:jOWdnc7ffPS7T_bZRVn-tg@xxxxxxxxxxxxxx

Daniel Johnson wrote:

The answer has to do with how processes are started, inherit permissions
from the uid/gid, etc.

I don't think so.

Then you should prove your point, rather than blather about 'I don't think so.'


I think I've made my case; but this is not related to it.

You haven't made any case.
First you had better understand how the kernel gives out unique process ids, and how they are tied to the user id.

I think the answer has not to do with how processes are
started, because I do not think that Timberwoof, or you,
have any answers.

Guffaw!!! Squirming away from the fundamentals of Unix won't do you any good. It just is the way things are handled in Unix.



Everything coming into any UNIX box thru a browser is automatically set to read only.

This is not true. Try it yourself; download a text file
and then check to see if you can edit it.

But it is true.


It isn't. Try it.

I did. And I doubt that you are telling the truth here.



You should investigate more carefully about this before going on any further. You've been too closely tied to IE.


IE runs on the Mac.


Yeah, 5.5 version from a long time ago.

And guess what... the kernel controls that process as well.
IE 5.5 does not equal IE 6.0. Matter of fact, IE 5.5 doesn't even resemble the M$ version at all. Where are the trojans for OS X?


Even if it were true, it would not help; read only
programs can be executed, and once running
can wreak havoc.

Which means you are just guessing and don't know.


No; even if a browser were written that did mark all
downloads as read-only, it would do no good.


That's what you think.
And it does do a great deal of good. It prevents malware from executing; seeing that the downloaded object has no id or user id available, the kernel will not execute it.

I have no idea why some Mac users think it would.


Why you think it won't is anybody's guess.


There is no need to alter anything
that was downloaded.

In IE you can download something and it will automatically execute it.


No; Mac acolytes seem terribly attached to this notion, but
it was never true. There have been exploitable bugs in IE,
but they didn't involve the user downloading things; they
were things that happened while browsing web pages.

(Which, if anything, is worse, but never mind that. :D )


Guffaw!! IE 6.0 has always executed stuff sent to it.
Don't know about IE 7.0, but that remains to be seen.
Ever have your browser hijacked while surfing?


Same for OE.


As a rule, what happens to OE is that it hosts IE to render
HTML mail, and if IE is exploitable, OE is too.

It's a lot like Apple's Mail and WebKit, actually.

But actually not.



I'd say that's why the certs recommend Firefox and Thunderbird over IE and OE.


Interestingly, Safari has some trouble here. To this day it
still installs downloaded dashboard widgets for you.


It does? I've never seen it do it.

This does not actually run them, but it makes it all too easy
to do by accident.


Heh. I have to go to apple for widgets and select the ones I want.

At least the "first run" warning actually works now.

Of course, Safari has also had a few bugs where downloaded
executables would run automatically, as well as the usual
buffer overflows and such.

Such as?


An interesting point: Microsoft's much maligned "Registry"
displays an advantage here:

The auto-run-executable bugs that Apple has had are bugs in
the Finder, or in the launcher APIs. They happen because
Mac OS X tries to be very smart and figure out how to work
with an app automatically. This is why you don't need to
install some apps. But 'very smart' code is very complex and
there have been bugs in it. It can be tricked into running
things that it shouldn't.

Such as?


The registry is much simpler: the keys that tell the OS
how to work with the app must be put there explicitly.
You must have an installer to do this, but the user must
explicitly *run* the installer. It won't be done for him.
There's no 'smart' auto-configuration, and no self-repair.


So? The registry is the one basket mechanism. If you drop the basket all your eggs are broken.

Once the keys are installed, then the OS may execute the
application automatically. But this cannot happen until the
installer runs. (And that's also a program so if it's malicious,
registry keys are the least of your worries).

[snip]

If it does not have the setuid bit set, then it inherits the uid/gid
of the process that starts it. The Finder process or the browser's
process or the Dashboard process might do this; all of these
have the user's uid and gid.

But it doesn't, so why go over something you don't know about?


They do have the user's uid and gid, of course. Most of
the recent Safari bugs are buffer overflows; injected code
will then run inside Safari with the user's uid and gid.


Do you know how a buffer overflow works?
This type of code and bug is easily fixed.

The auto-execute-downloaded-file bugs are Finder bugs,
and auto-executed files will be launched by the Finder, but
it's the same uid and gid.

What other would you expect?


I expect that you are wrong.
I've yet to have anything auto-execute on me from the internet.
This is where the id/gid process permissions come into play.


Quite simple.

In your head it is. But in the real world it is a rather complicated mechanism. That's why there are books published about UNIX.


Well, I suppose "complicated" is relative, after all...


To most windows users... yes, it is complicated.



--
Where are we going?
And why am I in this handbasket?
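An added illustration, not code from either poster, of the two points argued in the thread: whether a "read-only" download can be executed, and whose uid/gid a launched file runs with. It assumes a POSIX sh with chmod, id and mktemp; the "downloaded" file is a constructed stand-in written by the script itself.

```shell
#!/bin/sh
# Added example, not from the thread. Shows which mode bits gate execution
# and whose uid/gid a launched file inherits. Assumes POSIX sh, chmod(1),
# id(1) and mktemp(1); the "downloaded" file below is constructed here.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
FILE="$WORK/downloaded.sh"
cat > "$FILE" <<'EOF'
#!/bin/sh
printf '%s:%s\n' "$(id -u)" "$(id -g)"
EOF

# Returns 0 if the file runs after chmod to the given mode, non-zero otherwise.
# The kernel's execve() check is the execute bit, not the write bit: a
# "read-only" file (mode 444) is refused, while 555 (read-only plus execute)
# runs. Marking a download read-only therefore does not stop it executing;
# withholding the execute bit does.
can_exec_with_mode() {
    chmod "$1" "$FILE"
    "$FILE" >/dev/null 2>&1
}

# uid:gid reported by the launched file. With no setuid/setgid bit it simply
# inherits the launcher's ids, as the thread notes for Finder, Safari, etc.
launched_ids() {
    chmod 555 "$FILE"
    "$FILE"
}

# The launcher's own uid:gid, for comparison.
launcher_ids() {
    printf '%s:%s\n' "$(id -u)" "$(id -g)"
}

# Stand-alone demonstration.
if can_exec_with_mode 444; then echo "mode 444: ran (unexpected)"; else echo "mode 444: refused"; fi
if can_exec_with_mode 555; then echo "mode 555: ran as $(launched_ids)"; fi
echo "launcher is $(launcher_ids)"
```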