Re: Security concerns from 20050307 MacInTouch

On 10/6/06 22:57, in article 4f0thkF1h2kn1U1@xxxxxxxxxxxxxx, "Ian McCall"
<ian@xxxxxxxxxx> wrote:

I discovered this page while looking for something else completely.

<http://www.macintouch.com/security-finder.html>

... I wonder, with hindsight, do
experts think it was an issue after all? Do those experts think there
is still an issue of concern?

Not to bump myself up to the level of expert, but there's no security
issue there. The task requires you to set a scheduler item going, then
logout. You can only set a scheduled item going if you grant admin
rights (sudo access, ie. root). As root, you are and -should be- the
ultimate source of authority as to what goes on with that machine.

So nope, not a problem. Someone asked for a task to be set going with
root-level access, and they got exactly what they asked for.

Still, it helps point out to people what the admin password dialog is doing
and why. I would say 95% of my customers will just slap in their admin
password if something pops up and asks for it, no questions asked.

If I was writing a virus/trojan/malware all I'd do is craft the installer
window to say something like

"blahblah needs permission to open your keychain..." or "Flashplayer needs
to be updated, blah blah" or "Safari needs to download an updated Realplayer
componant" or anyone of a number of other things.

People would just do it. Bingo, you own them.

Any reason why that wouldn't work?

And it reminds me to get rid of that keychain unlock message on login that I
always authenticate so blithely.

.

Quantcast