|Home » Industry Watch » The Technological
Taking insecurity seriously.
Subject: Re: Arbitrary execution of code in 'InputManagers'
It's a 'trojan scenario'. You know that and we know that.
We also know people have beseeched you in the past to do something about this.
We also were fairly sure you'd claim 'works as designed' but we were obliged to try.
If OS X gets hit by an outbreak everyone loses - not only Apple users but others on other Unix platforms and even Windows users. They'll be less inclined to make the switch away from Windows and you know the Enderles and the Ballmers will be out en masse telling everyone what a leaky sieve OS X and Unix are. With all that taken into consideration, and reflecting on the wide open architecture of this 'feature' with the possibilities for 'swizzling' and who knows what other pranks, this seems is a light nonchalant attitude for the OS vendor to take. And it certainly undermines people's confidence in Apple's motto to 'take security matters seriously'.
This is the 'design flaw' that let ichatHack, mailHack, safariHack, Oompa Loompa, InqTana, and iAdware all through the door. How many proofs of concept are necessary? Must we really have a bona fide destructive worm outbreak before you reconsider your position that 'it works as designed'?
Please include the line below in follow-up emails for this request.
Thank you for filing this issue via Apple's bug reporting system. Apple takes every report of a potential security problem very seriously.
After examining your report we do not believe that the issue is a security vulnerability. Input Managers can only be installed by processes that already have the privileges of the authenticated user. In other words, arbitrary code execution is not possible unless the user is already running malware.
When filing a bug report, other Classification values are available to describe the type of issue: 'Performance', 'Crash or Data Loss', 'Serious Bug', 'Other Bug/Has Workaround', 'Feature (New)', and 'Enhancement'. We have changed the classification from 'Security' to 'Enhancement' to assist the engineering teams in handling this request.
If you have any questions or concerns please feel free to let us know.