|Home » Industry Watch
The Other Shoe
Apple 'fixed' their vulnerabilities - at application level. If you're using their own web apps, you're safer - sort of. If you're using anything else - Camino, Firefox, Thunderbird - you're still totally wide open.
As pointed out at this site last Thursday, there is a whale of a difference between a programming bug and a design flaw.
Programming bugs can be found and fixed; design flaws require more effort.
Apple's vulnerabilities with Oompa Loompa and its successors are not programming bugs. They're design flaws.
They're design flaws because Apple present a confused and contradictory facade to the user - an experience that can easily be exploited by 'social engineering'.
It was 'social engineering' that caused US$5.5 billion [sic] in damages with ILOVEYOU aka the Love Bug. 'Social engineering' isn't to be dismissed - nor are damages accrued through its use.
OS X has too many ways of identifying files which collectively fall far too short and for ordinary users too little information which could make up the slack. It has creator codes, file types, extensions, and 'usro' information stuffed inside resource forks and 'AppleDouble's - but draws no attention to POSIX file modes whatsoever.
It's the POSIX file mode which determines if a Unix script disguised as a JPEG will be able to run or not: the mode has to include an 'execute' bit relevant to the current user.
Finder's info panel will show the user all this information, but the task is then to constantly be on one's guard and check this panel for each and every file to be 'opened' - and for each and every time you open it.
Clearly this is not user-friendly; it's not even 'user-practical'.
If the bad guys want to sneak bad stuff on your machine, they're always going to have a chance. But if you want to be able to thwart them, you have to have a chance too.
Apple's 'fix' attempts to address these issues by adding code to the three applications iChat, Mail, and Safari. When a file is about to be opened and run, something called 'download validation' kicks in.
So you get a chance - but only if you're using Apple's own web applications. Otherwise you're still toast.
Firefox lovers, Camino adherents, Thunderbird users - forget it. You won't get a clue. You'll still be tricked. All Apple did was add code to three applications - they didn't address the design flaw at all.
Caveat downloader. Caveat OS X user.
Hyde Park Corner I
The Chocolate Tunnel
Peeking Inside the Chocolate Tunnel
Apple's 'Unix' Runs Arbitrary Code on Boot?
Input Managers — The Cure
OS X patch faces scrutiny
Trojan flaw persists in OS X
Experts Claim Security Flaw Remains
Apple criticised for persistent Trojan flaw