So there’s a security flaw in Mac OS X that hasn’t been patched by Apple yet. I’ve seen three references to it so far, and they all use phrases like “highly critical”, “serious” or “extremely important”.
BoingBoing says, for example:
… you absolutely must follow the instructions in this post to block a really serious attack that Apple hasn’t patched …
I understand that bad things could happen if some nasty person takes advantage of the exploit. But here’s my question: has anything happened to anyone at all? Apple has known about this since February. Has there been a single actual case of this thing being maliciously exploited? This is like CNN reporting breaking news of a disease outbreak without a single mention of how many people are afflicted.
Identifying and preventing potential attacks is surely important, but shouldn’t we put these things in perspective?
But - but - but - if you follow that logic, then all of those core Windows security holes shouldn't be called 'critical' until after they're exploited, either. As I understand it, the issue is one of potential - regardless of whether an exploit has appeared 'in the wild' or not, there's a gaping (and relatively easily fixed) hole in the OS. The potential damage is what rates the hype.
Would you have the same attitude if MS had decided to sit on a known XP security flaw for three months, just because it hadn't been exploited yet? I know Apple isn't as experienced with these things as MS, who seem to issue a new security fix at least a couple times a month, but one of the keys of computer security is that you fix flaws when they become known and a solution or patch is developed. "It isn't a big deal, no one's been affected" isn't really an adequate response.
To use your CNN/disease analogy, it would be roughly like saying "We've discovered some ebola virus lying around in Atlanta - we think it somehow got out of the Centers for Disease Control - but no one's gotten sick from it, so we're not in a big rush to clean it up."
if you follow that logic, then all of those core Windows security holes shouldn't be called 'critical' until after they're exploited, either.
Windows is a different beast. How often do you clean your Mac of viruses and spyware? <quickly steps away from Windows/Mac fireworks>
To use your CNN/disease analogy, it would be roughly like saying "We've discovered some ebola virus lying around in Atlanta - we think it somehow got out of the Centers for Disease Control - but no one's gotten sick from it, so we're not in a big rush to clean it up."
Where does a disease lie around?
What I'm trying to say is that you can't fall into a hole that isn't in your way. Yes, holes should be patched. But what site is going to use this exploit, and how am I going to end up there? Yes, it's a problem, but I'm not going to lose any sleep over it.
With that logic, we would have no need to destroy Iraq!
;o)
Apple should fix this, though. This one is nasty.
================================
(insert my new 37sig sig/request...)
Can you get the Firefox, can't-scroll-left-to-see-rest-of-SVN-bug fixed? You need to give your body a min-width = to the width of the container DIV (min-width: 766px).
================================
Usually after a flaw like this is reported, lots of hackers around the world set to work figuring out ways to exploit it before a patch is issued. And with so many Mac owners smugly proclaiming the Mac's general immunity to viruses and other attacks that plague Windows users, I bet there are some hackers out there who would be more than happy to put some egg on their faces. Yes, virus writers usually ignore Macs because they're such a small piece of the pie and barely worth the effort, but that famous attitude of superiority among certain Mac evangelistas is bound to backfire somehow.
Brad:
OSX is not immune. Never has been. OS9 was fairly immune (in comparison to Windows).
It's also true that one reason virii are written for Windows is that there are more of them. Another reason is that Windows is a mess and allows programmers to patch code into all sorts of nooks and crannies that I really wouldn't want others poking into. So it's a bit of both.
You don't think this is serious? _Try_ to imagine a more serious security flaw, I dare you!
I completely agree that people get their knickers in a bunch rather too quickly about these issues, whether it be Mac or Windows. The Windows cult has been kicked in the shins over and over with this type of over-reaction and now it seems the Mac cult is getting a taste by the same reactionary, "if the sky isn't falling it doesn't make good news" media fundamentalists.
Nothing has caught on fire, no one has lost thousands of dollars, babies aren't being born with horns and cloven hooves, so I'd definitely not consider it critical.
Hackers know better - there's no power, glory or even profit in messing with the paltry amount of users who prefer Macs. I can still sleep with both eyes wide shut.
Have you actually tried the harmless but scary demo? You can find it here:
http://bronosky.com/pub/AppleScript.htm
I find it very scary.
/Guan
I find it highly amusing to see people argue not to fix something or make noise about it not being fixed because it hasn't hurt anyone yet or hasn't "caught fire."
Would people take that attitude with anything other than computer security?
Oh, don't bother with those fire doors, alarms and sprinklers. The building isn't burning, is it?
Oh, don't fix those corroded engine mounts; it's not like the engine is falling off the plane as it flies.
Etc.
And unlike many security defects, this one is super trivial to build a nasty exploit with. Making a buffer overrun hole do something mean can involve a fair amount of skill and work, but this OS X hole a trivial amount of knowledge can let you build a web page that will eat all of a user's documents. Or worse.
Kind of scary to think that any link you follow could eat your data. That's a big scary hole.
Kind of scary to think that any link you follow could eat your data. That's a big scary hole.
Sure.
Maybe I'm an anomaly, but I very rarely visit sites that I don't already "know" or haven't been linked to by a site I trust. How will you get to this scary link? What page will have it? This is the practical approach I'm talking about. If that link is never in front of you, it has no potential to harm you.
Maybe I'm an anomaly, but I very rarely visit sites that I don't already "know" or haven't been linked to by a site I trust.
Clearly you don't have a teenager in the house. My girlfriend's 14-year-old daughter clicks on everything; I ran Spybot on her Windows computer a couple of weeks ago and it eliminated 64 spyware programs from her machine.
She's an extreme case (in more ways than one), but my impression is that lots of people tend to be pretty indiscriminate when it comes to following links.
Nah, Apple knows hackers can't afford to buy a system with the latest OS X revision, so you're pretty safe ;)
Not sure if it's a possibility, but what about it getting embedded in HTML emails? That's how most of the Windows ones seem to get around.
The attitude of this post is a bit aloof and ignorant. It's that kind of attitude that leaves you open, not immune.
Here's a little more sane analysis (read: factual) than the bronosky.com analysis.
http://www.euronet.nl/~tekelenb/playground/security/diskURLscheme/
and now Apple has released an update for this problem
Looks like they thought it was pretty serious, too
shut up now?