Paul Schmehl wrote:
> --On Thursday, March 02, 2006 08:57:18 +1100 [EMAIL PROTECTED] wrote:
>>
>> Sorry to spoil everyone's fun.
>> <http://docs.info.apple.com/article.html?artnum=303382>
>>
>> Maybe, just maybe, Apple are actually better (able/positioned) to
>> respond quickly to vulnerabilities before the exploits in-the-wild
>> affect more than 50 people? Who knows.
>>
> It doesn't look like it. They seem to have addressed the
> vulnerability as it applies to Safari, but not the underlying
> vulnerability.
I don't know how you deduce that Z was referring to the Safari problem(s),
I thought it might have been the one about the mailer failing to warn for
some unsafe attachment types.
>If I send you an email, with a zip attachment (naming
> and extension is irrelevant), and I can get you to attempt to open
> the attachment (fairly trivial with many users), I can execute
> abitrary code on your machine. The only "restriction" is that, if I
> attempt to execute code that requires admin privileges, I'd have to
> convince you to type in your password (again, fairly trivial for most
> users.)
Exactly. Some of the most successful viruses recently have arrived inside
encrypted zip files, with a GIF as an attachment, that contains a password
in graphical format, and the user has to open the gif attachment and note
down the password and open the zip and enter the password and extract the
executable and run it.
And they /did/, in their droves.
No matter what kind of protection Apple put in place, no matter how
quickly they fix drive-by-install vulnerabilities, no matter how big the
warning dialog that mail pops up when it detects executable files and even
if it isn't spoofable - people will still do it.
cheers,
DaveK
--
Can't think of a witty .sigline today....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
