Apple Closes iSight Security Hole 213
Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (isight) web cam sees up to the server. I'm glad they fixed this quickly."
Keep their little heads in the sand. (Score:3, Insightful)
Fsck that..
Re:Security Hole? (Score:4, Insightful)
You know, it's funny. The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you. Maybe you just don't read clearly and you think Mac folks actually are saying it, or maybe you're just an AC trying to stir up discussion. So are you ignorant, or are you lying?
Give me a break (Score:4, Insightful)
Did any of you bother to try out the exploit? I just did... know what it does? It turns on that bright green LED right next to the camera, the one that tells you when it's on. It's pretty bright and when it turns on all of the sudden, you NOTICE. It then proceeded to crash my browser. Well it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.
True with proprietary software one just never knows for sure, but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother. Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.
Re:Security Hole? (Score:3, Insightful)
Fundamental design problem (Score:3, Insightful)
Apple's solution is the same as Microsoft's. Only "signed" applets can access this control now. The fundamental problem though, is that unsigned applets shouldn't be able to access anything outside of the standard Java classes. They need to stop making blacklists and whitelists of what controls are safe, and instead, make it so that no controls are safe.
Re:Why this is interesting (Score:3, Insightful)
It doesn't have to be long, that's the trick. This isn't a theoretical problem, it has actually happened multiple times with previous browser based exploits. One ad-based attack is estimated to have zombied over a million machines in the span of hours it was live for. This makes sense - ad networks serve millions of impressions per hour, and it can easily take several hours for them to respond and pull an ad, especially if it goes live in the middle of the night (or worse, the ad is designed to behave itself when loaded into the ad networks IP address range - I believe this has also happened).
See here for more details [infoworld.com]
Re:Security Hole? (Score:4, Insightful)
Re:Security Hole? (Score:1, Insightful)