
Apple Closes iSight Security Hole

Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash, the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (iSight) web cam sees up to the server. I'm glad they fixed this quickly."

  • by delire ( 809063 ) on Wednesday December 20, 2006 @10:58AM (#17312440)
    Got to love the idea of using an OS whose scope of security vulnerability needs to be 'leaked' to be known.

    Fsck that..
  • Re:Security Hole? (Score:4, Insightful)

    by djh101010 ( 656795 ) * on Wednesday December 20, 2006 @12:28PM (#17313710) Homepage Journal
    That's going to keep me laughing a long time. ESPECIALLY at the mac zealots out there (those who believe it was the perfectly secure OS,

    You know, it's funny. The ONLY people I ever see who say "perfectly secure" or "bulletproof", are people like you. Maybe you just don't read clearly and you think Mac folks actually are saying it, or maybe you're just an AC trying to stir up discussion. So are you ignorant, or are you lying?
  • Give me a break (Score:4, Insightful)

    by CODiNE ( 27417 ) on Wednesday December 20, 2006 @01:16PM (#17314356) Homepage
    So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.

    Did any of you bother to try out the exploit? I just did... know what it does? It turns on that bright green LED right next to the camera, the one that tells you when it's on. It's pretty bright and when it turns on all of a sudden, you NOTICE. It then proceeded to crash my browser. While it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.

    True with proprietary software one just never knows for sure, but honestly let's see someone figure out how to take a picture or make a movie without the light coming on, THEN we can start calling Apple Big Brother. Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.
  • Re:Security Hole? (Score:3, Insightful)

    by TheRaven64 ( 641858 ) on Wednesday December 20, 2006 @01:30PM (#17314540) Journal
    The original iSight had a physical shutter. When the camera was turned off, the shutter closed. You could look in the end and see that it was impossible to take a picture. I don't understand why something like this wasn't included with the built-in one; a simple slider over the front would have done the trick...
  • by MobyDisk ( 75490 ) on Wednesday December 20, 2006 @02:37PM (#17315426) Homepage
    People who think Apple is safe by design need to take a hard look at this vulnerability.

    Description: Java applets may use QuickTime for Java to obtain the images...
    This is just like the classic Microsoft/ActiveX type of problems. They exposed a control to web pages then realized, after the fact, that the control could do things they didn't intend. It's just like how MS Office was exposed via VBScript/JScript. And just like how Firefox exposed XUL commands. So now Apple exposed native controls via Java.

    Apple's solution is the same as Microsoft's. Only "signed" applets can access this control now. The fundamental problem though, is that unsigned applets shouldn't be able to access anything outside of the standard Java classes. They need to stop making blacklists and whitelists of what controls are safe, and instead, make it so that no controls are safe.
  • by IamTheRealMike ( 537420 ) on Wednesday December 20, 2006 @02:48PM (#17315562)
    As for how long you think a malicious ad doing *anything* on a major network would survive, let's just say "not long".

    It doesn't have to be long, that's the trick. This isn't a theoretical problem, it has actually happened multiple times with previous browser based exploits. One ad-based attack is estimated to have zombied over a million machines in the span of hours it was live for. This makes sense - ad networks serve millions of impressions per hour, and it can easily take several hours for them to respond and pull an ad, especially if it goes live in the middle of the night (or worse, the ad is designed to behave itself when loaded into the ad network's IP address range - I believe this has also happened).

    See here for more details [infoworld.com]

  • Re:Security Hole? (Score:4, Insightful)

    by Moofie ( 22272 ) <lee AT ringofsaturn DOT com> on Wednesday December 20, 2006 @03:11PM (#17315852) Homepage
    And you should always take every word that comes out of a salesperson's mouth as the gospel truth, and not apply common sense ever.
  • Re:Security Hole? (Score:1, Insightful)

    by Anonymous Coward on Wednesday December 20, 2006 @03:25PM (#17316012)
    Follow the thread. He responded to someone who claimed that someone is either ignorant or lying if they think there are people making claims like "hacker proof". Salesperson or not, this refutes the "ignorant or lying" charge. He explicitly mentioned he was doubtful of the claim.
