Apple Closes iSight Security Hole
Gruber Duckie writes "Apple's security update 2006-008, posted yesterday, is a little more interesting than it sounds. According to information (and a demo!) posted at Macslash, the "information leak" mentioned in Apple's advisory actually makes it possible for a web site to send whatever your (iSight) web cam sees up to the server. I'm glad they fixed this quickly."
Would make for a GREAT security wake-up website (Score:5, Interesting)
What a great enhancement it would be for such websites to display a picture of the user at his computer! "We know you use a Mac, live in California and look like THIS!" Just one visit to such a site would go a LONG way to instilling a useful level of caution.
Re:Security Hole? (Score:5, Interesting)
In his book, 1984, George Orwell proposed the idea of television screens that also acted as camera and allowed a remote viewer to monitor whatever was going on in front of them.
In the year 1984, Apple Computers released an advert for the first Mac with the slogan 'Why 1984 won't be like 1984.'
In the year 2005, Apple Computers released the new iMac, a device with a display screen and integrated camera which allowed a remote viewer to monitor whatever was going on in front of it.
Am I the only one (Score:5, Interesting)
/View mode (Score:3, Interesting)
It was fairly common for someone to make a joke about how they were or were not dressed. A common reply was for someone else to type something like
and tell the group that he or she could now verify whether or not the first speaker had been telling the truth. Occasionally the first speaker would be naive and gullible enough to believe it.
Little did I know that
Re:Security Hole? (Score:3, Interesting)
While what you're saying might well be true, I really don't understand the logic. If MS released patches continuously as they were completed, how would this stop major corporations from testing and deploying them on a regular cycle? Couldn't the corporation equally well still have a "patch Tuesday" where they collect all the current, undeployed patches and begin the process of testing and deploying them? All patches that became ready later than that would be processed in the next cycle. If MS released patches as they were done, each company would have the option of using whatever patching cycle they see fit. What's the benefit of MS forcing everyone to use a specific patching cycle?
Re:Why this is interesting (Score:4, Interesting)
And actually, this has nothing to do with "integrating all (?) its OS components with the web browser". It has to do with QuickTime movies being able to be embedded in a web page, which is perfectly appropriate, and another supported feature of QuickTime, namely QuickTime for Java, being able to take instructions from a Java applet, like it was designed to do. None of these things are "bugs", but the confluence of them in this circumstance allows a malicious applet to take imagery from the camera via a Quartz Composer composition. This has ZERO to do with "integrating OS components" into the browser. This is all done via QuickTime and QuickTime for Java, which can be accessed via the browser. Oversight? Yes. Now fixed? Yes.
As for how long you think a malicious ad doing *anything* on a major network would survive, let's just say "not long". By that logic, you could make the same claim about things that install malware via browser vulnerabilities on any platform: "But what if you got this on a popular site?!?" Yeah, what if?
Re:Security Hole? (Score:4, Interesting)
So no - I heard this from an actual Apple employee that OSX is "perfectly secure".
To be honest, the only people I've heard this claim from are Apple sales people and Apple employees at conventions (I work for a software developer).
Re:Give me a break (Score:4, Interesting)
So all the high rated posts I see talk about how terrible Apple's security was, 1984 comes true, blah blah blah.
I don't see that as the character of the highly rated posts here.
While it may be possible that Apple carefully designed their hardware in such a way that the LED is software controlled and the camera is capable of invisibly monitoring people, there is no evidence to back those claims.
I strongly suspect that the LED is hardwired to the camera. That would be easy to do and makes sense from a design perspective. I'd be happier, however, if Apple provided some confirmation of this, rather than leaving us all to hope that is the case.
I think that would make them lousy designers, not big brother, unless there is also evidence that they are doing something with that anti-feature. I'm not happy, however, about assuming all is well unless it can be proved otherwise. I like openness in this regard rather than relying upon obscurity.
Honestly if that were possible then I'd dump this laptop in a heartbeat since it would require purposely designing it with that in mind.
That's not necessarily so. It could be they bought an off-the-shelf component without an indicator and wanted to tie its operation to the LED, but the interface was such that you couldn't just string it inline with the power without detrimental effects. So they put them both in and tied them in firmware or software and are hoping no one will figure out that it can be bypassed. That would explain their silence on the topic, although it could just be that no one who knows has realized people want to know or have doubts. I rarely use the iSight on my laptop and I did not pay for it anyway. If I feel it is a threat, a small square of metal and some electrical tape will take care of it.