Techsurvivors

Archives => 2006 => Topic started by: gunug on December 20, 2006, 09:39:01 AM

Title: iSight Security Hole plugged
Post by: gunug on December 20, 2006, 09:39:01 AM
Scary if you have an iSight and surf in the buff:

http://docs.info.apple.com/article.html?artnum=304916

I didn't log in to see this, but in case you have to:

QUOTE
Security Update 2006-008

    * QuickTime for Java, Quartz Composer

      CVE-ID: CVE-2006-5681

      Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8

      Impact: Visiting a malicious web site may lead to information disclosure

      Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform. Credit to Geoff Beier for reporting this issue.
Title: iSight Security Hole plugged
Post by: tacit on December 20, 2006, 04:13:53 PM
Only scary if you have an iSight, surf in the buff, AND have the iSight turned on and displaying inside a window. A malicious Java applet can't actually activate the iSight if it is not already on.

Basically, in English, this security vulnerability means that it could, in theory, be possible for a Java programmer to write a Java applet that will show him whatever is in any QuickTime window you happen to have open on your computer at the same time as you are running the Java applet. As security holes go, it's rather...farfetched.

(I remember one Apple security bug that was kind of interesting: if you had a network of Macs, *and* the Macs were all configured to get their list of users from a central LDAP server, *and* you had a BootP server on the same network, *and* an attacker could sit down in front of the BootP server and take control of it, *and* the attacker reconfigured the BootP server to send out corrupt BootP information, *and* someone using one of the Macs on the network restarted his computer, then the attacker could get the root password for that Mac. Talk about farfetched scenarios...but Apple fixed it anyway.)
Title: iSight Security Hole plugged
Post by: () on December 20, 2006, 11:32:40 PM
I put a piece of paper and tape over my eyesite cam on my iMac intelcore.

I really don't think people should be allowed to watch you through your iSight cam unless you give permission and connect directly to someone on the net.
Title: iSight Security Hole plugged
Post by: Gregg on December 21, 2006, 07:51:20 AM
My eysight ain't what it used to be, so I'm not too concerned...

See what I mean?
Title: iSight Security Hole plugged
Post by: tacit on December 21, 2006, 06:51:30 PM
QUOTE(Nutterbutter @ Dec 21 2006, 05:32 AM)
I put a piece of paper and tape over my eyesite cam on my iMac intelcore.

I really don't think people should be allowed to watch you through your iSight cam unless you give permission and connect directly to someone on the net.


People can't. Breathless hype aside, this security vulnerability does not mean that another person can take over and activate your iSight without your knowledge.

Also, the little green light next to the iSight will always be on if the iSight is on; if that light is off, the iSight is not even getting power. So you can relax.
Title: iSight Security Hole plugged
Post by: Xairbusdriver on December 21, 2006, 08:09:28 PM
QUOTE("tacit")
...the little green light next to the iSight will always be on if the iSight is on; if that light is off, the iSight is not even getting power...
Sure! That's easy for you to say/write! But how do the rest of us know that the little green light is not the real camera?! So covering up what looks like the lens won't help, anyway! It's all a conspiracy! They are out to spy on us! And now Apple is helping them! What next! Apple will force us to put all our applications in a single directory?
Title: iSight Security Hole plugged
Post by: gunug on December 21, 2006, 08:56:12 PM
QUOTE
Elisabeth Schwarzkopf?


What about her?
Title: iSight Security Hole plugged
Post by: Gregg on December 22, 2006, 07:50:19 AM
QUOTE(gunug @ Dec 21 2006, 08:56 PM)
What about her?


Good question. I think...
Title: iSight Security Hole plugged
Post by: Xairbusdriver on December 22, 2006, 02:17:49 PM
Had me there for a second, gunug! I thought I had posted in the wrong thread! Gregg, I think he meant to post in <this thread> to HighMac.
Title: iSight Security Hole plugged
Post by: Gregg on December 23, 2006, 02:34:01 PM
Must be that darn tabbed browser...