Author Topic: iSight Security Hole plugged (Read 7968 times)

gunug · « **on:** December 20, 2006, 09:39:01 AM »

Scary if you have an iSight and surf in the buff:

http://docs.info.apple.com/article.html?artnum=304916

I didn't login to see this but in case you have to:

QUOTE

Security Update 2006-008

*

QuickTime for Java, Quartz Composer

CVE-ID: CVE-2006-5681

Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8

Impact: Visiting a malicious web site may lead to information disclosure

Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform. Credit to Geoff Beier for reporting this issue.

tacit · « **Reply #1 on:** December 20, 2006, 04:13:53 PM »

Only scary if you have an iSight, surf in the buff, AND have the iSight turned on and displaying inside a window. A malicious Java applet can't actually activate the iSight if it is not already on.

Basically, in English, this security vulnerability means that it could, in theory, be possible for a Java programmer to write a Java applet that will show him whatever is in any QuickTime window you happen to have open on your computer at the same time as you are running the Java applet. As security holes go, it's rather...farfetched.

(I remember one Apple security bug that was kind of interesting: if you had a network of Macs, *and* the Macs were all configured to get their list of users from a central LDAP server, *and* you had a BootP server on the same network, *and* an attacker could sit down in front of the BootP server and take control of it, *and* the attacker reconfigured the BootP server to send out corrupt BootP information, *and* someone using one of the Macs on the network restarted his computer, then the attacker could get the root password for that Mac. Talk about farfetched scenarios...but Apple fixed it anyway.)

() · « **Reply #2 on:** December 20, 2006, 11:32:40 PM »

I put a piece of paper and tape over my eyesite cam on my iMac intelcore.

I really don't think people should be allowed to watch you through your iSight cam unless you give permission and connect directly to someone on the net.

Gregg · « **Reply #3 on:** December 21, 2006, 07:51:20 AM »

My eysight ain't what it used to be, so I'm not too concerned...

See what I mean?

tacit · « **Reply #4 on:** December 21, 2006, 06:51:30 PM »

QUOTE(Nutterbutter @ Dec 21 2006, 05:32 AM) <{POST_SNAPBACK}>

I put a piece of paper and tape over my eyesite cam on my iMac intelcore.

I really don't think people should be allowed to watch you through your iSight cam unless you give permission and connect directly to someone on the net.

People can't. Breathless hype aside, this security vulnerability does not mean that another person can take over and activate your iSight without your knowledge.

Also, the little green light next to the iSight will always be on if the iSight is on; if that light is off, the iSight is not even getting power. So you can relax.

Xairbusdriver · « **Reply #5 on:** December 21, 2006, 08:09:28 PM »

QUOTE("tacit")

...the little green light next to the iSight will always be on if the iSight is on; if that light is off, the iSight is not even getting power...

Sure! That's easy for you to say/write! But how do the rest of us know that the little green light is not the real camera?! So covering up what looks like the lens won't help, anyway! It's all a conspiracy! They are out to spy on us! And now Apple is helping them! What next! Apple will force us to put all our applications in a single directory?

gunug · « **Reply #6 on:** December 21, 2006, 08:56:12 PM »

QUOTE

Elisabeth Schwarzkopf?

What about her?

Gregg · « **Reply #7 on:** December 22, 2006, 07:50:19 AM »

QUOTE(gunug @ Dec 21 2006, 08:56 PM) <{POST_SNAPBACK}>

What about her?

Good question. I think...

Xairbusdriver · « **Reply #8 on:** December 22, 2006, 02:17:49 PM »

Had me there for a second, gunug!

I thought I had posted in the wrong thread! Gregg, I think he meant to post in <this thread> to HighMac.

Gregg · « **Reply #9 on:** December 23, 2006, 02:34:01 PM »

Must be that darn tabbed browser...

News:

Author Topic: iSight Security Hole plugged (Read 7968 times)