Archives > 2006

iSight Security Hole plugged

(1/2) > >>

gunug:
Scary if you have an iSight and surf in the buff:

http://docs.info.apple.com/article.html?artnum=304916

I didn't login to see this but in case you have to:

QUOTESecurity Update 2006-008

    *

      QuickTime for Java, Quartz Composer

      CVE-ID: CVE-2006-5681

      Available for: Mac OS X v10.4.8, Mac OS X Server v10.4.8

      Impact: Visiting a malicious web site may lead to information disclosure

      Description: Java applets may use QuickTime for Java to obtain the images rendered on screen by embedded QuickTime objects and upload them to the originating web site. When this facility is used in conjunction with Quartz Composer, it becomes possible to capture images that may contain local information. This update addresses the issue by disallowing Quartz Composer compositions in unsigned Java applets. Quartz Composer compositions continue to function locally. Applications and signed Java applets that utilize QuickTime and QuickTime for Java are unaffected. This issue does not affect systems prior to Mac OS X v10.4. It also does not affect the Windows platform. Credit to Geoff Beier for reporting this issue.

tacit:
Only scary if you have an iSight, surf in the buff, AND have the iSight turned on and displaying inside a window. A malicious Java applet can't actually activate the iSight if it is not already on.

Basically, in English, this security vulnerability means that it could, in theory, be possible for a Java programmer to write a Java applet that will show him whatever is in any QuickTime window you happen to have open on your computer at the same time as you are running the Java applet. As security holes go, it's rather...farfetched.

(I remember one Apple security bug that was kind of interesting: if you had a network of Macs, *and* the Macs were all configured to get their list of users from a central LDAP server, *and* you had a BootP server on the same network, *and* an attacker could sit down in front of the BootP server and take control of it, *and* the attacker reconfigured the BootP server to send out corrupt BootP information, *and* someone using one of the Macs on the network restarted his computer, then the attacker could get the root password for that Mac. Talk about farfetched scenarios...but Apple fixed it anyway.)

():
I put a piece of paper and tape over my eyesite cam on my iMac intelcore.

I really don't think people should be allowed to watch you through your iSight cam unless you give permission and connect directly to someone on the net.

Gregg:
My eysight ain't what it used to be, so I'm not too concerned...

See what I mean?

tacit:
QUOTE(Nutterbutter @ Dec 21 2006, 05:32 AM) I put a piece of paper and tape over my eyesite cam on my iMac intelcore.

I really don't think people should be allowed to watch you through your iSight cam unless you give permission and connect directly to someone on the net.

People can't. Breathless hype aside, this security vulnerability does not mean that another person can take over and activate your iSight without your knowledge.

Also, the little green light next to the iSight will always be on if the iSight is on; if that light is off, the iSight is not even getting power. So you can relax.

Navigation

[0] Message Index

[#] Next page

Go to full version