As the Apple Turns    About    Reruns    Contact    Preferences Sun 7:18 AM

At Last, The End Of An Error (5/21/04)
SceneLink
 

Folks, we don't want to send you off into your weekend all alarmed and stuff, but we just wouldn't feel right if we didn't remind you one more time that this latest Mac OS X security hole is the Real Deal™. It's understandable if you're still playing the part of a skeptical villager, given how often people have cried wolf by playing up Mac security flaws that turn out to be all theory and no practice; that executable-code-in-MP3-ID-tags one, for example, was pretty nifty and definitely clever, but apparently a little too academic for anyone to bother exploiting for real-- and yet there was all sorts of hubbub over someone having finally found a major Mac OS X hole, the sky was falling, life as we knew it would never be the same, yadda yadda yadda.

Or what about security flaws that aren't flaws at all, like that Trojan that was just an executable AppleScript with a custom icon slapped on top? It's not a security problem with the operating system if someone lies to you about what a program does, just like it's not the architect's fault if someone tells you that jumping off a skyscraper's roof won't kill you much. But of course, the media loves grasping at every straw it can find in hopes of convincing people that Mac OS X is no more secure than Windows-- which is sort of like saying that sand is no less wet than water, but hey, whatever fries their bacon.

But this Help Viewer vulnerability, well, like we said, it's genuine, and easy enough to exploit that a sleep-deprived monkey with attention deficit disorder could do it. Indeed, WIRED reports that tossing together an exploit is so gosh-darned simple that "malicious script kiddies" are falling all over themselves to do it, and the "outburst of scripts and applications designed to exploit the hole" since it became well-known on Tuesday has prompted Secunia to upgrade the severity of the hole from "Highly Critical" to "Extremely Critical"-- which is, of course, just a little ironic, since the sudden proliferation of exploits is a direct result of Secunia having publicized the flaw in the first place. Ain't it always the way?

Anyway, it's worth mentioning that the two-part exploit to which we originally linked may have implied that you need to download a disk image before your system can be messed with, which is not at all the case. For a clearer picture of what's going on, check out Richard Bronosky's harrowing demonstration-- no disk image involved, and just visiting the page causes Terminal to start spewing data on your disk usage. Basically, if someone knows the location of a script on your hard disk, they can throw together a web page that'll cause it to run automatically. That's probably not all that dangerous, since scripts that ship as part of Mac OS X aren't likely to be destructive in any way, and Bronosky wasn't able to execute UNIX commands with command line arguments, so you can't send, for example, the UNIX command to delete all files, etc.

So the disk image part of the equation just provides the Bad Guys with a convenient way to stick evil scripts onto your system in a known location-- which is a pretty important step if they're trying to do something seriously evil, of course, but control freaks will hate just knowing that the Help Viewer bug alone gives people a certain level of access to what's happening on their systems. If you're anything like us (heaven help you), you still get the screaming mimis just knowing that random people can, for example, minimize all your Finder windows. (If you visited Bronosky's page first, you may need to quit Help Viewer before that link will work, but you get the idea.)

Well, good news: faithful viewer jeffNOTjon informs us that Apple has finally moved past the "We Take Security Very Seriously™" stage of its investigation. Security Update 2004-05-24 (for Panther; there's also one for Jaguar) is now available for your Help Viewer-patching enjoyment, and while it claims to deliver "a number of security enhancements," we strongly suspect that that number is "one." In fact, the update's list of updated components consists of, well, Help Viewer (plus Terminal for Jaguar), so you can be pretty sure of what this thing does. Apply it, and start working on rebuilding that Wall o' Mac Smug you've been sitting on top of for all these years.

 
SceneLink (4710)
And Now For A Word From Our Sponsors
 

Mash-ups and original music by AtAT's former Intern and Goddess-in-Training

Prim M at YouTube
 

The above scene was taken from the 5/21/04 episode:

May 21, 2004: Apple patches that scary Help Viewer security flaw, apparently before any real damage was done. Meanwhile, a company rep describes the Xserve RAID as "the iPod for the enterprise market," which may reveal more about the people running Big Business than you really want to know...

Other scenes from that episode:

  • 4711: 0.9 M Songs In Your Pocket (5/21/04)   You know, for the most part, we like to think of ourselves as pretty shrewd students of human behavior, but we admit that there are still certain segments of the population whose actions and motivations confound us...

Or view the entire episode as originally broadcast...
Vote Early, Vote Often!
Why did you tune in to this '90s relic of a soap opera?
Nostalgia is the next best thing to feeling alive
My name is Rip Van Winkle and I just woke up; what did I miss?
I'm trying to pretend the last 20 years never happened
I mean, if it worked for Friends, why not?
I came here looking for a receptacle in which to place the cremated remains of my deceased Java applets (think about it)

(1247 votes)

Like K-pop, but only know the popular stuff? Expand your horizons! Prim M recommends underrated K-pop tunes based on YOUR taste!

Prim M's Playlist

DISCLAIMER: AtAT was not a news site any more than Inside Edition was a "real" news show. We made Dawson's Creek look like 60 Minutes. We engaged in rampant guesswork, wild speculation, and pure fabrication for the entertainment of our viewers. Sure, everything here was "inspired by actual events," but so was Amityville II: The Possession. So lighten up.

Site best viewed with a sense of humor. AtAT is not responsible for lost or stolen articles. Keep hands inside car at all times. The drinking of beverages while watching AtAT is strongly discouraged; AtAT is not responsible for damage, discomfort, or staining caused by spit-takes or "nosers."

Everything you see here that isn't attributed to other parties is copyright ©,1997-2024 J. Miller and may not be reproduced or rebroadcast without his explicit consent (or possibly the express written consent of Major League Baseball, but we doubt it).