Has anyone noticed that Apple seems to be issuing a whole heckuva lot of security updates lately? Honestly, it got to the point where we just stopped mentioning them, because if you folks are half as sick of seeing them pop up in Software Update as we are, you definitely don't want to hear us yakking on about them, too, especially if they aren't fixing anything major and/or dramatic. (Hence our total non-coverage of Security Update 2004-09-07: "Privileged programs using CoreFoundation can be made to load a user supplied library"? Zzzzzzzz...)
So we were all prepared to ignore Security Update 2004-09-16 as well, until we noticed that it only patched a single application-- and that application was iChat. Since we'd never known iChat to be exactly plagued by security holes before (and certainly not any urgent enough to justify taking up a whole security update all by its lonesome barely a week after the last security update), we figured we should take a look and see what scary sort of Microsoftian security chasm was gaping in front of hapless iChat users that would certainly swallow them whole and send them plummeting to their doom.
It's the least we can do for the hapless. After all, those poor guys don't have any hap.
Well, we did a little poking around, and found Apple's explanation of just what this update fixes. Apparently, if you're using iChat on an unpatched system, "remote iChat participants can send 'links' that can start local programs if clicked." So there you are, iChatting away with, let's say, faithful viewer Richard Casey-Whiteman, when he says, "Hey, click to see a web site with a great picture of Anna Kournikova shucking oysters!!!" And of course, you click, expecting Safari to pop up and show you the comely tennis player perpetrating violence upon a bucket of bivalves-- but instead, TextEdit launches! Noooooooooo!!!
That's... that's it?
Wow. Um, well, technically we can't consider that much of a threat, unless you're in the habit of keeping applications on your hard drive like ReformatStartupDiskWithoutAsking.app. Details of the exploit are understandably absent, but we suppose maybe iChat allowed Terminal to be launched with a command to execute, like "rm -r ~/*" or some other unfun ultra-destructive UNIX ickiness, but we tend to think that Apple-- or someone else-- would have mentioned that. In any case, Apple's fix for this issue was to make such links open a Finder window containing the linked app instead of actually launching it.
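The fix Apple describes boils down to a link-handling policy: a link from a remote buddy is never allowed to launch a local program, only to reveal it. The snippet below is an added illustration of that policy, written for this page and not taken from iChat or any Apple code; the function name `classify_chat_link`, the allowlist of browser schemes and the sample messages are all constructed here. It sorts incoming links into three buckets: ordinary web links go to the browser, local-file links are revealed in a file-manager window rather than executed (the behaviour the update introduced), and anything else, including custom URL schemes that the OS might have bound to a local program, is refused.

```python
from urllib.parse import unquote, urlparse

# Schemes a chat client is willing to hand to the web browser (assumed allowlist).
BROWSER_SCHEMES = {"http", "https"}


def classify_chat_link(link: str) -> tuple[str, str]:
    """Decide what to do with a link received from a remote chat participant.

    Returns (action, target) where action is one of:
      'browser' - open the URL in the web browser
      'reveal'  - show the local item in a file-manager window, never launch it
      'refuse'  - do nothing; the link is not something a remote party may trigger
    """
    link = link.strip()
    parsed = urlparse(link)
    scheme = parsed.scheme.lower()

    if scheme in BROWSER_SCHEMES:
        return "browser", link

    if scheme == "file":
        # Only the local host may be revealed; a file link pointing at a
        # remote share is refused rather than mounted or browsed.
        if parsed.netloc not in ("", "localhost"):
            return "refuse", link
        return "reveal", unquote(parsed.path)

    if scheme == "" and link.startswith("/"):
        # A bare absolute path with no scheme is treated as a local file too.
        return "reveal", unquote(link)

    # Every other scheme (javascript:, custom app schemes, mailto:, ...) is
    # refused: the client has no way of knowing what program it is bound to.
    return "refuse", link


def triage_messages(messages: list[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Run the policy over (sender, link) pairs and report (sender, action, target)."""
    return [(sender, *classify_chat_link(link)) for sender, link in messages]


if __name__ == "__main__":
    # Constructed sample traffic, in the spirit of the article's example.
    sample = [
        ("buddy", "https://example.com/kournikova-oysters.jpg"),
        ("buddy", "file:///Applications/TextEdit.app"),
        ("buddy", "/Applications/Stickies.app"),
        ("buddy", "file://fileserver.example/share/evil.app"),
        ("buddy", "x-custom-launcher://run-something"),
    ]
    for sender, action, target in triage_messages(sample):
        print(f"{sender}: {action:7s} {target}")
```

The important design choice is that the "reveal" branch returns a path for the file manager and nothing more: no branch ever calls out to the shell or launches the target, so the worst a malicious buddy can do is make a Finder window appear.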
So Windows users get a security hole that affects multiple versions of Windows plus several Microsoft applications and lets Wintel users get infected with nasty data-destroying viruses simply by looking at a picture, whereas we get a security update because an iChat buddy can send you a link that will launch Stickies. Oh, the inequity of it all...