Classic is down, but not out

Aaaaaw yeah.

Classic isn't going to go down without a fight, and even if you aren't using it, it wants to let you know it's still there...

Posted here, looks as though the trueblue application (which lets OSX display classic apps within OSX rather than in a windowed environment à la rhapsody) can be exploited to let malicious code run unwanted cron tasks, executed as root. Beeaaaautiful.

What kind of creeps me out is that the release date of the advisory is 02.14.2003, same day as 10.2.4... which fixes the issue. Kind of convenient...

Making me wonder if this was perhaps sat on by apple, going the security through obscurity route which microsoft and others have made famous, or if it was posted by atstake.com before this but just hasn't made news.

I've emailed DaveG. at @stake (who reported the exploit), and wonder if I'll hear back.

2003-02-18 01:30:25

=========================================

Update!

Dave just emailed me back within 3 hours to let me know that atstake and apple worked together on the issue...

...sooooooo I'm torn.

On the one hand, it really freaks me out that a company has a known, nasty security exploit and sits on it until they can push the fix out the door, since if anyone figures it out before that time, you can have a field day *cough* code red *cough*.

On the other hand, I do understand the issues behind wanting to do that, and why it can be a good idea in some cases. Plus the guy was upfront in his reply, and he did reply. Major gold stars for that.

Yep. Pretty much don't care. Going to be fun watching the mac websites going apeshite over it this morning because they actually have some news to report about the mac... ka-ching, ad revenue spike.

Posted by drunkenbatman
    February 18, 2003, at 06:30 AM

