PLEX86  x86- Virtual Machine (VM) Program

New Patch Fixes 43 Flaws In OS X, Many Serious 2134



There is no need to "trace" anything back to root.

Unix processes form a tree rooted at init; but this is a consequence of several other behaviors. When a Other Unix processes are created by already-extant processes; and no process can be deleted until every process it has created has been deleted.


From these facts we may deduce that they form a tree.

Why we should *care* about this is another question.

snip

Everywhere! :D

I cannot believe you would mistake me for a Mac advocate!

snip

Very good. So it is *not* read-only, and your repeated claims that downloaded files are always read-only is false.

What on earth does this mean?

I do not perceive it. Can you identify it for me?

snip

That's the biggest security problem on Windows, but some of the malware that has appeared could also spread in other ways.

snip

They are very rare.

Wow man... lookit the colors!

snip

What a remarkable demand.

Shall I also prove that the sky is blue?

Perhaps tomorrow.

Today, why not prove you can run read-only programs by running one.

It's easy; log in as a standard user and *run any program in the Applications folder*. All are read-only for standard users. And they work fine.

snip

Mac browsers will set this bit when needed, of course.

What is? I'm not following.

The typical case is that the user double-clicks it. Social engineering is much easier than buffer overflows, after all.

The browser or mail client or whatever has already done this; I explained how this works in another message.

Ah, now that too is too strong. If the user can access system files, then malware he runs can do it too. It may have to wait for the user to enter a password, or it might just prompt the user. Mac OS X prompts for the admin password so much, that this would not seem unusual.

snip

Possibly. :D

The nonsense was, of course, an explanation of why making read-only files non-executable on Unix would be most unsafe, from a security point of view.

snip

Javascript is like that on Mac OS X too, of course.

snip

No; Mail and Safari both load and use the HTML renderer that Apple packages as WebKit. It's big, it's complicated, and if malicious HTML can subvert it, both programs can then be taken over.

snip

After you download a widget, Safari 'recognizes' it and transfers it to ~/Library/Widgets, creating that folder if needed.

On Apple's site, you must select the widget and download explicitly; the installation is the only thing that is automatic.

You do *not* need to explicitly unpack the .zip file, nor install the widget. That's done for you.

snip

It *is* possible to construct a web-page that auto-downloads the widget, and it will auto-install as well.

The original Tiger release could do all this with no warnings and no user intervention, due to some bugs it had.

The current version puts up two warnings. The first tells you that you have downloaded an application, but not that it will be auto-installed. Sophisticated users will understand this and can block it.

The second warning occurs when you first run the widget, which is of course much too late (it is likely to be long after the download, after all).

snip

That is probably wise. Given your evident lack of technical knowledge, you are just the sort of fellow that needs this sort of protection.


I do not mean that as an insult: you are not, in this regard, any different from 75% of the users out there, I think.

I would recommend that you install antivirus software, if you use Windows. It's a much more hostile environment for a user like you.

snip

Well, all the good bits are closed source. I can't even look. :D

snip

If we fired programmers for writing bugs, there would not be any left, I fear.

So does Microsoft's C++ compiler. Microsoft's compiler can also include overflow-checks automatically, so that at least some buffer overflows can be caught automatically, with no extra code.

I believe Fortran *does* have the problem; but it tends to be used for things that are not internet-facing anyway,

I do not know BLISS, but languages with bounds-checking in some form have been around for a long, long time. The performance cost has been too high, and even now it often still is.

snip

I've never seen that, but it sounds like an unsuccessful attempt to hack your browser that just corrupted it instead of taking over.

snip

