Friday, April 6, 2012

Flashback

Rich Mogull:

The significant thing is that, unlike almost all other Mac malware we’ve seen, Flashback can insinuate itself into your system if you merely visit an infected webpage and are using vulnerable software. You do not need to enter your administrative password or to manually install anything.

[…]

The vulnerability in Java that Flashback exploits was patched in February by Oracle (which inherited Java as part of its acquisition of Sun Microsystems). But Apple waited nearly two months to update OS X with that patched version.

This is the single biggest security issue for Macs. OS X includes a number of software components from third-party vendors and the Open Source software community, and Apple has a terrible track record in updating those components. When a vulnerability becomes publicly known because it’s been patched on another platform, but it isn’t patched on another, the bad guys have a straight-line roadmap to compromising that unpatched system.

In recent years, I’ve only used Java for CrashPlan, so I had it turned off in the browser. And, as it happens, Macs with Xcode or Little Snitch installed are not vulnerable.

The previous incarnation of Flashback was a Trojan horse that masqueraded as an installer for Flash. The interesting thing about that attack vector is that neither sandboxing nor Gatekeeper would be able to protect against it.

Drag and Drop to Dropbox

Rajeev Nayak:

If you use Chrome, Firefox, or Safari, you can now upload files by dragging them from your desktop onto the Dropbox website. After Dropbox detects the upload, it’ll work its magic to get your stuff wherever you need it.

I recently discovered that this works in Google Docs, too. Pretty cool.

I’ve been using both of these cloud services a lot lately, and the interesting thing is that there’s almost zero overlap with Apple’s (current) vision for iCloud. Dropbox lets me edit the same file with multiple apps on different devices. Google Docs lets multiple people view and edit the same documents, with revision tracking, permissions, and notification.

There’s no iWork for Windows, and iWork.com was read-only and (like iDisk) will be shut down. Apple just doesn’t seem interested in serving customers who want to collaborate or use other platforms.

Greenwich

FadingRed (via Daniel Jalkut):

Greenwich is a Cocoa framework designed to make localization of Cocoa applications extremely easy for developers and translators. We’ve made every step of the process seamless, so you can focus on creating great software for more people.

This open-source project addresses one of the most longstanding limitations/flaws in Apple’s developer tools. Localization should be much easier than it is, both at the level of communicating with translators and within an Xcode project. So I like that they’re doing something, although I’m a bit skeptical of the dynamic localization approach (contra actual localized xib/nib files). Greenwich seems to rely on string keys (rather than ID numbers), and it inserts the localized strings into the views at runtime. I’ve used apps that do this, and they tend to be characterized by either truncated strings or excess padding. However, in theory Cocoa Auto Layout’s resizing and constraints system should make dynamic localization much more capable than in the past.

Facebook and Dropbox Apps Vulnerable to Credential Theft

Eric Slivka (via Chris Adamson):

Wright outlines a number of different ways in which a malicious user could obtain the login credentials, including customized apps, hidden applications installed on public PCs, or hardware solutions such as a modified speaker dock that could siphon the data.

Apparently the USB vulnerability, which seems to me to be the most serious, only affects iPhones that don’t have a passcode set.

The Future of MacRuby

Matt Aimonetti (via Shantonu Sen):

I’d like to make clear that I see myself more in a role of a facilitator than a technical leader on the order of what Laurent was. This role has been left vacant for more than 6 months now and needs to be filled by a group of people with greater technical skills than mine. Additional contributors are therefore more than welcome to join the team, and their support will be as much appreciated as it is needed.

Laurent Sansonetti had been working on MacRuby while employed by Apple, but he’s no longer with Apple or contributing to the project.

Update (2012-05-05): Sansonetti has created RubyMotion, a commercial runtime and development environment for building iOS apps with Ruby.