×

Announcing: Slashdot Deals - Explore geek apps, games, gadgets and more. (what is this?)

Thank you!

We are sorry to see you leave - Beta is different and we value the time you took to try it out. Before you decide to go, please take a look at some value-adds for Beta and learn more about it. Thank you for reading Slashdot, and for making the site better!

Comments

top

Book Review: Creating Mobile Apps With JQuery Mobile

foo4thought Re:That explains things (91 comments)

You could be describing the linked article or m.slashdot.org itself, which is agonizingly slow and unusable on my old iPhone.

about a year and a half ago
top

Mac OS X Root Escalation Through AppleScript

foo4thought Re:Fix using Info.plist (359 comments)

This may have come too late in the comments for anyone to see it, but if the exploit is active on your system, adding a key to ARDAgent's Info.plist makes the problem go away without disabling ARDAgent altogether. (Whether or not ARDAgent is a security vulnerability itself is another story.)

<key>NSAppleScriptEnabled</key>
        <string>YES</string>

That "YES" is not a typo; setting it to "NO" does not fix the problem. AFAICT this makes osascript expect that ARDAgent will implement more of its own AppleScript handlers...which of course, it doesn't.


P.S. I searched for other, similar problem setuid apps, and turned up check_afp.app (which someone else posted already) and, surprisingly, GoogleUpdaterInstaller. Fortunately, even though these apps run setuid, they won't respond to the "do shell script" attack.

yes it works once, but it doesn't seem to persist.
    i.e. the process of demonstrating that it works exercises the application into overwriting its Info.plist file and obliterating the edit.

more than 6 years ago

Submissions

foo4thought hasn't submitted any stories.

Journals

foo4thought has no journal entries.

Slashdot Login

Need an Account?

Forgot your password?