The more we know, the less we know. We now know it wasn't a Safari flaw. So... was it *actually* a Quicktime flaw or (possibly more likely) a Java flaw....
I think it's more likely that the flaw is a combination of the two programs, probably Java generating some data, or doing something that it isn't supposed to do, since web java is supposed to play in a sandbox, and then quicktime, when presented with data that is totally unexpected, after all, you can't test for every possible case, and hence overflowing with some executable code causing a remote shell to pop up.
Not checking bounds is always bad. It's one of those things almost everybody does (in particular thanks to the C/C++ languages which leave this task explicitly to the programmers) but it is a very bad practise nevetheless.
Considering the speed of modern hardware, there is no reason to omit bounds checking. It is about time that programmers are getting their butts kicked to always do bounds checking, no exceptions ever allowed. Better still, compilers should be upgraded to apply bounds checking by default.
Until that time comes, we will have to put up with software ridden with security holes and bugs like a Swiss cheese.
Apple 13.3" MacBook Pro Notebook (2.26GHz Intel Core 2 Duo Mobile, 2GB DDR3, 160GB HDD, DVD±RW DL, Mac OS X v10.5 Leopard, 13.3" LCD)
Apple MacBook Notebook (2.4GHz Intel Core 2 Duo Mobile, 2GB DDR3, 250GB HDD, DVD±RW DL, Mac OS X v10.6 Snow Leopard, 13.3" LCD)
Apple iMac All-In-One Desktop (3.06GHz Intel Core 2 Duo, 4GB DDR2, 1TB, DVD+-RW DL, Mac OS X v10.5 Snow Leopard, 27" LCD)
Apple iMac All-In-One Desktop (3.06GHz Intel Core 2 Duo, 4GB DDR2, 500GB, DVD+-RW DL, Mac OS X v10.5 Snow Leopard, 21.5" LCD)
Apple 13.3" MacBook Air Notebook (1.6GHz Intel Core 2 Duo Mobile, 2GB DDR3, 120GB HDD, Mac OS X v10.5 Leopard, 13.3" LCD)
QuickTime, not Safari, to blame for MacBook vuln
Anonymous Coward
Hmmmmm.... #
Posted Wednesday 25th April 2007 09:06 GMT
The more we know, the less we know. We now know it wasn't a Safari flaw. So... was it *actually* a Quicktime flaw or (possibly more likely) a Java flaw....
Clay Garland
I think. . . #
Posted Wednesday 25th April 2007 12:48 GMT
I think it's more likely that the flaw is a combination of the two programs, probably Java generating some data, or doing something that it isn't supposed to do, since web java is supposed to play in a sandbox, and then quicktime, when presented with data that is totally unexpected, after all, you can't test for every possible case, and hence overflowing with some executable code causing a remote shell to pop up.
Anonymous Coward
Here we go again. o_O #
Posted Wednesday 25th April 2007 12:48 GMT
Fanbois, start your engines!
WT
No excuses #
Posted Wednesday 2nd May 2007 04:31 GMT
Not checking bounds is always bad. It's one of those things almost everybody does (in particular thanks to the C/C++ languages which leave this task explicitly to the programmers) but it is a very bad practise nevetheless.
Considering the speed of modern hardware, there is no reason to omit bounds checking. It is about time that programmers are getting their butts kicked to always do bounds checking, no exceptions ever allowed. Better still, compilers should be upgraded to apply bounds checking by default.
Until that time comes, we will have to put up with software ridden with security holes and bugs like a Swiss cheese.