Charles on… anything that comes along

Mozilla Flaw Lets Links Run Arbitrary Programs details a flaw, sigh, in Mozilla (for Windows) which will execute code without someone clicking the link. (You could use a self-refreshing frame that was 1 pixel wide, for example.) There’s a fix. Which is nice. It sounds very like the help://runscript flaw in OSX that was fixed last month. Browser-based attacks are going to be big business in the coming years. Because, like Windows, (almost) everyone uses ‘em.

These posts might be related (the database thinks..):
• Is it really so hard? (7 July 2004; score: 51.83%)
• Maybe I'll wait for Sunbird to improve its calendar just a little bit (3 January 2005; score: 50.78%)
• Firefox on OSX: mostly negative, I'm afraid (16 September 2004; score: 48.36%)

I find Paul Thurrott’s Internet Nexus a continual source of perplexity (perplexment? whatever). First annoyance: doesn’t have comments turned on, so one can’t balance the dafter things he repeats or says. Second thing: repeats daft things. Here’s his repeat of an NT Bugtraq warning which fails to pick up on a rather key element of this “vulnerability in the wild”:

“Obviously this is only of interest if an attacker has root (or physical) access to a machine, however…

However, if someone has root (translation: they are God, locally) you’ve already got big enough problems, because they could change your password, and they can access anything you’ve encrypted with Apple’s FileVault. (I’d use PGP anyway.) If they’ve got physical access and a CD - OK, that could be a problem if you haven’t enabled Open Firmware Password, which can disallow someone from starting from anything other than the normal startup disk.

I haven’t looked at this exploit: I expect, based on what’s said, that it’s looking at the swapfiles for longname. (Update: I have, It is.) I saw this reported on an O’Reilly blog a week ago. Read the comments: people tried it and had different results - which suggests to me it’s actually something to do with Appletalk not securing passwords. Many people use the same password all over.

So it’s a vulnerability “in the wild” to the extent that there are hackers prowling around exploiting root vulnerabilities (how many of those are there on OSX, please?) and bearing installer CDs. Except in the latter case, they still have to log into Terminal and then enter a “sudo” (admininstrator) password. Which they’ll get from where, exactly?

This is a classic case of speed-of-light journalism: everyone wants to be first with this story, and to put it on their site first. Nobody brings any expertise to it, however. Result: readers vaguely worried, but not informed.

Meanwhile I had another phishing email (effortlessly spam-trapped by Post Armor) insisting it was “Important Information from Lloyds Bank”. I’d almost feel interested, except I don’t bank with Lloyds. I bet the site it leads you to works perfectly on IE6….

These posts might be related (the database thinks..):
• No, honestly: you don't have to pay Barclaycard's "late payment charge" (6 September 2005; score: 29.18%)
• Sudding Sudoku! How long can it go on? (answer: a few billion years more) (14 May 2005; score: 26.84%)
• A fact you don't know about Morrissey and the Eurovision Song Contest (10 January 2007; score: 22.83%)

Probably the most frustrating thing to get used to in the daily job is spending an afternoon cajoling PR people and tracking down enormously helpful people who tell you really interesting things which you write up for a story which, as you leave the office, is being laid out on a page by a sub. Then you get in next morning, pick up the paper, and…. where’s the story?

Answer: you’ve got the four-star (final) edition and your story got dropped somewhere between the first and what you’ve got.

Such was the case with the physical version of Get ready, here comes the iPod mini - and a revolution in how we enjoy music which, while hardly a revolution in news story-telling, took all sorts of lobbying on my part before it could even get shaped into something sensible. Q Magazine were helpful and so were Word; and so was the PR person for Q. Which made it a bit distressing that the first phone call I got was from said PR person, wondering “when the story would appear.”

These posts might be related (the database thinks..):
• Gus Mueller on watching the money not come in (11 January 2006; score: 29.73%)
• When readers bite (because reviewers don't) (6 November 2006; score: 26.77%)
• Don't think, just repeat it loudly (9 July 2004; score: 18.15%)