[MacTUG] AppleScript flaw allows root access
Marlon A. Griffith
m3griffi at engmail.uwaterloo.ca
Thu Jun 26 12:16:12 EDT 2008
AppleScript flaw allows root access
A MacNN forum poster reports on a serious flaw in Mac OS X's implementation of AppleScript. Essentially, applications that are running as root can accept AppleScript commands from applications that are not running as root -- and since every Cocoa application automatically gets some basic AppleScript support, this means that any time a Cocoa application runs as root, anyone else can send it a "do shell script" command and run other commands or applications as root. This is compounded by the fact that Apple ships an AppleScript application with its setuid bit set out of the box.
http://www.macnn.com/articles/08/06/25/applescript.flaw/
More information about the MacTUG
mailing list