[MacGallant]

Do I uninstall Paranoid Andriod before updating to OSX 10.3.4 or do I leave Paranoid Android alone because it is still needed in OSX 10.3.4?

[CatOne]

Originally posted by MacGallant:
Do I uninstall Paranoid Andriod before updating to OSX 10.3.4 or do I leave Paranoid Android alone because it is still needed in OSX 10.3.4?

I wouldn't install it in the first place.

[mitchell_pgh]

I'm not totally sure, but I noticed this window when trying one of the test features.

http://www.bombaybungalow.com/Picture13.jpg

[mitchell_pgh]

I tried this site to test it...

http://www.insecure.ws/article.php?s...00405222251133

and it no longer will auto run the script... so that's a good thing...

[MindFad]

10.3.4 does not fix the exploit found here:

http://www.unsanity.com/haxies/pa/whitepaper/

So, if you're still worried and a little paranoid—like myself—you may as well leave PA on there. Man, now I need to go listen to some Radiohead.

[turtle777]

Originally posted by MindFad:
10.3.4 does not fix the exploit found here:

http://www.unsanity.com/haxies/pa/whitepaper/

So, if you're still worried and a little paranoid—like myself—you may as well leave PA on there. Man, now I need to go listen to some Radiohead.

Bummer.

APPLE, ARE YOU LISTENING ?

Either the security issue is so deep and complicated to fix that they need much more time, or Apple is plain stupid and arrogant.

Gosh...

-t

[Rickster]

Granted, the timing is a little odd, but remember: full-OS updates are a big deal in terms of engineering and testing time. With little updates like security patches and such, they really only need to test the patched functionality. But when they bump the OS version -- the number that third-party developers base official system requirements on -- they have to test with all kinds of third-party software to make sure they aren't breaking everybody's products. A large-scale QA cycle takes a long time (seen the updates on AppleInsider et al? 10.3.4's been in seeding for months), and thus can get thrown way off when coordinating with short-term projects. That this update came out today and didn't include a fix for the latest security issue isn't necessarily a sign that Apple's ignoring the security issue... it's a sign that they're, well, multitasking.

[MOTHERWELL]

Originally posted by MindFad:

Man, now I need to go listen to some Radiohead.

....or read The Hitchhikers Guide to the Galaxy, where the name comes from...


....or just wait for the movie to come out!

[Person Man]

Originally posted by turtle777:
Bummer.

APPLE, ARE YOU LISTENING ?

Either the security issue is so deep and complicated to fix that they need much more time, or Apple is plain stupid and arrogant.

Gosh...

-t

Multiple security issues came to light in the last two weeks. The first one was the Help Viewer issue. That was reported to Apple in February, and they released the fix last weekend.

While people here were exploring that issue, they discovered the more serious Launch Services URI issue. That was unknown to Apple until a few weeks ago. Apple is NOT stupid and arrogant. This other issue came out around the same time as the Help Viewer exploit was made public. Hence, the confusion because the public perceives this as just one problem, not many.

This newer issue is fairly complex, and Apple will need some time to fix it... PROPERLY, without breaking too much.

The problem was also discovered too soon to make it into the 10.3.4 release.

[sniffer]

Originally posted by Person Man:
This newer issue is fairly complex, and Apple will need some time to fix it... PROPERLY, without breaking too much.

Amen to that.

[Millennium]

Originally posted by Person Man:
Multiple security issues came to light in the last two weeks. The first one was the Help Viewer issue. That was reported to Apple in February, and they released the fix last weekend.

While people here were exploring that issue, they discovered the more serious Launch Services URI issue.

That's just it. It's really all one big security issue, which is manifesting in many different ways. Apple is trying to fix the symptoms piecemeal by dealing with individual apps, rather than simply accept that the scheme underlying it all is inherently flawed, and needs to be taken out right away.

It should never be possible to directly run code from a URI unless that code is carefully sandboxed.

[Person Man]

Originally posted by Millennium:
That's just it. It's really all one big security issue, which is manifesting in many different ways. Apple is trying to fix the symptoms piecemeal by dealing with individual apps, rather than simply accept that the scheme underlying it all is inherently flawed, and needs to be taken out right away.

It should never be possible to directly run code from a URI unless that code is carefully sandboxed.

No, it really is a separate issue from the Help Viewer runscript exploit. That was easily fixed, and they fixed it. That part of the problem was reported to them in February. Nobody else knew about the Launch Services thing then. Not even Apple.

The new thing was discovered in the last two weeks. To suggest that Apple is ignoring the issue at hand and only releasing piecemeal solutions is not appopriate at this point, because Apple hasn't had enough time to study this problem. They had plenty of time to fix the original exploit, and they did.

Fixing the current issue but not fixing Help Viewer may not have prevented the Help Viewer runscript exploit from working. So, they need to do both. One (the easier one) has been fixed. The other will require some thought on their part for a proper fix.

[turtle777]

Originally posted by Person Man:
This newer issue is fairly complex, and Apple will need some time to fix it... PROPERLY, without breaking too much.

Ok, so the fairly easy to fix Helpviewer fix took Apple more than 3 months (Feb - May).

I guess we'd better be prepared for Paranoid Androide being around for at least 6 months.

Sh.....

-t