links for 2008-06-24

My madeleine? Thunderstorms

This has felt like summer, for the first time in recent memory. Why? The last few days, we’ve had high humidity and thunderstorms. Bam. Takes me right back to Newport News or even DC. Mowing the lawn Saturday morning was a real Proustian moment: cloudless sky but with steadily climbing temps and thickening air. By the time I was done I felt like I was swimming in the air, it was so humid. And instantly I was back home, trying to rush to finish the lawn before the skies opened. Then there’s that rush of cool air against the skin right before the rain comes in.

Followup: Mac OS X ARDAgent vulnerability advice

Various parties in the Mac community have weighed in and suggested the best way to address the issue highlighted in last week’s advisory regarding an escalation of privilege vulnerability in ARDAgent. While some have suggested that enabling the remote access service may actually correct the privilege escalation, there’s been enough evidence that it doesn’t really work. And a suggestion to clear the setuid bit that allows ARDAgent to act as root appears to kill it, for at least some commentators. That leaves only two options:

  1. If you don’t need to have anyone remotely manage your application, just delete or archive ARDAgent.app.
  2. Restrict ARDAgent from being able to perform “do shell script” (as described in Martin Kou’s blog).
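
Option 1 above in shell (an added example, not from the original post or from Apple): it lists any setuid files inside an app bundle with their owner UID, then archives the bundle and removes the live copy only after the archive verifies. The bundle path and archive directory are caller-supplied arguments, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an app bundle for setuid files, then archive it.
# Usage: sh archive_bundle.sh /path/to/Some.app /path/to/archive-dir

# Print "uid path" for each setuid regular file inside the bundle.
# Returns 0 if at least one was found, 1 if the bundle has none.
list_setuid() {
    app=${1%/}
    found=$(find "$app" -type f -perm -4000 -print |
        while IFS= read -r f; do
            # Field 3 of `ls -ln` is the numeric owner; uid 0 means setuid root.
            uid=$(ls -ln "$f" | awk '{ print $3 }')
            printf '%s %s\n' "$uid" "$f"
        done)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Archive the bundle into dest (archive readable by its owner only), verify
# the archive lists cleanly, then remove the live copy. Prints the archive path.
archive_bundle() {
    app=${1%/}
    dest=$2
    name=$(basename "$app")
    parent=$(dirname "$app")
    out="$dest/$name.$(date +%Y%m%d%H%M%S).tar.gz"
    ( umask 077; tar -czf "$out" -C "$parent" "$name" ) || return 1
    tar -tzf "$out" >/dev/null || return 1
    rm -rf "$app"
    printf '%s\n' "$out"
}

# Only act when both arguments are given.
if [ "$#" -eq 2 ]; then
    list_setuid "$1" || echo "no setuid files found in $1"
    archive_bundle "$1" "$2"
fi
```

Run it as root against ARDAgent.app with a destination directory only root can read; extracting the archive as root brings the setuid bit back along with the files.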

It would be nice if Apple just closed the hole, wouldn’t it?

While you’re at it, don’t forget to update Ruby (it’s part of the default Mac OS X installation), if you’re using it, to close a whole bunch of holes–from numeric errors to buffer overflows–in the core Ruby runtime.

And can we stop pretending that the Mac OS X platform is magically secure?