When Apple pushed their most recent security update, the first thing we checked was whether the ARDAgent issue was fixed. It’s not. This vulnerability lets anyone execute code as a privileged user and versions of this attack have already been found in the wild. While several Ruby, SMB, and WebKit issues were addressed it, ARDAgent is still unpatched. [Dino Dai Zovi] has published the method by which ARDAgent actually becomes vulnerable: when it starts, it installs its own Apple Event handlers and calls AESetInteractionAllowed() with kAEInteractWithSelf. This should restrict it only to its own events, but for some reason that’s not the resulting behavior. He also pointed out that SecurityAgent has displayed similar weirdness; it is vulnerable to Apple Events even though it doesn’t calls an Apple Events function. We can see how this unexpected behavior could make patch development take much longer and may end up uncovering an even bigger problem. Check out [Dino]’s post for more information.
mac90 Articles
EFiX Boots Leopard Retail DVDs On Generic Hardware
On June 23rd, EFiX is planning on releasing a USB dongle that will let any PC boot and install OSX from a retail DVD. The commercial device is supposed to take care of all patching and other woes OSX86 enthusiasts have had to deal with. Very little information is provided other than a statement that the development process took a lot of time and that they overcame “sabotage”… so, it’s got that going for it. Major OSX86 contributor (and Psystar hater) [Netkas] received a device to test and was pleased with the results. We’re just going to wait and see what happens. Not that it matters; they have no plans of releasing it in the US.
[via InsanelyMac]
[photo: Mario Seekr]
DIY Slingbox
[David] took some interesting steps to put together his own Slingbox-ish setup. He used a Mac mini running Quicktime Broadcaster to capture the stream from a Firewire video camera which his cable/satellite receiver is plugged into. You’ll have to use an OS X machine, but that’s not too difficult these days. Broadcaster is about the simplest way to capture from Firewire and stream. We’re using it in our own office to multicast the signal from a Canadian satellite box.
XBMC For Your Mac
XBMC (formerly Xbox Media Center) has always been a popular choice for retiring an original Xbox. Maybe people install it for lack of something better to do or maybe it’s the pride in having better media support than the 360. The XBMC team has found another device that has a pretty weak television experience, the Mac. Lifehacker took the latest XBMC for OSX beta build for a run now that it supports remote controls. It seems like a much more functional than Apple’s built in Front Row. There are a few things that don’t quite work yet, which you can find in the FAQ. We’re definitely going to try this on our old Mac mini… once we upgrade it to Leopard, which is an unfortunate caveat that might prevent people from running XBMC on legacy hardware. There is no Apple TV support planned because of limited horsepower and the hacking hurdles that might be required. If you’re interested in repurposing your old Xbox with XBMC, check out Lifehacker’s install guide.
Ghost External VGA Display Hack
Certain OS installers cough*osx*cough don’t like the on-board displays on some machines. [Ziddan] posted a paperclip based work around for them on the eeeuser forums (originally posted by [mugan] on insanelymac). Apparently by shorting the pins, the video card will report that there is an unknown external display attached.
Investigating The Leopard Firewall
Our friend [Rich Mogull] has been flipping the switches on Leopard’s new firewall and scanning it to see what’s actually going on. There is some good and some bad. The new application signing is a mixed bag. It breaks Skype and a commenter pointed out that automatically trusting Apple installed apps like NetCat isn’t a good idea either. You can roll your own firewall using user friendly tools like WaterRoof since ipfw is still included.
