OS X’s huge out-of-the-box security hole, and a fix

An enormous Mac OS X selling point has been its rock-solid security, so one would be pretty enraged to find there is a gaping hole sitting in the operating system that has been reported many times and marked as “behaving normally,” while enabling anyone with GUI access to run as root and do basically anything they want to your computer. Apple has obviously been made aware of this issue, and the worst part is that it has been around at least since Panther, over five years ago.

What exactly is this issue? Well, the issue in and of itself may not seem incredibly malicious. The problem lies in AppleScript, and the fact that applications running as “root” (which basically gives complete access) can accept AppleScript commands from applications which are not running as root. Developer and MacNN forum member Charles Srstka notes that he has sent this in as a bug to Apple many times, and yet it has been labeled as “Behaves Correctly” and dismissed. Compounding the issue is the fact that all Cocoa applications automatically have basic AppleScript support, so any Cocoa application running as root can receive these malicious AppleScript commands.
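Since the exposure comes from applications running as root, a quick audit is to list root-owned processes whose executable sits inside an application bundle. The script below is an added example, not part of the original article; it assumes input in the format of `ps -axo user,pid,comm` on macOS, the process list is constructed sample data, and a bundle path is only a heuristic for "Cocoa application".

```shell
#!/bin/sh
# Added example: flag processes owned by root whose executable lives inside an
# application bundle (*.app/Contents/MacOS/), i.e. candidates for the issue
# described above. Input lines: USER PID full-executable-path.

root_gui_apps() {
    awk '
        NR == 1 && $1 == "USER" { next }   # skip the ps header row
        $1 != "root"            { next }   # only root-owned processes matter
        {
            # Rebuild the path from field 3 onward; bundle names may hold spaces.
            path = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", path)
            if (match(path, /\.app\/Contents\/MacOS\//)) {
                bundle = substr(path, 1, RSTART + 3)   # keep through ".app"
                printf "%s\t%s\n", $2, bundle
            }
        }
    '
}

# Constructed sample process list (not captured from a real machine).
sample_ps() {
    cat <<'EOF'
USER   PID COMM
root     1 /sbin/launchd
alice  312 /Applications/Safari.app/Contents/MacOS/Safari
root   845 /Applications/Example Installer.app/Contents/MacOS/Example Installer
root   901 /usr/sbin/cupsd
EOF
}

# Demo on the sample; on a Mac, run:  ps -axo user,pid,comm | root_gui_apps
sample_ps | root_gui_apps
```

Each output line is a PID and the bundle it belongs to; anything listed is worth checking for why it needs to run as root at all.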
