[Bug 19998] The non-appearance of Polygon graphics in LC

Richard Gaskin ambassador at fourthworld.com
Wed Jul 11 20:54:51 EDT 2018


Bob Sneidar wrote:

 > On Jul 11, 2018, at 13:43 , Richard Gaskin wrote:
 >> When a computer's OS no longer receives critical patches for known
 >> exploits, it's no longer safe to use.
 >
 > I think it depends on what you use it for.

True. If you unplug the power and use it as a doorstop, it's completely 
safe. Anything else involves varying degrees of risk. :)

Running outdated software is one of the leading reasons 80% of American 
businesses have experienced at least one form of hack or another.


 > I have yet to see a MacOS "exploit" that didn't require the end user
 > do something they ought not to do, and/or authenticate an action they
 > didn't initiate. And by exploit, I mean access the OS via network
 > protocol and bypass protections in place to prevent it without user
 > action or intervention.

That's true of most OSes.  But look deeper.  They're rarer, but they exist.

And even those that require user action, those actions may seem 
innocuous to many users who do not understand the implications, or can 
use exploits in other software to gain elevated privileges which can 
then be used with exploits requiring admin.

The deeper you look, the murkier things get.

Sometimes even authentication itself becomes vulnerable:

    Passwords are stored in the Mac's Keychain, which typically
    requires a master login password to access the vault.

    But Wardle has shown that the vulnerability allows an attacker
    to grab and steal every password in plain-text using an unsigned
    app downloaded from the internet, without needing that password.
<https://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack/>

And we can't forget everyone's favorite, the Meltdown flaw in Intel 
chips like those in systems that run macOS 10.7:
<https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/>

A partial list of vulnerabilities specific to macOS 10.7.5 is here:
<https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/version_id-143035/Apple-Mac-Os-X-10.7.5.html>

That list contains only OS vulnerabilities; other searches can turn up 
additional vulnerabilities against the versions of Safari, Apache, 
rsync, and other programs included in the system which have their own 
lengthy lists of known vulnerabilities.  Combining vulnerabilities 
multiplies threats.

Consider which of the 900+ CVEs against Safari may be used in 
combination with other exploits:
<https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-2935/Apple-Safari.html>


Ultimately, security is a matter of subjective sense of comfort.  The 
sort of person who goes into the shopping mall with they keys left in 
their car will probably feel right at home running an OS where the only 
system patches are being delivered by organized crime rings and hostile 
nation state actors.

After all, not every car with the keys left in it gets stolen, so why 
not? ;)

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com




More information about the Use-livecode mailing list