Bob Sneidar wrote:
> On Jul 11, 2018, at 13:43 , Richard Gaskin wrote:
>> When a computer's OS no longer receives critical patches for known
>> exploits, it's no longer safe to use.
>
> I think it depends on what you use it for.
True. If you unplug the power and use it as a doorstop, it's completely
safe. Anything else involves varying degrees of risk. :)
Running outdated software is one of the leading reasons 80% of American
businesses have experienced at least one form of hack or another.
> I have yet to see a MacOS "exploit" that didn't require the end user
> do something they ought not to do, and/or authenticate an action they
> didn't initiate. And by exploit, I mean access the OS via network
> protocol and bypass protections in place to prevent it without user
> action or intervention.
That's true of most OSes. But look deeper. They're rarer, but they exist.
And even those that require user action, those actions may seem
innocuous to many users who do not understand the implications, or can
use exploits in other software to gain elevated privileges which can
then be used with exploits requiring admin.
The deeper you look, the murkier things get.
Sometimes even authentication itself becomes vulnerable:
Passwords are stored in the Mac's Keychain, which typically
requires a master login password to access the vault.
But Wardle has shown that the vulnerability allows an attacker
to grab and steal every password in plain-text using an unsigned
app downloaded from the internet, without needing that password.
<https://www.zdnet.com/article/apple-macos-high-sierra-password-vulnerable-to-password-stealing-hack/>
And we can't forget everyone's favorite, the Meltdown flaw in Intel
chips like those in systems that run macOS 10.7:
<https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-heres-what-intel-apple-microsoft-others-are-doing-about-it/>
A partial list of vulnerabilities specific to macOS 10.7.5 is here:
<https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/version_id-143035/Apple-Mac-Os-X-10.7.5.html>
That list contains only OS vulnerabilities; other searches can turn up
additional vulnerabilities against the versions of Safari, Apache,
rsync, and other programs included in the system which have their own
lengthy lists of known vulnerabilities. Combining vulnerabilities
multiplies threats.
Consider which of the 900+ CVEs against Safari may be used in
combination with other exploits:
<https://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-2935/Apple-Safari.html>
Ultimately, security is a matter of subjective sense of comfort. The
sort of person who goes into the shopping mall with they keys left in
their car will probably feel right at home running an OS where the only
system patches are being delivered by organized crime rings and hostile
nation state actors.
After all, not every car with the keys left in it gets stolen, so why
not? ;)
--
Richard Gaskin
Fourth World Systems
Software Design and Development for the Desktop, Mobile, and the Web
____________________________________________________________________
ambassa...@fourthworld.com http://www.FourthWorld.com
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
