On May 25, 2009, at 6:52 PM, Michael Ash wrote:
> The authentication stuff is pertinent, because the AEWP is an example of an API which works by having an unprivileged user process communicate with a privileged process that does the work. A technique which allows you to compromise a process which uses AEWP demonstrates how this compromise can be done with any such setup, even using a secure channel (which AEWP does).
It does? Last I checked, AEWP() used a temp file on disk to pass its AuthorizationRef to the child process. Pipes, anyone?
-- Gwynne, Daughter of the Code
"This whole world is an asylum for the incurable."
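The reply above contrasts a temp file with a pipe for handing a credential to a child process. The following C code is an added example, not code from this thread and not Apple's implementation: it passes a constructed 32-byte token to an exec'ed child over an inherited pipe, so the token never appears on the filesystem. The names `hand_off_token` and `TOKEN_LEN` are hypothetical, and `/bin/sh` running `wc -c` is an assumed stand-in for the helper tool.

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define TOKEN_LEN 32 /* constructed size for the sample token (assumption) */

/* Hands tok to an exec'ed child on its stdin.
 * Returns the byte count the child reports reading, or -1 on error. */
int hand_off_token(const unsigned char *tok, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {
        /* Child: drop the write end, make the read end stdin. */
        close(fds[1]);
        if (fds[0] != STDIN_FILENO &&
            (dup2(fds[0], STDIN_FILENO) < 0 || close(fds[0]) != 0))
            _exit(127);
        /* Stand-in helper: counts bytes on stdin and exits with that count. */
        execl("/bin/sh", "sh", "-c", "exit $(wc -c)", (char *)NULL);
        _exit(127);
    }
    /* Parent: write the whole token, then close so the child sees EOF. */
    close(fds[0]);
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fds[1], tok + off, len - off);
        if (n <= 0)
            break;
        off += (size_t)n;
    }
    close(fds[1]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || off != len || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    unsigned char tok[TOKEN_LEN] = {0xA5}; /* constructed sample token */
    printf("child read %d bytes\n", hand_off_token(tok, sizeof tok));
    return 0;
}
```

Only the forked child inherits the read end, so no other local process can open the token by path the way it could with a file in a shared temp directory.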
