Comments on: Mail.app and Leopard’s ban on Input Managers

By: Bob

Bob — Tue, 27 Mar 2007 13:56:51 +0000

I thought that the stink over the “alleged” delay for Leopard was due to compatibilty issues between Boot Camp and Vista integration. Um…guess that really WAS a rumor…why delay Leoplard when Boot Camp can be updated later?

By: chuy

chuy — Mon, 26 Mar 2007 13:13:06 +0000

There is a new way to do this things, look at the WWDC sessions
——————
Writing an Input Method Using the Input Method Kit Mac OS X Essentials Hands-on
Learn to quickly and easily support international users with Unicode input methods on Leopard with the Input Method Kit framework. This hands-on session guides you through the complete development of a fully functional input method

By: Rosyna

Rosyna — Mon, 26 Mar 2007 09:54:35 +0000

The proper fix for what happened would actually to take a Widgets and/or Windows approach. Sandbox applications that come off the internet when they are run. Then when they quit, tell the user all the resources/files they created and if they’d like to integrate them into the real filesystem.

“If that isnâ€™t a security flaw, then what is it?”

It’s not a security flaw at all. It’s a classic case of the user being the weakest link and everyone seems to want to do everything but blame the user for this.

By: Jonathan

Jonathan — Mon, 26 Mar 2007 07:50:38 +0000

@Rosyna.

You are making an assumption – I didn’t forget anything. Regardless of whether or not you have to run an application to get an infection (isn’t that the case for all malware?), it exploited a flaw in the way the Input Manager system is set up to enable it to affect the whole system and (try and) spread, and all without the need for a password to be inputted. If that isn’t a security flaw, then what is it? A feature? To prevent the potential for it to be exploited, either Apple needed to alter the way items are installed into the Input Manager system, or they needed to alter the system itself (for something with the potential to affect all the apps on your computer, inputting a password and user name should be the bare minimum). Either way, it is something that has been long overdue.

By: Evan Gross

Evan Gross — Mon, 26 Mar 2007 06:39:05 +0000

Helge:

Spell Catcher is an Input *Method*, not an InputManager. Rest assured that Input Methods are NOT going away, in fact quite the opposite is true (about all I can say – NDA and all…)!

By: Rosyna

Rosyna — Mon, 26 Mar 2007 01:36:45 +0000

Jonathan, you forget the fact that you had to run a malicious program to get that thing installed. So it didn’t matter what it installed or didn’t, it already had access to your machine and you already lost.

It did not show that InputManagers were an inherent security flaw. It just showed that you shouldn’t open applications you don’t trust on the internet.

By: mgorbach

mgorbach — Sun, 25 Mar 2007 15:18:46 +0000

Good point Jonathan.
Was not everyone complaining that Apple is not taking a pro-active stance towards security and is waiting until something terrible happens before “taking security seriously”? Well, I think this shows apple IS taking security seriously. It is great that they are sealing off a potential vulnerability BEFORE it is exploited on a large scale. They realize that as macos popularity increases, it will become more of a target and problems will be revealed.

By: Jonathan

Jonathan — Sun, 25 Mar 2007 15:02:31 +0000

One programme you all seem to be forgetting about, which is the one that most (in)famously exploited the security hole in OS X that is the InputManager system, is the Oompa Loompa/Leap.A malware. It wasn’t the most successful malware, but it did highlight that Input Managers are potentially a very bad security issue… has anything been done to close that particular security hole? Nope. Still exists and will do until they get rid of the way Input Managers are handled by the system or the feature itself.

By: DocB

DocB — Sun, 25 Mar 2007 01:28:03 +0000

I remember the bad old days of OS9 extensions and extension managers and Conflict Catcher. The less global futzing with the system the better. I will not cry for Input Managers.

By: DBL

DBL — Sat, 24 Mar 2007 20:42:20 +0000

I looked around and I find I recognise the name of these programs that use InputManager — they represent all the kind of software that I never install on my system. Because they have universal effect. Anytime a program that purports to enhance one particular app asks to be installed in a central location that could affect everything, I *always* opt out. Even sometimes when it’s really pained me. No enhancement is worth that. Now, with Leopard, I guess everyone will be forced to have as trouble and conflict free a computing experience as I have had on OS X. It really makes no difference to a person like me, but maybe you folks will see such increased productivity from reduced system complexity that you will have a lot more time to complain to Apple about it! (That is an often overlooked productivity advantage, for every feature set you add no matter how useful you are giving up something so don’t forget to weigh that, too.)