I just wish Remote Desktop had the ability to view the iSight image. In a lab situation, I can already watch what they have on the screen, let me see who is sitting at it.
Since the camera only has to be on long enough to capture an image, it could take a still image and only be on as long as the "shutter", which might be hard to catch if you're not paying attention. One of those things where you might "think you saw it" but then convince yourself you were imagining things.
Such a little update for such a big issue
Installed OK, seemed to boot faster, and Safari seems snappier ;-)
I bought my mom an iMac a month ago and she specifically asked me if something like this could happen. Mothers always know.
I just wish Remote Desktop had the ability to view the iSight image. In a lab situation, I can already watch what they have on the screen, let me see who is sitting at it.
I see your point, most computer labs already have cameras, so this is just another. It is still a little creepy though to think someone could be looking at you...face on from 3 feet away.
Hehe... Scary bug.
Oh, and it's 2,7 MB on my iMac G5, and you need to restart!
Applied the security update and the O'Reilly page
http://www.oreillynet.com/lpt/wlg/7409
STILL captures my web cam, not an iSight. Live video, not just a still.
iChat is not running and no images on my desktop.
Using a DV Camcorder as web cam.
Not only that, but it captures the live video output of my BlackMagic video capture card when I'm not using a camera!!
So now you know. And knowing is half the battle.
--Chris
However, I hesitate to say 100% definitive statements like "no way". For instance, what if the LED actually burns out or loses contact?
Hi. I'm Chris Adamson, the author of the blog you're quoting, and I want to clarify that the blog does not constitute a test of the exploit. It will continue to work even after you've applied the security patch.
The page does one thing: it shows that a Quartz Composer composition can turn on your camera. This is not a security issue in and of itself, because the image from the camera is only used locally (i.e., shown in the web page). This example uses the QuickTime plug-in to put the Quartz Composer composition, saved as a QuickTime "movie", in a web page.
The actual exploit uses a second technology, QuickTime for Java, to load the Quartz Composer movie into a Java applet. Once it does this, the applet can then get the image from the camera and then upload it to a server.
Apple's security fix only disallows this combination. It prohibits "unsigned" applets (those that don't assert the identity of their authors and ask for insecure access to the system) from loading Quartz Composer compositions. Therefore, the applet cannot load the movie that turns on your camera. Note that signed applets, and full-blown double-clickable QTJ applications, are assumed to have full access to your system and thus can still load QC compositions.
So now you know. And knowing is half the battle.
--Chris
Thanks for clearing that up, Chris. I was about to, but I guess it's a bit more authoritative coming from you.