Matasano Chargen: Alastair Houghton Debunks LMH MOKB Finding

  • alastair · 2 years ago
    Apology accepted, thank-you. (It wasn't really necessary; I'm not easily offended.)
  • anonymous · 2 years ago
    Here's the link to Alastair's post:

    http://alastairs-place.net/2006/11/dmg-vulnerab...
  • Steve Christey · 2 years ago
    Alastair's post is a good commentary on the problem of vulnerability information management, and the amount of trust people put into refined information sources. If it took 3 days to verify an issue, it shows how resource-intensive (read: impossible) it would be for an information source to personally verify every single claim out there.
  • alastair · 2 years ago
    It's worth saying that (I think) it would take me less time now to do the same thing again, and I'd expect someone with significant experience inside the Mac OS X kernel (especially IOKit) wouldn't take so long either.
  • Histrionic · 2 years ago
    Is it likely that this will be a problem for WIM disk images on Windows Vista, as well?
  • Thomas Ptacek · 2 years ago
    I don't know enough about them, but I know enough to say this: the right way to do this is to use a fixed format like ISO9660, and the absolute wrong way to do it is to make disk images a metaformat with client-selectable filesystems.

    Downloadable disk images and actual disks have radically different requirements; actual disks have to do all sorts of work to handle constant modification and keep coherent state. This is why I think disk images are a dumb idea to begin with.
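    As an added illustration of the "client-selectable filesystem" point above (example code, not from any commenter or from Apple's tooling): a UDIF .dmg ends with a 512-byte big-endian "koly" trailer that points at an XML plist, and that plist's blkx entries name the partitions the client is asked to mount. The check below reads only that metadata and refuses anything whose partition type is not on an allow-list, before the kernel ever sees the image. It assumes the trailer layout documented by open-source DMG tools (dmg2img) and the hdiutil naming convention "label (Apple_HFS : 1)"; the sample image is constructed in-script, not a real download.

```python
"""Report which filesystem a .dmg asks the client to mount, from its metadata only.

Added example; not code from the original thread or from Apple. Assumptions:
the 512-byte big-endian koly trailer layout used by dmg2img, and that blkx
partition names carry the type token before " : ". Sample image is constructed.
"""
import plistlib
import struct

KOLY_SIZE = 512
# Illustrative allow-list (an assumption): the types a cautious client would mount.
ALLOWED_PARTITION_TYPES = {"Apple_HFS", "Apple_Free", "Apple_partition_map"}


def parse_koly(trailer: bytes) -> dict:
    """Decode the fields of the koly trailer we need; offsets per the dmg2img layout."""
    if len(trailer) != KOLY_SIZE or trailer[:4] != b"koly":
        raise ValueError("no UDIF koly trailer at end of image")
    version, header_size, flags = struct.unpack_from(">III", trailer, 4)
    _running, data_off, data_len, _rsrc_off, _rsrc_len = struct.unpack_from(">5Q", trailer, 16)
    xml_off, xml_len = struct.unpack_from(">QQ", trailer, 216)
    (sector_count,) = struct.unpack_from(">Q", trailer, 492)
    return {
        "version": version, "header_size": header_size, "flags": flags,
        "data_off": data_off, "data_len": data_len,
        "xml_off": xml_off, "xml_len": xml_len, "sector_count": sector_count,
    }


def partition_type(name: str) -> str:
    """hdiutil writes 'disk image (Apple_HFS : 1)' or 'Apple_Free : 2' (assumed convention)."""
    inner = name[name.rfind("(") + 1:-1] if "(" in name and name.endswith(")") else name
    return inner.split(" : ")[0].strip()


def check_image(image: bytes, allowed=ALLOWED_PARTITION_TYPES):
    """Return (declared partition types, those not on the allow-list).

    Every offset from the trailer is attacker-controlled, so it is bounds-checked
    against the file before being dereferenced.
    """
    koly = parse_koly(image[-KOLY_SIZE:])
    body_len = len(image) - KOLY_SIZE
    if koly["xml_off"] + koly["xml_len"] > body_len:
        raise ValueError("XML region points outside the image")
    plist = plistlib.loads(image[koly["xml_off"]:koly["xml_off"] + koly["xml_len"]])
    names = [entry["Name"] for entry in plist["resource-fork"]["blkx"]]
    types = [partition_type(n) for n in names]
    return types, [t for t in types if t not in allowed]


def build_sample_dmg(partition_names) -> bytes:
    """Construct a minimal image: one empty sector, the plist, then the trailer."""
    data_fork = b"\x00" * 512  # constructed; a real image holds compressed block chunks here
    plist = {"resource-fork": {"blkx": [
        {"Name": n, "ID": str(i), "Attributes": "0x0050", "Data": b""}
        for i, n in enumerate(partition_names)]}}
    xml = plistlib.dumps(plist)
    trailer = bytearray(KOLY_SIZE)
    struct.pack_into(">4sIII", trailer, 0, b"koly", 4, KOLY_SIZE, 1)
    struct.pack_into(">5Q", trailer, 16, 0, 0, len(data_fork), 0, 0)
    struct.pack_into(">II", trailer, 56, 1, 1)                      # segment 1 of 1
    struct.pack_into(">QQ", trailer, 216, len(data_fork), len(xml))  # XML follows the data fork
    struct.pack_into(">Q", trailer, 492, 1)                          # sector count
    return data_fork + xml + bytes(trailer)


if __name__ == "__main__":
    for names in (["disk image (Apple_HFS : 1)", "Apple_Free : 2"], ["payload (Apple_UFS : 1)"]):
        types, unexpected = check_image(build_sample_dmg(names))
        print(types, "REFUSE" if unexpected else "ok")
```

    The point is that the container, not the client, decides which filesystem driver gets exercised; an allow-list like this narrows that choice back down to the one or two drivers you actually intended to expose to downloaded content.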
  • Histrionic · 2 years ago
    Well, from a system administration perspective, disk image containers have a lot of advantages for different usage scenarios.

    That’s not to say that there aren’t risks associated with them—because it looks like there’s evidence that there is or will be—but the risk sounds like it’s just simply much worse when they are traded across the ’net. They're now being used for general purposes rather than being confined to local computers for specific purposes.