

Warning | 10 comments
Warning
Authored by: jaaronp on Feb 09, '06 10:47:19AM
This looks like it adds some valuable features to iChat.
However, this is not really a plugin. A plugin uses a well-defined interface provided by an application's developer in order to allow third parties to extend functionality. This is a hack. I do not mean to imply that it is intended maliciously, or that it isn't a quality piece of software.
Chax uses the Input Management Architecture [developer.apple.com] to add functionality to iChat. This is not the intended use of the Input Management Architecture, and has the (possibly) unwanted side effect of introducing Chax's code into all other applications run by the user who has installed it.
For a more detailed discussion of InputManagers, see John Gruber's recent article on Smart Crash Reporter [daringfireball.com].
Input Managers are potentially very dangerous, so one should always be wary of installing them.
Again, I'd like to reiterate that I do not mean to imply that Chax does anything malicious. The Input Management Framework allows for clever developers to do all sorts of exciting things that would not otherwise be possible, but it also opens up significant attack vectors.

Warning
Authored by: jump420 on Feb 09, '06 05:21:40PM

Very informative piece. Thanks for the heads up!



Warning
Authored by: coolsoldier on Feb 09, '06 06:22:23PM
It is possible to write an InputManager in such a way that it only loads into specific applications. In fact, most Safari bundles are written for SIMBL (Smart Input Manager Bundle Loader), which loads Input Manager bundles only for specific applications. This method of coding eliminates most of the risks of input managers by limiting their effects to the intended application.

Chax doesn't use SIMBL, so it's possible that it does load itself into every application, but it's equally possible that Chax is written to exclude itself from applications other than iChat.

Warning
Authored by: Darkshadow on Feb 10, '06 04:31:50AM

Well, yes and no. Doing things with SIMBL, you're right, that code isn't loaded into every app - but SIMBL itself is.

Chax does get loaded by every app that is launched, but as far as I can tell, it will only load the code that makes the changes in iChat. So while Chax's code is loaded into all apps, only iChat will have the code executed.



Warning
Authored by: SnowLprd on Feb 09, '06 07:46:42PM

While coolsoldier has a point, the key question -- whether Chax code is loaded into every application or just iChat -- is still unanswered. Until this question is answered, I've decided to uninstall Chax for the time being.



Warning
Authored by: GaelicWizard on Feb 10, '06 09:37:43AM

Simply put, it is loaded into each and every application. That's how the Input Manager bundles work. It may not *execute* more than a single function call (that realizes it's not in iChat, and does nothing else), but it is unquestionably loaded into the address space of every application.

JP

---
Pell



Warning
Authored by: robg on Feb 13, '06 07:08:49AM

This warning will apply to *any* useful and cool app that modifies another program via the Input Manager. Off the top of my head, this would include (for Safari) Saft, Pith Helmet, SafariStand, Sogudi, and Acid Search. It probably also covers Keynote Assistant for iPhoto.

In short, yes, there's some risk. But if the code is written correctly, it will only execute in its target app.

To me, the risk is worth the reward -- I've never had an issue with Input Manager hacks, and I run quite a few of them.

-rob.



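The distinction the thread draws, between a raw Input Manager bundle that is loaded into every application and a SIMBL bundle that is loaded only into the applications it lists, can be checked on disk. The following is an added example, not part of any comment above and not code from Chax or SIMBL; the two folder locations and the `SIMBLTargetApplicationList` / `BundleIdentifier` keys are assumptions not stated on the page, and the sample bundle names are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumed locations, relative to a home directory or to "/" (not named on the page).
INPUT_MANAGERS = "Library/InputManagers"                      # loaded into every app
SIMBL_PLUGINS = "Library/Application Support/SIMBL/Plugins"   # loaded per target list

def read_info(bundle):
    """Return the bundle's Info.plist as a dict, or {} if missing or unparsable."""
    try:
        with open(bundle / "Contents" / "Info.plist", "rb") as fh:
            return plistlib.load(fh)
    except Exception:  # an audit should report a broken bundle, not crash on it
        return {}

def audit(root):
    """List injected bundles under root with the applications each one reaches."""
    root, findings = Path(root), []
    for bundle in sorted((root / INPUT_MANAGERS).glob("*/*.bundle")):
        ident = read_info(bundle).get("CFBundleIdentifier", "unknown")
        findings.append((bundle.name, ident, "all applications"))
    for bundle in sorted((root / SIMBL_PLUGINS).glob("*.bundle")):
        info = read_info(bundle)
        targets = [t.get("BundleIdentifier", "?")
                   for t in info.get("SIMBLTargetApplicationList", [])]
        scope = ", ".join(targets) if targets else "no target list"
        findings.append((bundle.name, info.get("CFBundleIdentifier", "unknown"), scope))
    return findings

def make_sample(root):
    """Build constructed sample bundles (hypothetical names) for an offline run."""
    samples = {
        f"{INPUT_MANAGERS}/ExampleHack/ExampleHack.bundle":
            {"CFBundleIdentifier": "com.example.hack"},
        f"{SIMBL_PLUGINS}/ExampleTweak.bundle":
            {"CFBundleIdentifier": "com.example.tweak",
             "SIMBLTargetApplicationList": [{"BundleIdentifier": "com.apple.Safari"}]},
    }
    for rel, info in samples.items():
        contents = Path(root) / rel / "Contents"
        contents.mkdir(parents=True)
        with open(contents / "Info.plist", "wb") as fh:
            plistlib.dump(info, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        for name, ident, scope in audit(tmp):
            print(f"{name:22} {ident:20} -> {scope}")
```

Pointing `audit()` at a real home directory or at `/` instead of the temporary sample reports what is actually installed.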