The recent problem with Microsoft WMF files is disturbing because it brings to light attack vectors most of us hadn't thought about before.
Any trojan or virus has to be opened for it to attack. That doesn't necessarily mean that the payload itself is an executable file; in this case the Microsoft Windows Picture and Fax Viewer (Shimgvw.dll) is the flawed application that allows the exploit. But you would expect that you would have to actively do something (download and open a file) before being at risk.
Not necessarily. If, for example, you have Google Desktop installed, all you need is to have downloaded an infected file - even a simple ftp download would be enough, because Google Desktop will blindly call the shimgvw.dll library when it indexes the file.
While Google Desktop is an add-on you don't necessarily have, the next version of Windows will have its own automatic indexing. Macs already have this (Spotlight), so if a similar OS level flaw turned up there, we'd have the same problem. Of course all of this comes from "ease of use", which are three words I'm disliking more every day.
The other aspect of this is the proprietary DLL. If the code were open source, it would probably already be fixed. Instead, Microsoft is "investigating the issue to determine the appropriate course of action for customers". Isn't that good to know?
Back to Macs: The Spotlight search tool is often described as the best part of Mac OS X Tiger. It was the "breakthrough feature in OS X version 10.4--the reason to get Tiger" (http://www.pcworld.com/news/article/0,aid,120646,00.asp) and so on. Microsoft will be adding a similar feature to its Vista release; full indexing is apparently a hot feature.
So how come I never use it?
Oh, Spotlight pops up every now and then when I accidentally hit its hot key, but except when I played with it to find out what it was all about and how it worked, I've never had a reason to use it. That must be because I never have to find files, right? Must be nice to have such a great memory, you say.
Nope. My memory is as flaky as anyone else's. I often have to find files. But.. Why would you ever want to just find a file? "Oh, I was just curious where I put that foo-bah file.. thanks, Spotlight!". Or "Ayup, I just wanted to check that it's still there. I see it is, thanks" or "I wonder which of my files have the word 'extra' in them?".
Not very likely or very often. Usually when I want to find files it's because I want to DO something with them. I want to delete them, copy them, edit them, or look at them. Spotlight isn't particularly helpful for any of that. It brings up a list of matching files, but you have to take it from there.
That's why I'm more apt to be running "grep" or "find" at the command line. I can do:
vi `grep -l foo *html`
find . -empty -delete
find . -name '*.html' -exec cp {} /tmp \;
and of course much, much more.
The command line version of Spotlight (mdfind) can be piped to other commands, but although in some ways it has much more power than the venerable "find" and "grep" that I do use constantly, in other ways it really has less. For one thing, both Spotlight and mdfind ignore text files with extensions they don't understand. I'll talk more about that in another article, but for me, the limitations far exceed the usefulness.
I feel sorry for the Apple developers who worked on Spotlight. I'm sure they put a lot of effort into it, and likely think it's a great feature. I suppose it must be disappointing that so many of us don't use it and don't want it even running. It can really bog down your machine when you are doing things like copying down a lot of files or moving things around; if you aren't going to use it anyway, why waste those cpu cycles and the disk space for the index?
Indeed. So let's get rid of it, shall we?
The first step is to become root. You can do everything with "sudo", but we have a few steps here, so it's easiest to start with "sudo su -". Give your ordinary password, and you have a root prompt.
To disable Spotlight from starting up at boot, edit /etc/hostconfig and change the Spotlight line:
SPOTLIGHT=-NO-
For each disk drive, turn off Spotlight indexing:
mdutil -i off /
mdutil -i off /myotherdrive
Note that you'll see errors if the disk is very busy when you do that. Wait till the disk activity stops and try again.
Then run:
mdutil -E /
mdutil -E /myotherdrive
If there's any "mdimport" running in Activity Monitor or ps, kill it.
This gets rid of the index, but doesn't remove the .Spotlight directory, so:
cd /
rm -rf .Spotlight*
cd /myotherdrive
rm -rf .Spotlight*
Reboot after all this and you shouldn't be bothered by Spotlight again.
Some web sites have suggested using the System Preferences > Spotlight > Privacy tab but apparently that can cause other problems.
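The steps above collected into one script, as an added example that is not part of the original article. The DRY_RUN, RETRIES, WAIT_SECS and HOSTCONFIG settings and the function names are assumptions of this example; it checks /etc/hostconfig rather than editing it, and by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: the steps above as one script for Mac OS X 10.4, run as root.
# DRY_RUN defaults to 1, which prints each command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
RETRIES="${RETRIES:-3}"                  # assumption: attempts per mdutil call
WAIT_SECS="${WAIT_SECS:-30}"             # assumption: pause while the disk is busy
HOSTCONFIG="${HOSTCONFIG:-/etc/hostconfig}"

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# mdutil reports errors while the disk is very busy, so wait and try again.
retry() {
    attempt=1
    until run "$@"; do
        if [ "$attempt" -ge "$RETRIES" ]; then return 1; fi
        attempt=$((attempt + 1))
        sleep "$WAIT_SECS"
    done
}

# Returns 0 only if the boot-time setting is already SPOTLIGHT=-NO-.
hostconfig_ok() {
    grep -q '^SPOTLIGHT=-NO-' "$HOSTCONFIG" 2>/dev/null
}

disable_spotlight() {
    hostconfig_ok || echo "warning: set SPOTLIGHT=-NO- in $HOSTCONFIG" >&2
    for vol in "$@"; do
        if [ ! -d "$vol" ]; then
            echo "skipping $vol: not a mounted directory" >&2
            continue
        fi
        retry mdutil -i off "$vol" || return 1   # stop indexing
        retry mdutil -E "$vol" || return 1       # erase the existing index
    done
    run killall mdimport || true                 # no importer running is fine
    for vol in "$@"; do
        [ -d "$vol" ] || continue
        # ${vol%/} avoids a double slash when the volume is "/"
        for leftover in "${vol%/}"/.Spotlight*; do
            if [ -e "$leftover" ]; then run rm -rf "$leftover"; fi
        done
    done
}

# Usage: DRY_RUN=0 sh disable-spotlight.sh / /myotherdrive
if [ "$#" -gt 0 ]; then disable_spotlight "$@"; fi
```

Run it once with the default DRY_RUN=1 to review the command list for your volumes before running it with DRY_RUN=0.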
More Articles by Anthony Lawrence - Find me on Google+