BORLOX

There's a serious security issue with this software that users should be aware of before they decide whether to install it. From the developer's site:

    Once you've installed SIMBL, you need to drop some bundles into the Plugins folder. (/Library/Application Support/SIMBL/Plugins) SIMBL scans this folder for bundles each time an application launches. It will check both the Local and User domain for this special folder. This means that it will check ~/Library/Application Support/SIMBL/Plugins before looking in /Library/Application Support/SIMBL/Plugins.

One of the few trojans to successfully exploit Mac OS X in the wild was called "Oompa-Loompa." It worked by installing an input manager in the home directory of any user who ran it. As a result, user-domain input managers were disabled in Leopard, and the permissions of the local Input Managers folder were changed so that root privileges were required to install anything into it.

SIMBL appears to re-open the security hole that was closed in Leopard. A trojan, only slightly different from the one described above, can install a SIMBL plugin in the user's home directory. Any application can then effectively be replaced by the trojan, even if the user is not a member of the admin group and doesn't have permission to modify the applications directly. You might think that because you're not running as an admin, applications such as Safari or Keychain Access are safe from unintended modification, but with SIMBL installed, you'd be wrong.

If you're going to use SIMBL, you should take steps to ensure that plugins can't be installed without your knowledge. How you do that is up to you, but if you don't have a strategy, you shouldn't be using it. The developer should, in my opinion, change the way SIMBL works so that it doesn't load plugins from the user domain. That would mitigate the danger.

(Version 0.9.6c)
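One concrete way to follow the post's advice and notice when a plugin appears in either SIMBL folder without your knowledge: an audit script that compares the bundles present in the user-domain and local-domain Plugins folders against a personal allowlist, and warns when the folder is writable by the current user (which is exactly what lets a trojan drop a bundle there). This is an added example, not code from SIMBL or its developer; the function name `audit_simbl_plugins`, the `~/.simbl-allowlist` file and its one-bundle-name-per-line format are assumptions. The two default paths are the ones the post quotes.

```shell
#!/bin/sh
# audit_simbl_plugins ALLOWLIST DIR...
#   ALLOWLIST: file with one expected bundle name per line (e.g. "Foo.bundle")
#   DIR...:    SIMBL plugin folders to inspect
# Prints "UNEXPECTED: <path>" for every *.bundle not on the allowlist and
# a WARN line (stderr) for every folder the current user can write to.
# Exit status: 0 if nothing unexpected was found, 1 otherwise.
audit_simbl_plugins() {
    allowlist=$1
    shift
    unexpected=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # A folder writable by this user can be populated by anything that
        # runs as this user, with no admin prompt involved.
        if [ -w "$dir" ]; then
            echo "WARN: $dir is writable by $(id -un); bundles here load into every app" >&2
        fi
        for bundle in "$dir"/*.bundle; do
            [ -e "$bundle" ] || continue          # glob matched nothing
            name=$(basename "$bundle")
            # -x: whole-line match, -F: literal (no regex surprises in names)
            if ! grep -qxF "$name" "$allowlist" 2>/dev/null; then
                echo "UNEXPECTED: $bundle"
                unexpected=1
            fi
        done
    done
    return $unexpected
}

# Usage: run with --run to audit the two folders named in the post against
# ~/.simbl-allowlist (assumed location; create it with the bundles you installed).
if [ "${1:-}" = "--run" ]; then
    audit_simbl_plugins "$HOME/.simbl-allowlist" \
        "$HOME/Library/Application Support/SIMBL/Plugins" \
        "/Library/Application Support/SIMBL/Plugins"
fi
```

Running this from a login item or a periodic job turns the "take steps" advice into a concrete check: any bundle that shows up in either folder without first being added to the allowlist is reported, and the WARN line reminds you that the user-domain folder needs no elevation to write to.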