#1
Moderator
Join Date: Jan 2002
Location: Singapore
Posts: 4,237
Critical vulnerability in Safari 1.2.1 (v125.1) and Internet Explorer 5.2
The Safari vulnerability advisory issued by security firm, Secunia, was updated on Tuesday to "Extremely Critical" from its previous "highly critical" level.
http://secunia.com/advisories/11622/
http://maccentral.macworld.com/news/...afariadvisory/
#2
Site Admin
Join Date: Dec 2001
Location: Minneapolis, MN
Posts: 3,988
Yeah, this has been true for a while; the two defenses I'm using against it are:
1) Disable the Safari 'feature' to auto-run "safe" files after downloading.
2) Redirect (using MoreInternet) the help:// protocol URL helper app to be something other than the Help application. Chess has been suggested as a pretty safe replacement.
Apple has been notified about this, and now that it's getting a lot of press something will be done; it's just a question of when it will be done. I'm sure they'd like to both close the hole and keep as much functionality in the Help system as they can.
edit - Rob has an article on the main page about this.
#3
Major Leaguer
Join Date: May 2002
Location: atl, ga, usa
Posts: 356
We should carry the discussion from the article to this forum
Having posted in that article's comments several times already, I see that the article's comments section is not the ideal place to discuss this issue, since questions, answers and challenges are adding to the list of comments -- I wish that the comments were functionally the same as these forums, but they're not.
We should try to encourage the posters to move their discussion to the forum, where we can take advantage of its notifications, if that's possible.
#4
Major Leaguer
Join Date: May 2002
Location: atl, ga, usa
Posts: 356
Using Stickies as your substitute for Help Viewer
Instead of Chess or TextEdit, someone in the article comments proposed Stickies.
At first, I saw a problem: I couldn't ensure that the right Sticky note would come to the front [my tests brought some, but not all, notes to the front, and not my new warning note]. Then I remembered I could set a Sticky note to be Floating. That seems to resolve it. Now, thanks to MoreInternet, calls to the Help Viewer will invoke Stickies, and my big warning note will be in front, with or without the others.
#5
Site Admin
Join Date: Dec 2001
Location: Minneapolis, MN
Posts: 3,988
OK, I added a pointer out in the comments on the main site back to this thread.
#6
Major Leaguer
Join Date: Oct 2003
Location: UK
Posts: 306
A lot of attention has been given to this regarding the default admin account OS X creates; I just wanted to add that a script running on a standard user account can still delete (rm) all of that user's files with no authorisation whatsoever (obvious, but needed saying).
Because of this and the other Trojan issue, which could easily be tweaked to actually display the picture or play the track it is pretending to be in the relevant applications (Preview & iTunes, whatever), and the integration that AppleScript and the terminal provide, I'm moving all my users to standard accounts, making sure every one of them has bullet-proof backups in place, and in some cases setting up an 'internet' user accessible from FUS, because in my experience all data is priceless and nothing sucks like losing it.
Some of you will probably think this is excessive, especially so when Apple releases a fix (hopefully) shortly; however, I believe the blood is in the water now, and if holes like these two exist there are many more to come. Odds are that sooner or later un-checking "Open safe files after downloading", or its later equivalent, will be bolting the door after the Trojan horse has trashed your home.
dD
#7
MVP
Join Date: Dec 2001
Location: Portland, OR
Posts: 1,472
Ideally, I'd love it if I could have Geeklog run the main page, and have all discussion routed to the vBulletin-based forums. Perhaps I can, someday, but it will take some serious code jockeying that I'll have to hire out to get done -- which means I need both money and time, and more money in the future to pay to have things fixed when future upgrades to either Geeklog or vBulletin need to be implemented onto my now-custom setup. The other option is to somehow make vBulletin create the main macosxhints page itself, and I'm looking into that as my summer project...
-rob.
#8
Triple-A Player
Join Date: May 2004
Posts: 66
An example for the far less serious telnet/ssh exploit would be the following URL:
telnet://-n%2ftmp%2ftestfile
This creates a new file in /tmp called testfile and would overwrite an existing file with the same name in the same location. Information about this (in German) can be found here: http://www.heise.de/newsticker/meldung/47324
#9
Prospect
Join Date: Jan 2002
Location: Eugene
Posts: 25
Or use RCDefaultApp and select "<disable>" for the URL scheme to associate it with a DoNothing app.
#10
Prospect
Join Date: May 2004
Posts: 5
Actually, that's far worse. With a single click you could erase any file the user can write to. That would be anything in their home directory, and if they're an administrator, most of the applications.
This is getting worse and worse.
#11
Triple-A Player
Join Date: May 2004
Posts: 66
This was originally reported for Opera (pre 7.5) on Windows and has also been confirmed for Opera on Linux (and for most browsers on the Mac). The obvious solution is to set the helper application for telnet (and ssh) to something harmless, e.g. Chess. I called it less serious since it can only delete files whose names and paths are known to the 'attacker', which excludes almost all personal files.
#12
Prospect
Join Date: May 2004
Posts: 5
Still, if left untouched, this hole can probably be used to undo most of the fixes to all the other holes. If the right prefs file was erased, it would probably reset all protocol helper changes. The only good fix seems to be this:
http://www.unsanity.com/haxies/pa/
Once that's installed, you just have to use your discretion to decide whether you want to open certain URLs or not.
#13
Major Leaguer
Join Date: Oct 2003
Location: UK
Posts: 306
Installing RCDefaultApp and setting the disk and help URL helpers to disable seems to work; I would advise against installing APE if it can be avoided.
dD
#14
Site Admin
Join Date: Dec 2001
Location: Minneapolis, MN
Posts: 3,988
The method described in the previous couple of posts uses telnet:// and not help:// or disk://, and does its thing even if telnetd is not running.
So unless you plan to change many protocols to point to an innocuous app, something like the Unsanity program, which asks what to do, may indeed be your best bet, APE or not.
This suggests the kind of fix I'd like to see from Apple: the return of the Internet prefpane to associate protocols with helpers, and a little checkbox next to each that says "Ask first before executing URLs of this type", or something to that effect. This seems to be a general class of exploits, and needs to be addressed in a general way, rather than stomping on each particular case as it arises.
#15
Prospect
Join Date: Apr 2002
Location: London, UK
Posts: 18
This goes much further than Help Viewer
I already posted this in the comments, but it's worth repeating, I think. Discussion over at the MacNN forums has revealed this to be far, far, far more serious than previously thought. You can read a good summary here.
It would seem that Paranoid Android is currently the only full solution. Basically, it seems that LaunchServices will add any visible app's new URL scheme to its cache and launch that app when prompted by a web browser. That app can then do whatever the logged-in user can, i.e. wipe home directories. Paranoid Android asks for confirmation when anything other than http, mailto or ftp is called. Spread the word, and it won't hurt to flood Apple with mail on this either.
biscuit
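A policy check of the kind posts #14 and #15 describe (prompt for any scheme other than http, mailto or ftp, and refuse a target that decodes to a command-line option, the pattern in the telnet:// link from post #8), written as an added example that is not from this thread, from Paranoid Android or from RCDefaultApp; the sample links are constructed, and adding https to the allow list is an assumption.

```python
from urllib.parse import urlsplit, unquote

# Schemes that stay inside the browser. The thread names http, mailto and
# ftp as the ones Paranoid Android lets through; https is assumed here.
BROWSER_SCHEMES = {"http", "https", "mailto", "ftp"}


def classify_url(url: str) -> dict:
    """Decide what an 'ask before launching a helper' policy does with url.

    Returns the scheme, the percent-decoded target the helper application
    would receive, and an action: allow, prompt or block.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    # Decode once, the way the helper sees its argument, so %2f becomes /
    target = unquote(parts.netloc + parts.path)
    verdict = {"scheme": scheme, "target": target,
               "action": "allow", "reason": "ordinary browser URL"}

    if not scheme:
        verdict.update(action="block", reason="no URL scheme")
    elif target.startswith("-"):
        # After decoding, a leading dash is an option flag for the helper
        # (the telnet://-n... shape), not a host name to connect to.
        verdict.update(action="block",
                       reason="decoded target looks like a command-line option")
    elif scheme not in BROWSER_SCHEMES:
        # Anything else is handed to whatever app LaunchServices registered.
        verdict.update(action="prompt",
                       reason="scheme is dispatched to a helper application")
    return verdict


def audit(urls):
    """Run the policy over a batch of URLs and return {url: action}."""
    return {u: classify_url(u)["action"] for u in urls}


if __name__ == "__main__":
    # Constructed sample links; the telnet one is the form quoted in post #8.
    SAMPLE = [
        "http://example.com/page.html",
        "mailto:someone@example.com",
        "telnet://-n%2ftmp%2ftestfile",
        "help://example-locator",
        "disk://example",
    ]
    for link, action in audit(SAMPLE).items():
        print(f"{action:6s} {link}")
```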
#16
Prospect
Join Date: Sep 2003
Posts: 2
Except for those of us who have yet to upgrade to Panther, and yet are still vulnerable to this exploit. I agree with the suggestion to use RCDefaultApp, and at the same time, disable Help's ability to run AppleScripts, since it's of no use anyway.
#17
Prospect
Join Date: Apr 2002
Location: London, UK
Posts: 18
I think the author of Paranoid Android is going to release a 10.2-compatible version soon; keep an eye on their site.
biscuit |
#18
Moderator
Join Date: Jan 2002
Location: Singapore
Posts: 4,237
It looks as though Paranoid Android is certainly the way to go...
#19
Major Leaguer
Join Date: Oct 2003
Location: UK
Posts: 306
Of course the telnet thing does not work either if you disable telnet in the RCDefaultApp prefs.
So the three to disable are: disk, help and telnet, which takes about 20 seconds and is easily reversed. See how long it takes to uninstall APE after Apple releases a fix.
dD
Last edited by darndog; 05-21-2004 at 02:26 PM.
#20
Major Leaguer
Join Date: May 2002
Location: atl, ga, usa
Posts: 356
Nothing that relies on user discretion is suitable for my needs, nor do I care to have APE just to use ParanoidAndroid. A post in the comments to the article about this at the main site explains clearly and simply why RCDefaultApp exceeds MoreInternet or MisFox as a solution to this particular problem, and I'm convinced [I made the main points bold]:
I hope this helps, and I very much hope that this is the last solution any of us need to worry about until Apple addresses the issue properly in an update.