05-20-2004, 06:14 AM   #1
sao
Moderator
 
Critical vulnerability in Safari 1.2.1 (v125.1) and Internet Explorer 5.2

The Safari vulnerability advisory issued by security firm Secunia was updated on Tuesday to "Extremely Critical" from its previous "highly critical" level.

http://secunia.com/advisories/11622/
http://maccentral.macworld.com/news/...afariadvisory/
05-20-2004, 07:31 AM   #2
Craig R. Arko
Site Admin
 
Yeah, this has been true for a while; the two defenses I'm using against it are:

1) Disable the Safari 'feature' to auto-run "safe" files after downloading.

2) Redirect (using MoreInternet) the help:// protocol URL helper app to be something other than the Help application. Chess has been suggested as a pretty safe replacement.

Apple has been notified about this, and now that it's getting a lot of press, something will be done; it's just a question of when. I'm sure they'd like to both close the hole and keep as much functionality in the Help system as they can.


edit - Rob has an article on the main page about this.
05-20-2004, 11:45 AM   #3
osxpounder
Major Leaguer
 
We should carry the discussion from the article to this forum

Having posted in that article's comments several times already, I see that the article's comments section is not the ideal place to discuss this issue, since questions, answers and challenges are adding to the list of comments -- I wish that the comments were functionally the same as these forums, but they're not.

We should try to encourage the posters to move their discussion to the forum, where we can take advantage of its notifications, if that's possible.
05-20-2004, 11:51 AM   #4
osxpounder
Major Leaguer
 
Using Stickies as your substitute for Help Viewer

Instead of Chess or TextEdit, someone in the article comments proposed Stickies.

At first, I saw a problem: I couldn't ensure that the right Sticky note would come to the front [my tests brought some, but not all, notes to the front, and not my new warning note].

Then I remembered I could set a Sticky note to be Floating.

That seems to resolve it. Now, thanks to MoreInternet, calls to the Help Viewer will invoke Stickies, and my big warning note will be in front, with or without the others.
05-20-2004, 12:47 PM   #5
Craig R. Arko
Site Admin
 
OK, I added a pointer out in the comments on the main site back to this thread.
05-20-2004, 12:50 PM   #6
darndog
Major Leaguer
 
A lot of attention has been given to this regarding the default admin account OS X creates. I just wanted to add that a script running on a standard user account can still delete (rm) all of that user's files with no authorisation whatsoever (obvious, but it needed saying).

Because of this, and the other Trojan issue (which could easily be tweaked to actually display the picture or play the track it is pretending to be in the relevant applications, Preview & iTunes, whatever), and the integration that AppleScript and the terminal provide, I'm moving all my users to standard accounts, making sure every one of them has bullet-proof backups in place, and in some cases setting up an 'internet' user accessible from FUS, because in my experience all data is priceless and nothing sucks like losing it.

Some of you will probably think this is excessive, especially so when Apple releases a fix (hopefully) shortly, however I believe the blood is in the water now, and if holes like these two exist there are many more to come. Odds are that sooner or later un-checking "Open safe files after downloading" or its later equivalent, will be bolting the door after the Trojan horse has trashed your home. dD
05-20-2004, 02:07 PM   #7
griffman
MVP
 
Quote:
Originally Posted by osxpounder
We should try to encourage the posters to move their discussion to the forum, where we can take advantage of its notifications, if that's possible.

Ideally, I'd love it if I could have Geeklog run the main page, and have all discussion routed to the vBulletin-based forums. Perhaps I can, someday, but it will take some serious code jockeying that I'll have to hire out to get done -- which means I need both money and time, and more money in the future to pay to have things fixed when future upgrades to either Geeklog or vBulletin need to be implemented onto my now-custom setup.

The other option is to somehow make vBulletin create the main macosxhints' page itself, and I'm looking into that as my summer project...

-rob.
05-20-2004, 02:12 PM   #8
manu chao
Triple-A Player
 
An example for the far less serious telnet/ssh exploit would be the following URL:
telnet://-n%2ftmp%2ftestfile

This creates a new file in /tmp called testfile and would overwrite an existing file with the same name in the same location.

Information about this (in German) can be found here:
http://www.heise.de/newsticker/meldung/47324
05-20-2004, 05:39 PM   #9
sjk
Prospect
 
Quote:
Originally Posted by osxpounder
Instead of Chess or TextEdit, someone in the article comments proposed Stickies.

Or use RCDefaultApp and select "<disable>" for the URL scheme to associate it with a DoNothing app.
05-20-2004, 06:48 PM   #10
Spades
Prospect
 
Actually, that's far worse. With a single click you could erase any file the user can write to. That would be anything in their home directory, and if they're an administrator, most of the applications.

This is getting worse and worse.

Quote:
Originally Posted by manu chao
An example for the far less serious telnet/ssh exploit would be the following URL:
telnet://-n%2ftmp%2ftestfile

This creates a new file in /tmp called testfile and would overwrite an existing file with the same name in the same location.

Information about this (in German) can be found here:
http://www.heise.de/newsticker/meldung/47324

05-20-2004, 07:37 PM   #11
manu chao
Triple-A Player
 
Quote:
Originally Posted by Spades
Actually, that's far worse. With a single click you could erase any file the user can write to. That would be anything in their home directory, and if they're an administrator, most of the applications.

This is getting worse and worse.

This was originally reported for Opera (pre 7.5) on Windows and has also been confirmed for Opera on Linux (and for most browsers on the Mac).

The obvious solution is to set the helper application for telnet (and ssh) to something harmless, e.g. Chess.

I called it less serious since it can only delete files whose names and paths are known to the 'attacker', which excludes almost all personal files.
05-20-2004, 10:22 PM   #12
Spades
Prospect
 
Still, if left untouched, this hole can probably be used to undo most of the fixes to all the other holes. If the right prefs file was erased, it would probably reset all protocol helper changes. The only good fix seems to be this:

http://www.unsanity.com/haxies/pa/

Once that's installed, you just have to use your discretion to decide whether you want to open certain URLs or not.
05-21-2004, 07:04 AM   #13
darndog
Major Leaguer
 
Installing RCDefaultApp and setting the disk and help URL helpers to disable seems to work; I would advise against installing APE if it can be avoided. dD
05-21-2004, 07:34 AM   #14
Craig R. Arko
Site Admin
 
The method described in the previous couple of posts uses telnet:// and not help:// or disk://, and does its thing even if telnetd is not running.

So unless you plan to change many protocols to point to an innocuous app, something like the Unsanity program, which asks what to do, may indeed be your best bet, APE or not.

This suggests the kind of fix I'd like to see from Apple: the return of the Internet prefpane to associate protocols with helpers, and a little checkbox next to each that says "Ask first before executing URLs of this type", or something to that effect.

This seems to be a general class of exploits, and needs to be addressed in a general way, rather than stomping on each particular case as it arises.
05-21-2004, 08:18 AM   #15
biscuit
Prospect
 
This goes much further than Help Viewer

I already posted this in the comments, but it's worth repeating, I think. Discussion over at the MacNN forums has revealed this to be far, far, far more serious than previously thought. You can read a good summary here.

It would seem that Paranoid Android is currently the only full solution. Basically, it seems that LaunchServices will add any visible app's new URL scheme to its cache and launch that app when prompted by a web browser. That app can then do whatever the logged-in user can, i.e. wipe home directories. Paranoid Android asks for confirmation when anything other than http, mailto or ftp is called.

Spread the word, and it won't hurt to flood Apple with mail on this either.

biscuit
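Added example, not code from the thread or any of its posters: a small defender-side Python check that encodes the two behaviours discussed above, Paranoid Android's rule of asking before anything other than http, mailto or ftp is handed to a helper (biscuit's post), and manu chao's telnet://-n%2ftmp%2ftestfile case, where the percent-encoded host decodes to a command-line option rather than a hostname. The verdict labels, the sample hostnames and the idea of blocking option-shaped authorities outright are assumptions made for the example.

```python
# Added example, not from the thread: a URL-handler policy check modelled on
# Paranoid Android's allow list (prompt for anything other than http, mailto,
# ftp) plus a check for the telnet://-n%2ftmp%2ftestfile pattern, where the
# decoded host is really a command-line option for the helper application.
from urllib.parse import urlsplit, unquote

# Schemes the thread says Paranoid Android passes through without asking.
ALLOWED_SCHEMES = {"http", "mailto", "ftp"}


def classify_url(url):
    """Decide what to do with a URL before it is handed to a scheme helper.

    Returns (verdict, reason); verdict is 'allow', 'prompt' or 'block'.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme:
        return "block", "no URL scheme"
    # The helper sees the decoded authority, so decode before inspecting it.
    # '-n%2ftmp%2ftestfile' decodes to '-n/tmp/testfile', which telnet would
    # read as its -n option plus a filename, not as a host to connect to.
    authority = unquote(parts.netloc)
    if authority.startswith("-"):
        return "block", f"authority decodes to a command-line option: {authority!r}"
    if scheme in ALLOWED_SCHEMES:
        return "allow", f"{scheme}: is on the allow list"
    return "prompt", f"{scheme}: is not on the allow list; ask before launching its helper"


def apply_policy(urls):
    """Run classify_url over a batch and return {url: verdict}."""
    return {url: classify_url(url)[0] for url in urls}


# Constructed sample input: the telnet URL quoted in the thread, the help: and
# disk: schemes the posts discuss (hostnames here are made up), and plain links.
SAMPLE_URLS = [
    "http://www.example.com/",
    "mailto:someone@example.com",
    "ftp://ftp.example.com/pub/",
    "help://example",                # Help Viewer helper -> prompt
    "disk://example",                # Launch Services-registered helper -> prompt
    "telnet://-n%2ftmp%2ftestfile",  # the thread's telnet example -> block
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        verdict, reason = classify_url(sample)
        print(f"{verdict:6} {sample:32} {reason}")
```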
05-21-2004, 08:36 AM   #16
makeinu
Prospect
 
Quote:
Originally Posted by biscuit
I already posted this in the comments, but it's worth repeating, I think. Discussion over at the MacNN forums has revealed this to be far, far, far more serious than previously thought. You can read a good summary here.

It would seem that Paranoid Android is currently the only full solution. Basically, it seems that LaunchServices will add any visible app's new URL scheme to its cache and launch that app when prompted by a web browser. That app can then do whatever the logged-in user can, i.e. wipe home directories. Paranoid Android asks for confirmation when anything other than http, mailto or ftp is called.

Spread the word, and it won't hurt to flood Apple with mail on this either.

biscuit

Except for those of us who have yet to upgrade to Panther, and yet are still vulnerable to this exploit.

I agree with the suggestion to use RCDefaultApp, and at the same time, disable Help's ability to run AppleScripts, since it's of no use anyway.
05-21-2004, 08:43 AM   #17
biscuit
Prospect
 
I think the author of Paranoid Android is going to release a 10.2-compatible version soon; keep an eye on their site.

biscuit
05-21-2004, 10:53 AM   #18
sao
Moderator
 
It looks as though Paranoid Android is certainly the way to go...
05-21-2004, 02:21 PM   #19
darndog
Major Leaguer
 
Of course the telnet thing does not work either if you disable telnet in the RCDefaultApp prefs.

So the three to disable are: disk, help and telnet, which takes about 20 seconds and is easily reversed.
See how long it takes to uninstall APE after Apple releases a fix. dD

Last edited by darndog; 05-21-2004 at 02:26 PM.
05-21-2004, 03:13 PM   #20
osxpounder
Major Leaguer
 
I agree that RCDefaultApp appears to be the best solution

Quote:
Originally Posted by darndog
Installing RCDefaultApp and setting the disk and help URL helpers to disable seems to work; I would advise against installing APE if it can be avoided. dD

Nothing that relies on user discretion is suitable for my needs, nor do I care to have APE just to use ParanoidAndroid. A post in the comments to the article about this at the main site explains clearly and simply why RCDefaultApp exceeds MoreInternet or MisFox as a solution to this particular problem, and I'm convinced [I made the main points bold]:


Quote:
How to avoid the new 'Help' URL handler vulnerability

Authored by: SimonDorfman.com on Fri, May 21 '04 at 02:05AM

I prefer the fix described here: http://daringfireball.net/2004/05/unsafe_uri_handlers
It uses RCDefaultApp instead of MisFox or More Internet with good reason:
MisFox and More Internet are similar utilities to RCDefaultApp, and are also both free, but there is an important difference. MisFox and More Internet both only show URI protocols registered through the Internet Config system; RCDefaultApp also shows protocols registered directly through Launch Services.
...snip...
The ‘disk:’ and ‘disks:’ protocols are registered directly in Launch Services, which means they aren’t displayed in MisFox or More Internet. I.e., RCDefaultApp shows all the protocol handlers registered on your system; MisFox and More Internet only display the protocols that are registered through Internet Config. Plus, version 1.1 of RCDefaultApp, released earlier this week, introduced the feature that allows you to assign a protocol to “disabled”. This is a more elegant solution than assigning these protocols to dummy applications, such as Mac OS X’s Chess game.

I hope this helps, and I very much hope that this is the last solution any of us need to worry about until Apple addresses the issue properly in an update.