Domain: geekspiff.com
Stories and comments across the archive that link to geekspiff.com.
Comments · 13
-
Re:URL Handler Exploits appear to be fixed...
On my 'virgin' 10.3.3 machine unchecking "Open Safe files after downloading" in Safari preferences stops at least this exploit. No matter what it mounts the image, but with "Open Safe files after downloading" unchecked it will not run the script that is in the image.
-
Re:URL Handler Exploits appear to be fixed...
This exploit and this exploit still work under OS 10.3.4. I do not have any 3rd party security software, I did uncheck the open safe files after downloading checkbox in Safari preferences.
-
Re:URL Handler Exploits appear to be fixed...
Nope, at least this one still works for me...
-
URL Handler Exploits appear to be fixed...Well, rebooted just fine. No issues yet. Browsing and E-mail working well, grabbed my home Wireless 802.11b/g with WPA just fine, if anything, reception is LESS flaky now (fewer dropouts seen on AP Grapher and fewer random loss of connectivity).
Doesn't seem any slower or faster.
Most importantly, it looks like some of the URI handler problems/security holes are now patched as well. I had uninstalled the "Paranoid Android" Haxie before the update (to make sure there weren't any install issues) so it was no longer running.
It looks like none of these exploits seem to work any more after the 10.3.4 update.
Nice work,
DaveC
-
Exploit doesn't work for me
Running 10.2.8 (updated as of yesterday's fix from Apple) I can't get the
.dmg file to even download when clicking on the example exploit. I get the following error message:"osxMalware.dmg" failed to mount due to error 2. (No such file or directory)
Did Apple's fix take care of this or is the exploit no longer available? -
Much Ado About Not Much...I think this is mainly a PR stunt.
<quote>
Sample ExploitIve written a sample exploit that delivers and executes its payload without user intervention and operates by registering its own URL scheme handler. Until Paranoid Android, there was no way of protecting against this attack, which freaked me out enough to write Paranoid Android.:)
If you click the sample exploit link below, heres what will happen:
- A disk image named MalwareDiskImage will be mounted on your desktop.
- LaunchServices will read the Info.plist file of the application in this disk image automatically, and register the application as the default handler for URLs with a 'malware' scheme.
- The webpage will wait 10 seconds, and then redirect to malware:unused, causing LaunchServices to launch the payload application within the disk image.
- The application within the disk image will write a text file to the users home directory called owned.txt explaining that the machine has been exploited, will present an alert to the user, and will eject the disk image.
Because this sample exploit registers its own URL scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the 'help' URL scheme would protect against it. At this time, only Paranoid Android provides protection from it.
benign sample exploit -->innocousPage.html
Portions of this sample exploit are based heavily on a prior sample exploit at insecure.ws Conclusions
Until Apple fixes this vulnerability, you should install Paranoid Android and surf safely.
Copyright Jason Harris, 2004, All Rights Reserved
</quote>
I'm using 10.3.3 and when I click on the sample exploit URI, nothing happens -- nothing. I've tried this thing 10+ times, scoured my HD for "owned.txt" and can find nothing. Of course, I installed the RCDefaultApp PreferencePane a couple of days ago and had already followed the suggestions posted by John Gruber on http://daringfireball.net but since Paranoid Android is the ONLY thing that can protect against this exploit, I'm at a loss as to explain why my machines aren't affected. -
Paranoid Android not good for my mom
Paranoid Android does not "protect" against anything, it just lets the user decide which URL schemes he wants to allow and which he doesn't, on a case by case basis. But not everyone is an IT professional and knows by heart which protocols are good and which are evil. My mom doesn't. So, is there a workaround that doesn't involve P.A.? I think so.
I can see three different (but related) issues here:- The "new and unknown URL scheme" issue exploited by malicious applications in downloaded and mounted disk images. Avoid this by not allowing disk images to be mounted automatically. You have to disable "Open Safe Files" (to avoid mounting disk images downloaded over http) and the disk: and disks: protocols. Having to mount all disk images by hand requires a decision from your side and gives you time to think about what you are doing.
- The "help://runscript" issue caused by the Help Viewer accepting arbitrary commands. Disable the help: protocol, who needs it anyway?
- The "telnet://-nfoo" issue caused by telnet's ability to overwrite existing files. Disable telnet:, ssh exists.
To disable the protocols I used RCDefaultApp which is a neat (and missing) preference pane anyway.
With the steps above taken and P.A. installed I opened the sample exploit by the P.A. author (also linked from his white paper if you're paranoid which would seem normal under this circumstances). P.A. nicely asked me for permission, first for disk: and then for malware:. I granted both permissions, but since I had disabled the disk: protocol the image was never mounted and nothing happened.
Now, installing an additional prefPane and disabling individual protocols is not exactly an easy one-click workaround for my mom, but it would be possible to guide her through the process on the phone, and after that she would leave me alone ... until the next flaw is found.
But then again, I still have some hope in Apple releasing a Security Update which is more convincing than the one they just released. With flaws that serious, I expect a bit more than just the replacement of one application which is obviously only part of the problem. -
Re:Closed source - who cares
There is an alternative, sort of. It's called XTender, and its public beta was incredibly unimpressive. The day after XTender went public an update was made to ShapeShifter, and everyone again realized how good it was.
Also, ShapeShifter has cost money since its inception. No underhanded tactics there... although it did have the big themers involved in its creation to do the things that they wanted to do. The same guy develops the theme changing and theme creating software, and he is very approachable in regards to feature requests and bug reports. ShapeShifter is technically under the Unsanity umbrella, but Jason Harris makes both. ThemePark (to create themes) also allows exporting to many other non-guikit formats, including the format native to ShapeShifter's competitor (XTheme), and the format supported by Open Source alternatives such as ThemeChanger.
All ShapeShifter guikits can be extracted into images and a Extras.rsrc file using Guikitty. They can't be directly used by another application, so in a sense it is closed and proprietary, but the above mentioned XTender was able to automatically load ShapeShifter guikits if you had Guikitty installed.
Another big point is that a lot of themes use ShapeShifter because it has features that go above and beyond what is capable with any other theme changer, even in terms of things as simple as changing text colors.
Competition is always good, don't get me wrong. But there isn't a whole lot to complain about with ShapeShifter, and any competition it has had has been crushed despite the higher price tag because of ease of use, features, and theme-changing safety (it doesn't modify any system files, or even attempt to overlay those owned by root).
And finally, theres nothing preventing the winning theme from being released in the DLTA (aka Open Source friendly) format as well, the only restriction would be if the theme requires features that are only available in ShapeShifter.
Alright, I think that about makes the case...
-
Re:Two simple changes to improve the dock
UI in general is based on display PDF, so parts of it could very well be vector based (fonts, of course.) but the icons are not.
Suprisingly none of the MacOS X GUI is vector based, fonts indeed being about the only exception.All of the lovely chrome is bitmapped, something that shocked lots of folks when it first shipped and continues to puzzle everyone. To this day whenever someone replaces the default GUI elements with the alternate charcoal versions or a third party package it's all hardcoped fixed-size bitmaps.
For a walkthrough of 'em, and how to create your own GUI theme for MacOS X check out ThemePark.
-
Here's two resources...
Hope they help:
ResExcellence Themes
Theme Park Tutorial
What does this mean? Make your own. While I'm not familiar with the creation process for other windowing systems (like you mentioned) I do know that you can probably make your own theme to specifications you desire. Those links are where I would start; perhaps there's something there that you can modify or a theme that fits the bill without changes.
Good luck! -
Re:Goodbye "Not Invented Here" daysSure...Apple doesn't publish anything else but a gray version of aqua. They're proud of their interface and want everyone to use it. So what? You can download/create your own themes if you'd like.
Check out the 3rd-party utilities and web sites to get what you'd like:
- ThemePark : Theme design utility
- Duality : A theme changing and checking utility
- Catalyst : A theme creation utility (recommended for use with ThemePark)
- MetamorphX : Another theme switching utility
- ThemePark : Theme design utility
- ResExcellence Themes page : Get your OS X appearance themes here
-
Re:Goodbye "Not Invented Here" daysSure...Apple doesn't publish anything else but a gray version of aqua. They're proud of their interface and want everyone to use it. So what? You can download/create your own themes if you'd like.
Check out the 3rd-party utilities and web sites to get what you'd like:
- ThemePark : Theme design utility
- Duality : A theme changing and checking utility
- Catalyst : A theme creation utility (recommended for use with ThemePark)
- MetamorphX : Another theme switching utility
- ThemePark : Theme design utility
- ResExcellence Themes page : Get your OS X appearance themes here
-
Not closed to tweaking.
This article is all fluff. You've got the one guy who wrote kaleidoscope complaining that the UI now has closed API's. In fact, if a user wanted to change their interface, the pxm resources can be easily edited with resources available.
Not only this, there are several themes available.
The complaint here is that although Darwin is open source, (with most of the core components of the OS), the window server is not. Being a UNIX system, however, you can make a new one if you cared to. Simply running strings from the command line can pull most API functions out of a binary, so emulating them would be a tast, but not an impossible one.
From the beginning, Apple has discouraged used from using elements in the Aqua theme file (extras.rsrc) which are copyrighted by them. However, a full replacement of that resource file that contains no Apple IP can't be pulled by Apple.
Please don't listen to this argument that the OS is closed to tweakers. It's different now to tweak things, but you certainly can.
See? A Titanium theme, a Rhodium theme, a Gunther theme, a Totally Aqua theme.
Hey, even a tool to make them.
Quit complaining.