Domain: rubicode.com
Stories and comments across the archive that link to rubicode.com.
Comments · 6
-
That's how it used to be
The settings for default browser, mail app, and perhaps chat app were all found in a prefpane prior to 10.3(?). Personally I agree that the settings should at least also be available in a prefpane, but word on the street is that when they surveyed users, about half of people wanted them in a prefpane, and the other half thought they should be in the apps themselves.
I recommend RCDefaultApp if you want a prefpane with similar (and more!) functionality.
-
Re:Well written, but
You were saying? There's this, and then Firefox does ask if it should become the default browser. Why would I want to set the default away from Firefox, if I deleted Safari after insttalling it?
Rubicode - RCDefaultApp
Though I do think that WAS a hairbrained decision. -
Re:PDF workaround and solution
For now, Schubert|it's PDF Browser plugin seems to be the best workaround.
I'm not clear why a "workaround" is needed here, given what you've pointed out. Is there a danger in having Acrobat (reader) automatically open a PDF? Also, the last time I tried this plugin it was pretty good, but didn't handle enough of the PDF spec for me to want to use it.
The solution would be a "WebServices" counterpart to "LaunchServices", for handlers of "Unsafe Files"
I use a System Preferences plugin called "RCDefaultApp" (http://www.rubicode.com/Software/RCDefaultApp/) that lets you make arbitrary associations between file types and applications. Is that what you mean?
-
Re:ALL exploits still work under 10.3.4
RCDefaultApp is a simpler way to take care of this. It installs as a Preference Pane, and lets you assign default handlers to (or unassociate completely) the various protocols like afp:, disk:, etc.
As a bonus you can use it to change your default browser without first having to launch Safari. :-) -
Paranoid Android not good for my mom
Paranoid Android does not "protect" against anything, it just lets the user decide which URL schemes he wants to allow and which he doesn't, on a case by case basis. But not everyone is an IT professional and knows by heart which protocols are good and which are evil. My mom doesn't. So, is there a workaround that doesn't involve P.A.? I think so.
I can see three different (but related) issues here:- The "new and unknown URL scheme" issue exploited by malicious applications in downloaded and mounted disk images. Avoid this by not allowing disk images to be mounted automatically. You have to disable "Open Safe Files" (to avoid mounting disk images downloaded over http) and the disk: and disks: protocols. Having to mount all disk images by hand requires a decision from your side and gives you time to think about what you are doing.
- The "help://runscript" issue caused by the Help Viewer accepting arbitrary commands. Disable the help: protocol, who needs it anyway?
- The "telnet://-nfoo" issue caused by telnet's ability to overwrite existing files. Disable telnet:, ssh exists.
To disable the protocols I used RCDefaultApp which is a neat (and missing) preference pane anyway.
With the steps above taken and P.A. installed I opened the sample exploit by the P.A. author (also linked from his white paper if you're paranoid which would seem normal under this circumstances). P.A. nicely asked me for permission, first for disk: and then for malware:. I granted both permissions, but since I had disabled the disk: protocol the image was never mounted and nothing happened.
Now, installing an additional prefPane and disabling individual protocols is not exactly an easy one-click workaround for my mom, but it would be possible to guide her through the process on the phone, and after that she would leave me alone ... until the next flaw is found.
But then again, I still have some hope in Apple releasing a Security Update which is more convincing than the one they just released. With flaws that serious, I expect a bit more than just the replacement of one application which is obviously only part of the problem. -
Re:software update
Other issues... I ran the Security Update, and then tried Unsanity's example. it didn't work. So, it looks like that particular vulnerability is fixed by the Security Update. The problem can be fixed with RCDefault quite easily, as well. Also, note that this vulnerability does not work from within the Opera 7.5 browser.