Yet Another Mac OS X Protocol Handler Exploit
Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.
What'd they do, hire the security team away from Microsoft?
First, there is all this talk of switching to Linux.
And now even the virus writers are starting to pay attention to something else besides windows.
Finally the end is near.
Goodbye Billy...
On the other hand, I do use Mac OS X.
D'Oh...
I love my Apple computers and I adore OS X.
That said, I'm immensely relieved the floodgates to OS X exploitation have finally been thrown open.
Allow me to explain.
Too long Apple users have gloated (senselessly) that OS X is somehow more secure than Windows. This collective delusion has lulled everyone into a false sense of security. Being one of the few who bothers to "secure" his OS X installation, I am often jeered at for being paranoid - unnecessarily so, according to my detractors.
But the truth is that no software system is perfect. This is the wake-up call for Apple and its users to realise they need to watch out too. I relish this because taking action *now* to purge OS X of its deficiencies will prevent the pitiful scene common to Windows users. I don't want OS X exploited on a daily basis as happens with Windows. I want OS X to be secure!
There will be much displeasure in the short-term, but that which does not kill us only makes us stronger.
When I tried to run the proof-of-concept (linked to in the Paranoid Android whitepaper on the exploit at unsanity.com/haxies/pa/whitepaper) using Mozilla 1.7b, DiskCopy gave the error "osxMalware.dmg" failed to mount due to error 2. (No such file or directory) and Mozilla gave the error "malware is not a registered protocol". Maybe it's a Safari-only 'sploit?
Seriously though, once Linux becomes a real choice for average desktop users we'll be seeing Linux exploits as well.
Stop the world; I need to get off.
I'm not the only one who's thought of this when I first started using a Mac?
how many times have you downloaded something from Safari, to have it automount, and even run the installer?
I'm a big retard who forgot to log out of Slashdot on Mike's computer! LOOK AT ME.
Fire up MisFox again and update the help protocol helper to /System/Library/CoreServices/Help Viewer.app
If you disagree then it must be overrated, redundant or trolling.
This issue was discovered on the MacNN forum, when they were discussing the previous exploit. The accepted workaround was downloading one of the utilities to change the protocol helpers, but the user kampl refused to have any non-Apple "security fix" on his system (he never acknowledged that the utilities were not security fixes at all, just tools to change user preferences). His solution was to delete the HelpViewer app from his system. One bright member of the forum pointed out that that isn't enough: you could probably just stick the HelpViewer on the .dmg image and LaunchServices would find it there. Another poster realized this might work for any application if you bind it to a bogus protocol in the Info.plist file, so there is no need for HelpViewer at all. A third poster had a sample exploit coded in no time. Apple was promptly notified, so we can expect another fix soon (hopefully).
To continue using Safari safely, just uncheck 'Open 'safe' files after downloading.' - which prevents the automagic mounting of disk images you download. No one should be using that option.
Informatus Technologicus
I'd clap, but this is the internet.
Paranoid Android is for 10.3 only. Xcode comes with the ability to 'back-compile' to 10.1.5 and 10.2.7. Offering the other images, or one image that works on all, should be no bother. Offering only 10.3 is weak - very weak.
This is really the same exploit, with the same solution.
1) Disable automount of downloaded files in Safari.
2) Install the security update
3) Disable telnet: disk: and disks: protocols
That's it. No web page can exploit this arbitrary protocol problem if you do step 1 above. Step 2 fixes the help: issue, and step 3 fixes all other known issues.
Why does this warrant 4 stories in 4 days? Are all the Windows weenies just that thrilled that there is an exploit on OSX?
- Vincit qui patitur.
But what they're saying is that if I mount a Trojan Horse disk image, it will do bad things to my computer. Explain to me how this is worse than a Trojan horse program? It's possible to write a trojan horse for any platform. Only download software from places you trust.
Random and weird software I've written.
The solution I proposed on the previous article already takes this into account.
Can't you see that everyone is buying station wagons?
I've written a sample exploit that delivers and executes its payload without user intervention and operates by registering its own URL scheme handler. Until Paranoid Android, there was no way of protecting against this attack, which freaked me out enough to write Paranoid Android. :)
If you click the sample exploit link below, here's what will happen:
Because this sample exploit registers its own URL scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the 'help' URL scheme would protect against it. At this time, only Paranoid Android provides protection from it.
benign sample exploit -->innocousPage.html
Portions of this sample exploit are based heavily on a prior sample exploit at insecure.ws
Conclusions
Until Apple fixes this vulnerability, you should install Paranoid Android and surf safely.
Copyright Jason Harris, 2004, All Rights Reserved
I'm using 10.3.3 and when I click on the sample exploit URI, nothing happens -- nothing. I've tried this thing 10+ times, scoured my HD for "owned.txt" and can find nothing. Of course, I installed the RCDefaultApp PreferencePane a couple of days ago and had already followed the suggestions posted by John Gruber on http://daringfireball.net but since Paranoid Android is the ONLY thing that can protect against this exploit, I'm at a loss as to explain why my machines aren't affected.
Reading up on the feature that causes the problem, it looks like something that in normal situations would be very useful. Rather than simply disabling this functionality, it would certainly seem better to find a solution to the security issue. Maybe one would be to require admin permission before activating the URL helper, with a warning of what it would do?
I had thought about requiring applications to be signed, and non-signed applications requiring extra permission, but since this issue is likely to arise from unsigned applications that the user would accept anyhow, would we just be gaining a false sense of security?
I would be curious to read your ideas.
Jumpstart the tartan drive.
Running 10.2.8 (updated as of yesterday's fix from Apple) I can't get the .dmg file to even download when clicking on the example exploit. I get the following error message:
Did Apple's fix take care of this or is the exploit no longer available?
Can't this one escalate even further?
Can't trojans that get onto Macs turn into bona-fide worms, distributing themselves via Address Book and HTML e-mail that does the 'disk://' download?
There are a number of workarounds at the moment:
1. The best is Paranoid Android linked to in the article itself. PA itself uses the APE kernel extension from Unsanity, however, and some people have reported problems with this.
2. Another method is to use Internet Explorer, MisFox or MoreInternet to set the following protocol helpers, which can mount volumes, to point to an innocuous application, such as Chess.
ftp:
afp:
disk:
disks:
3. In a public environment where there are some automatically mounted network shares, such as in a university, school or company, you would also have to take into account protocols such as:
nfs:
webdav:
smb:
cifs:
but these are less likely to be used in conjunction with this vulnerability, as it would be more difficult to get one of these users to simultaneously go to a webpage that exploits this.
Don't know where these associations are stored, but that file should be read-only for staff, and require authentication when changed. This also catches changing the protocol handler.
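The thread describes the mechanism (an application bundle binds a URL scheme in its Info.plist, and Launch Services registers it the moment the volume mounts) and lists the schemes that can mount a volume. The following audit script is an added example, not code from the thread or from any of the tools named in it: it parses an Info.plist with the standard library and reports which declared schemes collide with the mount-capable ones and which are entirely new. The Info.plist below is constructed; the "malware" scheme name is the one quoted in the thread's error messages, and the set of already-known schemes is an assumed placeholder.

```python
import plistlib
from typing import Dict, List, Set

# Schemes the workaround list above names as able to mount a volume.
MOUNT_SCHEMES = {"ftp", "afp", "disk", "disks", "nfs", "webdav", "smb", "cifs"}

# Constructed sample Info.plist for an app that declares its own scheme
# ("malware", the name seen in the thread's error messages) and also
# claims the mount-capable "disk" scheme.  CFBundleURLTypes/CFBundleURLSchemes
# are the standard keys Launch Services reads for URL scheme registration.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.example.sample</string>
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key>
            <string>Sample URL</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>malware</string>
                <string>disk</string>
            </array>
        </dict>
    </array>
</dict>
</plist>
"""


def declared_schemes(plist_bytes: bytes) -> List[str]:
    """Return every URL scheme an Info.plist asks Launch Services to register."""
    info = plistlib.loads(plist_bytes)
    return [
        scheme.lower()
        for url_type in info.get("CFBundleURLTypes", [])
        for scheme in url_type.get("CFBundleURLSchemes", [])
    ]


def audit_schemes(plist_bytes: bytes, known: Set[str]) -> Dict[str, List[str]]:
    """Split declared schemes into hijacks of mount-capable ones and new, unknown ones."""
    schemes = declared_schemes(plist_bytes)
    return {
        "mount_capable": sorted(s for s in schemes if s in MOUNT_SCHEMES),
        "unknown": sorted(s for s in schemes if s not in known and s not in MOUNT_SCHEMES),
    }


if __name__ == "__main__":
    # Assumed placeholder for the schemes already registered on the machine.
    print(audit_schemes(SAMPLE_INFO_PLIST, known={"http", "https", "mailto"}))
```

Running it over the Info.plist of every bundle on a freshly mounted volume would flag the case the thread worries about before the scheme is ever invoked.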
Apple just can't get any breaks lately.
You make it sound as if this is something that people are doing to Apple or that is like a natural disaster.
It is not. If any manufacturer ships software with security holes, it is that manufacturer's choice: they are trading off security against faster shipment and better (=more expensive) software engineering practices.
And the public relations fallout is also Apple's responsibility: it is, after all, Apple that positioned their system in their paid ads as supposedly "more secure".
The Snitch seems to block bogus protocol handlers. As long as LS queries you about the "diskimages-handler", the connection can be blocked, and the image fails to mount. Camino gives me "malware is not a registered protocol".
but for how long??
"Under the spreading chestnut tree, I sold you and you sold me."
While Paranoid Android 1.1 is better than nothing, it allows some exploits to slip through. Basically, it allows ftp links to mount in the Finder. Once this is done, the Finder will register any URL handlers present. That can include URL handlers that Paranoid Android trusts.
All of this is even after the 5-24 security update is installed, of course.
Apple really need to do something about Launch Services. I think the best bet would be to mark newly discovered URL schemes as untrusted. When the user tries to run an untrusted scheme for the first time, warn them about it.
This exploit works equally well, or even better, with ordinary zip files. Safari auto-expands these on-the-fly, so it's much faster than mounting a disk image. You can also use .sit or .hqx or whatever; the important thing is that LaunchServices registers the application.
This is how I think Apple could solve this:
When an application is first detected, all its URL schemes are un-flagged. The first time the user launches that app, they get flagged, and can be used freely.
If the user (or the exploit!) tries to use these URL schemes before they're flagged, a dialog appears, requesting the user to accept the launch before opening the URL.
Sig Nature
Yeah, and that brings the total number up to two or three exploits. Let's all just switch back to Windows--it's obviously a superior, more secure operating system!
Nice freakin' headline.
[disclaimer: not affiliated with obdev, just a satisfied user]
The first time Mozilla tried to mount a sample exploit .dmg, Little Snitch popped up wanting to know if this should be allowed.
Anyone surfing without an application sensitive firewall should catch a clue.
Granted, your run of the mill user would likely click through allowing the mount, but they would probably do the same with Paranoid Android, and LS covers all applications trying to establish external connections, a real plus in today's wired world.
Some days it's just not worth
chewing through my restraints.
I have RCDefaultApp but I only disabled disk: and disks:; ftp: is still set to Finder. The first demo did nothing. The second one certainly did mount the disk image and opened the Finder to show it, but I waited quite a while (the disk appeared in less than 2 seconds) and nothing happened. Any clues why my machine seems immune?
It's been very gratifying to read through this entire thread and realise two things.
1. No one in this thread is a professional software engineer.
2. The median age of the contributors is way under eighteen.
Ok, my configuration:
Mac OS/X 10.2.8, with all services turned off and the firewall turned on, denying everything, and all Directory Access protocols turned off (what can I say, I'm a little paranoid). I also have a hardware firewall between my laptop and my cable modem. Belt and suspenders, right?
I don't use Safari because it doesn't seem to be too stable on my machine for some reason (gypsy curse?). If I install it, it crashes on some of the sites I visit (I think this is a Java issue of some kind). So I deleted it.
For a browser, I generally use Mozilla 1.6, although I like to play with Firefox and Camino, too. I'll probably switch to Firefox permanently when they get past the 1.0 hurdle. In my browsers, I have killed most of the plugin handlers except for the obvious ones, like mp3 and so on. Plus, I'm sadistic about popup windows and cookies.
OK, enough introduction.
I tried the vulnerability links on the site, and they didn't work on my system. The first link produced an error message claiming a "type 2" error, then a popup which said that the protocol in use was not a registered protocol. The second link didn't produce an error, but it did produce the registered protocol warning. Neither link resulted in a file being saved to my machine, or indeed any other visible effect.
Note that the website did mention that users of Jaguar might not be vulnerable, and that there was anecdotal evidence for this. So, let me add my anecdote to the collection of anecdotes already present, and say that if you're running a similar setup to mine, you might be alright.
-Phil
Farewell! It's been a fine buncha years!
I understand that this is an unwanted hole in the system... but how does that really affect me? Ok, someone can mount an image from my desktop if it has an application in it. Can they run the app too? If not, then wouldn't it be my dumbass who clicks the app that was mounted, i.e. a potential virus?
PA is intrusive. So are all the haxies from Unsanity. It's 'unsane' to use such things. It amazes me that such a thing is even possible on a supposedly secure 32-bit protected memory system, but given that PA seems to want to deposit its files in proprietary system areas, it's certainly cause for a heads-up alert. As Ken Thompson said, 'keep your hands off the drivers', and this applies to system code as well. There has to be a better solution -- this one is potentially more dangerous than the threat it addresses, and it's just downright bad programming practice period.
An important point is that this family of exploits is not the result of any programming errors. It is the result of everything working precisely as it was intended to, but there being unforeseen uses for the design as originally specified.
This 5-24-04 security update says that it does something about "helpviewer", but this topic leads me to believe it's really doing something to the disk mounting.
That said....
I installed it today, and now my external FireWire drive that I'm using with my PowerBook randomly spins down like I ejected it. It really likes doing this in the middle of tasks, which is not any fun for me. I've already lost data because of this.
And I also can't eject it using the little eject icon next to the disk icon.
Anyone else having problems like this?
Anyone know of any solutions and want to help a coward out?
If the security companies and Windows users hate the fact that OS X gets all the attention for being more secure, why don't you all just invest in writing a virus already. If you want to "help", call Apple; don't fill the news with "oh my god, Apple's security sucks". If you download applications from unsecured sites or IRC or newsgroups, don't come to Slashdot and say you are appalled at how unsecure a platform is. The system is built to be secure, and if the user wants to leave their browser open to automount downloads, go ahead. I don't think that option was ever set to default by Apple, and I don't think anybody here knows how difficult it is to get AFP, Samba and other protocols to work, or knows enough to see that all you are doing is trying to make a MOUNTAIN out of a MOLEHILL.
All I know, this isn't "news" per se and now I can't stand macslash or slashdot as "news" sources cuz it's nothing but conjecture.
Enjoy! all you paranoid people with tin foil hats on.