Slashdot Mirror
Yet Another Mac OS X Protocol Handler Exploit
Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.
Fire up MisFox again and update the help protocol helper to /System/Library/CoreServices/Help Viewer.app
If you disagree then it must be overrated, redundant or trolling.
This issue was discovered on the MacNN forum, when they were discussing the previous exploit. The accepted workaround was downloading one of the utilities to change the protocol helpers, but the user kampl refused to have any non-Apple "security fix" on his system (He never acknowledged that the utilities were not sucurity fixes at all, just tools to change user preferences). His solution was to delete the HelpViewer app from his system. One bright member of the forum pointed out that that isn't enough, you could probably just stick the HelpViewer on the .dmg image and LaunchServices would find it there. Another poster realized this might work for any application if you bind it to a bogus protocol in the Info.plist file, so there is no need for HelpViewer at all. A third poster had a sample exploit coded in no time. Apple was promptly notified, so we can expect another fix soon (hopefully).
the sample exploit is only for disk.
Try one of these if you are so confident this is a PR stunt: http://ozwix.dk/OpnAppFixer/testit.html
No, that's not it at all. They're saying is that if you visit a properly-constructed web page, that page can cause your computer to execute arbitrary code without any further intervention on your part. You just go to the URL, and a few seconds later you've been owned.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
There are a number of workarounds at the moment:
1. The best is Paranoid Android linked to in the article itself. PA itself uses the APE kernel extension from Unsanity, however, and some people have reported problems with this.
2. Another method is to use Internet Exploere, MisFox or MoreInternet to set the following protocol helpers which can mount volumes, to point to an innocuous application, such as Chess.
fpt:
afp:
disk:
disks:
3. In a public environment where there are some automatcially mounted network shares such as in a university, school or company, you would also have to take into account protocols such as:
nfs:
webdav:
smb:
cifs:
but these are less likey to be used in conjunction with this vulnerability as it would be more difficult to get one of these users to simultaneously go to a webpage that exploits this.
That's it. No web page can exploit this arbitrary protocol problem if you do step 1 above. Step 2 fixes the help: issue, and step 3 fixes all other known issues.
Why does this warrant 4 stories in 4 days?
It warranted 4 stories in 4 days because people like you misunderstand the problem.
Step 1 doesn't fix anything.. disk: ftp: afp: protocols still allow automounting of volumes from a webpage.
Step 2 fixes help and telnet, but those aren't the whole issue.
Step 3 is a step in the right direction, but you'll also need to disable ftp: and afp: since they both can be used in the same way.
Disabling ftp means you can't open any ftp volumes without jumping through hoops. I always thought it was stupid that safari didn't handle ftp directly though.
The solution isn't an easy one, and Apple is going to have to do something that MS and Linux have dealt with in the past... sacrifice ease-of-use for security.
Funny, how these assumptions happen.
/System? You can get that off of a CD in half an hour. It's the documents, pictures, movies, and music that you have that are difficult to replace, and owning your user account is enough for a virus to destroy them.
I'm a Mac owner. I've owned nothing but Apple computers, first an Apple IIGS then a series of Macs. I love them, and I think Apple is great. But that doesn't prevent me from facing reality.
The fact is, it doesn't matter if "only" your user account is compromised, and root remains secure. What can a trojan possibly do to your computer that you don't want it to do? It can delete files, spy on you, and proxy spam or other malicious network connections. It can do all of this with "only" your user account. You don't have to be root to proxy anything. You don't have to be root to run a keylogger or run a heuristic that greps for credit card numbers. You don't have to be root to trash all of the files in your home directory, which should be the only ones you care about. Who cares if the trojan can't trash the stuff in
The unix permissions model is great on multiuser systems, but on a home desktop it really just doesn't help that much. It's nice, but it fails to protect that which I care most about.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
Actually, this IS an exploit.
Using this technique, an attacker can cause a disk image to open on your machine, the OS will then faithfully install any arbitrary URL handlers that applications on that disk image say they can handle (for example a deletefile: URL handler), then the same website can forward you to a deletefile://~ URL, thus deleting your home directory.
While it would be easy to tell that the web site is opening a disk image, and the application it starts would probably appear in the Dock, it doesn't make it easy to prevent the Application on the disk image from being executed using this method.