Slashdot Mirror


Yet Another Mac OS X Protocol Handler Exploit

Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.
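The summary above says that an application on a mounted volume gets the protocol handlers it specifies registered. As an added example (not from the story, the submitter, or any commenter), this Python audit lists the URL schemes that each `.app` bundle under a directory declares in its `Info.plist` through the `CFBundleURLTypes` / `CFBundleURLSchemes` keys; the sample bundles, the scheme name and the function names are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

def declared_schemes(info_plist):
    """Return the URL schemes a bundle's Info.plist (bytes) claims."""
    try:
        info = plistlib.loads(info_plist)
    except Exception:
        return []  # unreadable plist: nothing can be read from it
    url_types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    schemes = set()
    for url_type in url_types or []:
        if isinstance(url_type, dict):
            for scheme in url_type.get("CFBundleURLSchemes") or []:
                if isinstance(scheme, str):
                    schemes.add(scheme.lower())  # schemes are case-insensitive
    return sorted(schemes)

def audit_volume(root):
    """Map each .app bundle under root to the URL schemes it declares."""
    root = Path(root)
    findings = {}
    for plist in sorted(root.rglob("Info.plist")):
        contents = plist.parent
        if contents.name != "Contents" or contents.parent.suffix != ".app":
            continue  # only the bundle's top-level Info.plist counts
        schemes = declared_schemes(plist.read_bytes())
        if schemes:
            findings[contents.parent.relative_to(root).as_posix()] = schemes
    return findings

def build_sample_volume(root):
    """Constructed sample data: two bundles, one claiming a made-up scheme."""
    samples = {
        "Sample.app": {"CFBundleURLTypes": [{"CFBundleURLSchemes": ["Example-Scheme"]}]},
        "Extras/Plain.app": {"CFBundleIdentifier": "com.example.plain"},
    }
    for rel, info in samples.items():
        contents = Path(root) / rel / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(plistlib.dumps(info))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(tmp)
        for bundle, schemes in audit_volume(tmp).items():
            print(bundle, "declares", ", ".join(schemes))
```

Pointing `audit_volume` at a mounted volume's directory shows which bundles on it would claim a scheme, so anything unexpected can be reviewed before the volume is trusted.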

19 of 155 comments

  1. Re:MS influence? by Anonymous Coward · · Score: 1, Insightful
    MS influence? (Score:-1, Troll)
    by Anonymous Coward on 11:40 22 May 2004 (#9224915)
    What'd they do, hire the security team away from Microsoft?

    Troll? Have I too committed a thought crime by considering that post funny?

  2. As an Apple Aficionado, I'm delighted. by Anonymous Coward · · Score: 5, Insightful

    I love my Apple computers and I adore OS X.

    That said, I'm immensely relieved the floodgates to OS X exploitation have finally been thrown open.

    Allow me to explain.

    Too long Apple users have gloated (senselessly) that OS X is somehow more secure than Windows. This collective delusion has lulled everyone into a false sense of security. Being one of the few who bothers to "secure" his OS X installation, I am often jeered at for being paranoid - unnecessarily so, according to my detractors.

    But the truth is that no software system is perfect. This is the wake-up call for Apple and its users to realise they need to watch out too. I relish this because taking action *now* to purge OS X of its deficiencies will prevent the pitiful scene common to Windows users. I don't want OS X exploited on a daily basis as happens with Windows. I want OS X to be secure!

    There will be much displeasure in the short-term, but that which does not kill us only makes us stronger.

    1. Re:As an Apple Aficionado, I'm delighted. by norkakn · · Score: 3, Insightful

      No, it isn't perfect

      But I would still claim that OSX's security is better than XP's

    2. Re:As an Apple Aficionado, I'm delighted. by yotaku · · Score: 5, Insightful

      Absolutely. And the same thing would happen with any other OS that was set up and used by anyone not in the computer elite. There will always be holes in the OS. But given careful administration, most are not too much of a problem. This is true for OS X, Windows, and *nix.

      I just hope, as you say, that it will shut the Mac fans up about their "immune OS that will never suffer from security holes as Windows does". Guess what, it will - and has.

    3. Re:As an Apple Aficionado, I'm delighted. by Jord · · Score: 5, Insightful

      I love the way this comment was presented. Sounds like some finely crafted FUD more than anything else. Yes, an exploit has been found in OSX. Does that make OSX as vulnerable as Windows? Not even close, not even on the same planet.

      Windows has had so many exploits that I can't even keep track. One exploit, not even a root exploit (a very important distinction), does not make OSX as vulnerable as Windows. There still are no worms, no viruses attributed to OSX.

      Yes, this was due. It was going to happen. But OSX is still infinitely more secure than Windows and more than likely always will be. Let's not fly off half-cocked and make wild statements like this.

    4. Re:As an Apple Aficionado, I'm delighted. by mikedaisey · · Score: 4, Insightful


      I agree with your sentiment--I want a secure system, and seeing it challenged early will help it be so. But the fact of the matter is that OSX ships by default many degrees of magnitude more secure than Windows does.

      Yes, this has resulted in some unnecessary gloating from Macheads, and it makes folks lazy with their security--that's unfortunate. But that doesn't diminish the security successes Apple's had with OS X.

    5. Re:As an Apple Aficionado, I'm delighted. by IntlHarvester · · Score: 2, Insightful

      (Should I reply to a FUD-crying astroturfer with an OSX advert in his sig? Well, OK...)

      In general, there are two types of security issues:

      (1) Implementation issues -- e.g. buffer overflows in MSRPC or OpenSSH or Outlook MIME parsing.

      (2) Design issues -- such as auto-installing ActiveX, HTML preview that automatically runs scripts, and so on. These are the typical Microsoftish Ease-Versus-Security issues.

      Windows has been hit hard by both, so it's easy to confuse the two.

      The thing is, Apple really isn't better at #2 than anyone else. They seem to have made similar funky "desktop integration" decisions as Microsoft, and that leads to consequences such as this. Come on, a "disk:" protocol handler? Why? There's nothing FUDish about pointing this stuff out.

      (Another good example is the plug-n-play directory service that gives another machine root powers over your OS X box with a simple DHCP command.)

      There still are no worms, no viruses attributed to OSX.

      Security is only measured by a worms/viruses count on the lowest level. I don't think anyone would disagree there are other factors there, such as size and concentration of the userbase, number of 'hostile' users, opinion of the vendor, etc. Classic MacOS had almost no viruses and it was not because of a secure design.

      --
      Business. Numbers. Money. People. Computer World.

    6. Re:As an Apple Aficionado, I'm delighted. by Jord · · Score: 5, Insightful

      I suggest you take a look at track records before spouting off about who is better at what.

      I am not saying that OS X is perfect. Far from it, I am a programmer myself and I understand the realities of software design. However, based on track records alone, OS X is far ahead of even the most current Windows implementation. How many exploits are there that auto install software on OS X? None. How many worms are there for OS X? None. How many pieces of auto-installing spyware are there for OS X? None. How many viruses? None. OS X IS more secure than Windows. It's not perfect but I will put my money behind the security in OS X any day.

      In any event, it was completely expected that the Windows zealots would come out of the woodwork as soon as the first vulnerability was found in OS X. Now it begins. We will see plenty of zealots crying how no operating system is safe. Guess what, Windows is still a poorly written piece of garbage and no amount of throwing mud (or fud) is going to change that.

    7. Re:As an Apple Aficionado, I'm delighted. by AndyElf · · Score: 2, Insightful

      The problem with Intego is that they have blown _that_ exploit out of proportion -- as very rightly pointed out in many places, _that_ exploit (or a similarly crafted one) could just as easily happen on UNIX or Windows or *any* other OS.

      --

      --AP

    8. Re:As an Apple Aficionado, I'm delighted. by Anonymous Coward · · Score: 1, Insightful

      your tone is way too hostile and accusatory

      Mr. Pot, meet Mr. Kettle. Don't be a condescending prick, and people won't talk back to you as if you were a condescending prick.

    9. Re:As an Apple Aficionado, I'm delighted. by Jord · · Score: 4, Insightful

      The large audience argument has been mentioned many many times in the past and personally I disagree with it. There is a real world example of this exact situation. Microsoft IIS. Its "market percentage" is very tiny and yet it gets hit with worms because it is insecure. On the other hand, Apache, which has a huge market percentage, does not get it because it is secure.

      Granted this is dumbing down the details by a HUGE amount but the point is still there. Microsoft software does not have the most worms/viruses/etc because it has the most market share, it has the most worms/viruses/etc because it is the most poorly written. Granted, if their market share was zero, then obviously the exploits would not be big news, but the clear point that is made is that if OS X were as vulnerable as Windows we would be seeing worms and viruses. The fact that there are none reported goes a long way to show the strength of the operating system.

      BTW you could easily replace OS X with BSD, Linux in this statement and the statement still holds true. Software written with security in mind is clearly more secure. Windows was clearly not written with security in mind.

  3. It just works! by OneDeeTenTee · · Score: 5, Insightful

    Seriously though, once Linux becomes a real choice for average desktop users we'll be seeing Linux exploits as well.

    --
    Stop the world; I need to get off.
  4. Re:How this hole was discovered by Fulkkari · · Score: 5, Insightful

    I'm a bit amazed on how well the Mac community have co-operated in finding these security flaws. Even though the flaws are always bad things, this just shows how strong the community actually is. And it sure feels good to be a part of it.

    --
    I demand the Cone of Silence!
  5. Re:How this hole was discovered by Midnight+Thunder · · Score: 4, Insightful

    this just shows how strong the community actually

    It does, but it also shows the importance of community. This is one thing that I feel should be taken into account when creating a product. If you can create a community around your product then people will discuss what they like, what they don't like and generally people will talk about your product. All this needs be, to start with, is a help forum with provision for generalised discussion. If people are part of the community then they are likely to help push the product.

    --
    Jumpstart the tartan drive.
  6. Re:Also uses meta-refresh by Graymalkin · · Score: 4, Insightful

    The disk: protocol is designed to automount images off the web, that is why it exists in the first place. Developers can offer up images off their sites users can mount directly so there's no need to download the image, install the app, and delete the image. Once the app is installed the user can just unmount it. It is a nice functionality but Apple needs to sandbox the process since an image mounted off the web should be untrusted.

    --
    I'm a loner Dottie, a Rebel.
  7. Re:How this hole was discovered by Fulkkari · · Score: 2, Insightful
    I have to admit, I find slashdot's schizophrenic reactions to these Mac security issues quite interesting.

    Slashdot is not one person. Therefore there will be different opinions about things.

    I'm not usually for releasing vulnerabilities directly into the public, but this makes an exception. The findings of these new vulnerabilities are results of one conclusion after another. In the end: does it matter if the final announcement is posted if you can read it between the lines from the earlier posts yourself?

    --
    I demand the Cone of Silence!
  8. Re:Not only with disk images... by bw5353 · · Score: 2, Insightful
    If the user (or the exploit!) tries to use these URL schemes before they're flagged, a dialog appears, requesting the user to accept the launch before opening the URL.

    I do not have any better solution, but as the sky is overcast today I'm gonna complain about yours anyhow.

    You are not alone in suggesting that the user should confirm what should happen in a dialog/pop-up/what-not. The problems are

    a) There are too many clueless users out there, who have no idea of what they are doing.
    b) Even if you are full of clues and the geekiest guru of the town, there will be moments when a dialog simply cannot give enough information on what can safely be done.

    In an ideal system you (geek or your grandma) should never have to worry about understanding what is going on and judging whether it is safe or not.

    But, as said before, that does not mean I have any suggestion on how to handle this particular problem in any better way. Sorry...

  9. Re:Fear Bill G, Fear! by agibbs · · Score: 3, Insightful

    I know you're being funny, but has anyone actually seen any malicious exploits out there for this? I haven't heard of any. Not that this lessens the gravity of this exploit, but it is interesting. Also, I don't believe this is a hole for viruses; again, someone can do a hell of a lot of damage with a simple rm -rf ~ but I don't think this has the potential to open the door to worms, viruses, etc.

  10. Re:Also uses meta-refresh by m3talsling3r · · Score: 2, Insightful

    I must point this out. This exploit is as much of an exploit as say... http: ... or telnet: ... or (gasp) ftp: . I could go on but frankly it's pointless. This is no exploit. It is simply the proper use of a protocol.

    If you want to be fair about it, to become a security risk, it would have to have access to something.

    As far as the dmg thing goes, a mounted dmg shows up on your desktop right away, A screen pops up showing it mounting, etc... There's no missing what is going on by even the simplest mac user.

    Disk access is another issue. Is this exploit being run as root? Administrator? Against other users of the system? Does it somehow exploit suid or chown? Is it remotely executable?

    The answer is almost usually a resounding no!

    Then it's simply not an exploit. It can do nothing. End of story.

    --
    My sig is as boring as you...