Slashdot Mirror

← Back to Stories (view on slashdot.org)

Yet Another Mac OS X Protocol Handler Exploit

Posted by pudge on from the hooray dept.

Rosyna writes "Apple just can't get any breaks lately. First the help protocol handler exploit (which has been fixed), then the telnet handler exploit, and now an exploit for any arbitrary protocol handler: make your own, then exploit it. You can auto mount a volume in Mac OS X via the disk, afp, or ftp handlers (and probably others). Paranoid Android will help prevent exploitation until Apple fixes the problem." The hole here is that when a volume with an application on it is mounted, Apple registers the application's specified protocol handlers, without additional user action. Another option is to disable those handlers that allow volume mounting, but playing that game, obviously, isn't a guaranteed win in the long run.

10 of 155 comments (clear)

  1. MS influence? by Anonymous Coward · · Score: 5, Funny

    What'd they do, hire the security team away from Microsoft?

  2. As an Apple Afficionado, I'm delighted. by Anonymous Coward · · Score: 5, Insightful

    I love my Apple computers and I adore OS X.

    That said, I'm immensley releived the floodgates to OS X exploitation have finally been thrown open.

    Allow me to explain.

    Too long Apple users have gloated (senselessley) that OS X is somehow more secure than Windows. This collective delusion has lulled everyone into a false sense of security. Being one of the few who bothers to "secure" his OS X installation, I am often jeered at for being paranoid - uneccesarily so, according to my detractors.

    But the truth is that no software sytem is perfect. This is the wake-up call Apple and its users to realise they need to watch out too. I relish this because taking action *now* too purge OS X of its deficiencies will prevent the pitiful scene common to Windows users. I don't want OS X exploited on a daily basis as happens with Windows. I want OS X to be secure!

    There will be much displeasure in the short-term, but that which does not kill us only makes us stronger.

    1. Re:As an Apple Afficionado, I'm delighted. by yotaku · · Score: 5, Insightful

      Absolutely. And the same thing would happen with any other OS that was setup and used by anyone not in the computer elite. There will always be holes in the OS. But given careful administration, most are not too much of a problem. This is true for OS X, Windows, and *nix.

      I just hope, as you say that it will shut the Mac fans up about their "immune OS that will never suffer from security holes as windows does". Guess what, it will - and has.

    2. Re:As an Apple Afficionado, I'm delighted. by Anonymous Coward · · Score: 5, Interesting

      I did not realize that "being secure" was a boolean.

      Too long Apple users have gloated (senselessley) that OS X is somehow more secure than Windows

      So something is either completely secure (along the lines of OpenBSD), or it is as open as Windows. And there is no middle ground there?

      Even with the current exploits, OS X is still significantly more secure than most Windows installs.

      Yes, I agree that OS X users need to take precautions and not just rely on the security of their machine. Even then, though, you can tell someone deciding between OS X and Windows "If you are reasonable careful on both platforms, you are still less likely to have problems with OS X, due to its security already in place."

    3. Re:As an Apple Afficionado, I'm delighted. by Jord · · Score: 5, Insightful
      I love the way this comment was presented. Sounds like some finely crafted FUD more than anything else. Yes an exploit has been found in OSX. Does that make OSX as vulnerable as Windows, not even close, not even on the same planet.

      Windows has had so many exploits that I can't even keep track. One exploit, not even a root exploit (a very important distinction) does not make OSX as vulnerable as Windows. There still are no worms, no viruses attributed to OSX.

      Yes this was due. It was going to happen. But OSX is still infinitely more secure than windows and more than likely always will be. Lets not fly off half-cocked and make wild statements like this.

      --
      seSales, Point of Sale software for OS X.
    4. Re:As an Apple Afficionado, I'm delighted. by Jord · · Score: 5, Insightful
      I suggest you take a look at track records before spouting off about who is better at what.

      I am not saying that OS X is perfect. Far from it, I am a programmer myself and I understand the realities of software design. However based on track records alone, OS X is far ahead of even the most current windows implementation. How many exploits are there that auto install software on OS X? None. How many worms are there for OS X? None. How many pieces of auto-installing spyware are there for OS X? None. How many viruses? None. OS X IS more secure that windows. It's not perfect but I will put my money behind the security in OS X any day.

      In any event, it was completely expected that the Windows zealots would come out of the woodwork as soon as the first vulnerability was found in OS X. Now it begins. We will see plenty of zealots crying how no operating system is safe. Guess what, windows is still a poorly written piece of garbage and no amount of throwing mud (or fud) is going to change that.

      --
      seSales, Point of Sale software for OS X.
  3. It just works! by OneDeeTenTee · · Score: 5, Insightful

    Seriously though, once Linux becomes a real choice for average desktop users we'll be seeing Linux exploits as well.

    --
    Stop the world; I need to get off.
  4. How this hole was discovered by mst76 · · Score: 5, Informative

    This issue was discovered on the MacNN forum, when they were discussing the previous exploit. The accepted workaround was downloading one of the utilities to change the protocol helpers, but the user kampl refused to have any non-Apple "security fix" on his system (He never acknowledged that the utilities were not sucurity fixes at all, just tools to change user preferences). His solution was to delete the HelpViewer app from his system. One bright member of the forum pointed out that that isn't enough, you could probably just stick the HelpViewer on the .dmg image and LaunchServices would find it there. Another poster realized this might work for any application if you bind it to a bogus protocol in the Info.plist file, so there is no need for HelpViewer at all. A third poster had a sample exploit coded in no time. Apple was promptly notified, so we can expect another fix soon (hopefully).

    1. Re:How this hole was discovered by Fulkkari · · Score: 5, Insightful

      I'm a bit amazed on how well the Mac community have co-operated in finding these security flaws. Even though the flaws are always bad things, this just shows how strong the community actually is. And it sure feels good to be a part of it.

      --
      I demand the Cone of Silence!
  5. Much Ado About Not Much... by lgw4 · · Score: 5, Interesting
    I think this is mainly a PR stunt.
    <quote>
    Sample Exploit

    Ive written a sample exploit that delivers and executes its payload without user intervention and operates by registering its own URL scheme handler. Until Paranoid Android, there was no way of protecting against this attack, which freaked me out enough to write Paranoid Android.:)

    If you click the sample exploit link below, heres what will happen:

    • A disk image named MalwareDiskImage will be mounted on your desktop.
    • LaunchServices will read the Info.plist file of the application in this disk image automatically, and register the application as the default handler for URLs with a 'malware' scheme.
    • The webpage will wait 10 seconds, and then redirect to malware:unused, causing LaunchServices to launch the payload application within the disk image.
    • The application within the disk image will write a text file to the users home directory called owned.txt explaining that the machine has been exploited, will present an alert to the user, and will eject the disk image.

    Because this sample exploit registers its own URL scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the 'help' URL scheme would protect against it. At this time, only Paranoid Android provides protection from it.

    benign sample exploit -->innocousPage.html

    Portions of this sample exploit are based heavily on a prior sample exploit at insecure.ws Conclusions

    Until Apple fixes this vulnerability, you should install Paranoid Android and surf safely.

    Copyright Jason Harris, 2004, All Rights Reserved

    </quote>
    I'm using 10.3.3 and when I click on the sample exploit URI, nothing happens -- nothing. I've tried this thing 10+ times, scoured my HD for "owned.txt" and can find nothing. Of course, I installed the RCDefaultApp PreferencePane a couple of days ago and had already followed the suggestions posted by John Gruber on http://daringfireball.net but since Paranoid Android is the ONLY thing that can protect against this exploit, I'm at a loss as to explain why my machines aren't affected.