Slashdot Mirror


Apple Addresses URI Handler Issues

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word is given regarding how the average user should know whether or not to approve the request.

106 comments

  1. No word? by daveschroeder · · Score: 4, Insightful

    "No word is given regarding how the average user should know whether or not to approve the request?"

    Well, first of all, this security update takes the issue completely from the realm of an automated exploit that could execute arbitrary code simply by visiting a web page with no user interaction or warning, to what can now only be described, more or less, as a social engineering exploit. If you download a new application, like, say, an RSS reader, the OS will prompt you to add, for example, the 'feed:' URI handler:

    - ONLY the first time, and

    - ONLY if it's invoked remotely, e.g., via a web page, URL in an email message, etc.

    And since the only value of this exploit came from it being used in two HTML frames with two META REFRESH tags, via a browser, to cause some type of remote volume to mount (or a file to download) AND then have the newly registered URI remotely called, this completely and totally fixes the issue, without hurting the normal functionality of having new URIs get registered when you launch an application. Saying "No word is given regarding how the average user should know whether or not to approve the request" is tantamount to saying that no guidance is given on whether or not a user should even know to open, say, a shareware app they've downloaded for the first time.

    On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue. This addresses the core of the issue, which was several OS features interacting to essentially enable an automated exploit; that capability is now completely disabled. Apple even went further and removed some suspect handlers (disk:) completely, even though this fix makes it unnecessary.

    Also, detailed information on what exactly was changed is here:

    http://www.info.apple.com/kbnum/n61798

    ...as well as a description of what exactly occurs if this situation is encountered:

    http://www.info.apple.com/kbnum/n25785

    You can verify that these issues are fixed by using the following test site: http://test.doit.wisc.edu/

    1. Re:No word? by pudge · · Score: 4, Funny

      On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue.

      You think much more highly of the average user than I do.

    2. Re:No word? by yotaku · · Score: 5, Insightful

      "On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue."

      Yes, just like a Windows user knows to say no to those ActiveX dialogs. I'm sorry, but this does NOT solve the problem. Research shows that when a user is exposed to such a dialog they get confused and pick a random option.

      This is a fix for semi-intelligent computer users. It does not help the average user. If this really worked then no-one would still be installing Gator.

    3. Re:No word? by Anonymous Coward · · Score: 0, Insightful

      Exactly what I was thinking. This already occurs quite frequently in Windows and most people just click Ok when it comes up. That is why I have to clean a ton of spyware off people's computers.

    4. Re:No word? by baur · · Score: 5, Insightful

      You think much more highly of the average user than I do.

      If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programs - and new ones at that. If not, then the computer is nearly useless.

      Social engineering is always possible. Heck, there are Windows viruses that spread using a password protected zip file. That means that the user has to be convinced to download the file, open it, put in a password and then run the trojan. Sure, some people are dumb enough to go through all of that (the fact that it's spreading at all is proof of that) - but how many hoops are reasonable to jump through to protect the user? At some point, the OS has to step back and let the user do what they want, or else they'll go use something that gives them more control.

    5. Re:No word? by pudge · · Score: 2, Interesting

      If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programs - and new ones at that. If not, then the computer is nearly useless.

      You're committing the Excluded Middle fallacy here. There are degrees. In this case, we are talking about a remote attacker doing things without user interaction, except to click on a dialog box *they don't understand*. They only have two options, and they don't know which is the right one. And no matter what the dialog says, that won't change. This is very different from a user going and clicking to open an application of their own accord.

      IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly. There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.

    6. Re:No word? by falcon5768 · · Score: 1

      At least we run a OS where both a comp sci major and a novice would feel at home

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    7. Re:No word? by jdb8167 · · Score: 2, Insightful

      Unlike Windows, running a new, untrusted application installed from the browser is a very unusual circumstance on the Mac. It just doesn't happen. For most users, a new application is installed in /Applications. Since you can't do that without an Admin password, any legitimate Application already has to be installed with a user's consent.

      Users definitely need a quick tutorial on this potential security issue, but if and when they get this dialog they will know something is up. If they are running a new plug-in that they explicitly want, they simply click OK, if not then click Cancel and report the incident as suspicious.

      Nothing should ever be installed on your computer via a browser without your express consent. Knowing when to accept or not isn't as big a problem as it is made out to be.

    8. Re:No word? by Black+Art · · Score: 2, Funny

      Research shows that when a user is exposed to such a dialog they get confused and pick a random option.

      And here I thought that only trademark lawyers were that easily confused...

      --
      "Trademarks are the heraldry of the new feudalism."

    9. Re:No word? by jdb8167 · · Score: 1

      Hmm, easy then. Tell any unsophisticated OS X user to always click cancel. Always. Now the user only has to go find the actual application on their disk and click on it deliberately in the finder.

      Go back to the same web page, if the dialog is gone, it was legitimate, if it still present when they go back then it is malware. Easy. Even the most unsophisticated user can follow those easy instructions. They are not going to get bombarded with this dialog. It is going to be a rare event for the average user.

      I think you are overstating the problem.

    10. Re:No word? by jdb8167 · · Score: 1

      In addition, the dialog only appears the first time you open an app and only if you open it with an associated URI or document. If the user opens the application by double-clicking the application icon, then it opens without a warning, as expected. The issue Apple had to solve is how to inform the user of a new association of documents or URI handlers. Apple has solved it in the only way I can think of.

    11. Re:No word? by merdark · · Score: 4, Insightful

      IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly.

      This is what clicking 'Yes' in the dialog box does. Explicitly runs an app.

      There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.

      With this you may as well remove the functionality completely, considering you just removed the only way to run a handler explicitly.

      There is no way around this. Either a user knows that an app is safe to run, or they don't. I haven't tried it yet so I don't know if this is the case already, but the ONLY solution to the user problem is the solution taken by windows. Every time the dialog pops up, put a phrase saying "If you don't understand, click no because you could be hax0red".

    12. Re:No word? by pudge · · Score: 1

      Tell any unsophisticated OS X user to always click cancel. Always.

      They won't hear you tell them, and they won't remember you told them. Even if it is in the dialog box itself -- which it is not -- it won't help.

      Even the most unsophisticated user can follow those easy instructions.

      No, they cannot.

      It is going to be a rare event for the average user.

      Which only hurts your argument, as infrequency dulls the memory. There is no chance, for some of them, that they will recognize the dialog box for what it is, and remember that you told them to do something, and remember what that thing is.

      I think you are overstating the problem.

      I am absolutely certain you are overestimating users.

      Any rule as or more complex than "don't open unknown email attachments" is a proven failure. How are you not getting this? If they can't follow that, which is far simpler, far easier to understand the problem, and happens far more frequently ... how can you reasonably expect they can follow what you say? You're not living in the real world.

    13. Re:No word? by drsmithy · · Score: 1

      Unlike Windows, running a new, untrusted application installed from the browser is a very unusual circumstance on the Mac.

      This might mean something to experienced, knowledgable users. The rest of them are just going to click "Yes".

      Since you can't do that without an Admin password, any legitimate Application already has to be installed with a user's consent.

      Since the default group for the first user is admin, most users will be running as an admin user and can happily copy stuff into /Applications with no prompting whatsoever.

    14. Re:No word? by pudge · · Score: 1, Insightful

      This is what clicking 'Yes' in the dialog box does. Explicitly runs an app.

      The user doesn't understand that, let alone its implications. Users are stupid. You must assume, for the sake of security, that the dialog reads "Kdas Huhuadsd Dudhasd Zdhasd." They will not understand it. I am not trying to be mean, I am not trying to be a snob, I am just being realistic.

      With this you may as well remove the functionality completely, considering you just removed the only way to run a handler explicitly.

      Remove the URI handling functionality? If that is what you mean, you're missing the point. You must run the app the first time. After that, a handler for it will work. The issue is a new app sneaking its way onto your system and being executed remotely.

      Every time the dialog pops up, put a phrase saying "If you don't understand, click no because you could be hax0red".

      It would be far better if the language were this strong (it is not), but even still, most users won't understand it. You must assume they won't understand the question you are asking them, because the fact is, they won't.

      And again, I am only so strict about this because it is a remote attack. Yes, users, can do lots of damage to their own system, of their own accord. But this attack will succeed if the user simply clicks the wrong button, and the fact is that they will.

    15. Re:No word? by coolgeek · · Score: 1

      Have either of you guys actually seen the text of this message?

      Neither have I but I am sure (because it's Mac OS X) it goes a lot farther to empower and help the user understand the implications of their actions than the 'Always Trust Content from Gator Corp.' dialog you get with Internet Exploder.

      --

      cat /dev/null >sig

    16. Re:No word? by jdb8167 · · Score: 1

      How is clicking Cancel when you see this dialog any more complicated than "don't open unknown email attachments"? Seems about the same level of complexity to me.

      And you are probably correct that some people will never learn and will eventually get hit by this potential problem. But I'm at a loss as to what you can do to prevent it. Any suggestions for the very weak minded who can't follow even the simplest of advice?

      There are untold numbers of things you can do to people who don't learn to distrust software delivered to them without their express cooperation. I don't see how you can ever solve that problem except by doing the Microsoft thing and preventing software from being installed unless it is approved by some central approval agency. I wouldn't want that for OS X.

    17. Re:No word? by pudge · · Score: 2

      Have either of you guys actually seen the text of this message?

      Yes, it is in one of the links I put in the story. :-)

      Neither have I but I am sure (because it's Mac OS X) it goes a lot farther to empower and help the user understand the implications of their actions than the 'Always Trust Content from Gator Corp.' dialog you get with Internet Exploder.

      It doesn't. It says "if you were not expecting this application to open, click Cancel." I am not arguing about this dialog specifically, but the fact of having a dialog at all, which will confuse and scare many users, and they will not understand what to do, no matter what it says. If I were arguing about this specific dialog box, my task here would be far easier, because it really stinks. :-)

    18. Re:No word? by pudge · · Score: 2, Insightful

      How is clicking Cancel when you see this dialog any more complicated than "don't open unknown email attachments"?

      You were talking about how the user would then go and find the application to open manually. Even if you had left it at only this point, it is more complicated because you are forced to make a choice, one you don't understand the meaning or ramifications of. With email attachments, you merely don't have to take a particular action.

      But I'm at a loss as to what you can do to prevent it.

      As I've said many times: DO NOT register apps until they are first explicitly launched. This dialog would not come up because the action would not be possible.

      There are untold numbers of things you can do to people who don't learn to distrust software delivered to them without their express cooperation.

      Yet another Excluded Middle fallacy. There are levels, and I am simply saying you should not rely on an on-the-spot user choice when it comes to a potential remote attack. This should be a bottom-line rule. What if Mac OS X were to pop up a dialog, saying, "An incoming packet on port 23 is detected, but telnetd is not currently running. Shall I start telnetd to allow the connection to go through?" That's what this is basically doing.

    19. Re:No word? by Anonymous Coward · · Score: 0

      > Tell any unsophisticated OS X user to always click cancel. Always.

      In that case there is no point in popping up a dialog. The functionality should just be off by default. Leave it to sophisticated users to turn it on themselves if they really want to. Security by default, you know?

    20. Re:No word? by shendart · · Score: 5, Funny

      You forget that we're not talking about the average user, but rather the average APPLE user.

      Everyone knows that we're taller, more attractive, more aromatically enticing, (prone to verbose grammer), and more intelligent than the average computer user.

    21. Re:No word? by Lars+T. · · Score: 5, Insightful

      What happened to the Apple HIG mantra "Press Enter and the safe option will be activated"?

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    22. Re:No word? by SilentChris · · Score: 1

      "On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue. "

      I can argue vehemently, without a doubt, that this is totally, utterly incorrect for most users. The average user can barely tell what an "application" is, let alone know what to click.

      It isn't clear in the screenshots (I'm going to test this on my iBook) whether or not Cancel is the default. If it's an IE 6 "press enter and OK is chosen automatically to install the searchbar/adware/spyware", OS X help desk people are still in a world of hurt.

      What they should do is similar to XP SP2: make Cancel the default on remotely triggered applications (all applications, which would cover installs). I can't tell you the number of times I've heard from secretaries that they pushed Enter on some random internet dialog box "without thinking".

    23. Re:No word? by troc · · Score: 1

      We are the Yogi Bears of the Computing World?

      Cool.

      Troc.

      --
      Troc's dubious podcast and blog: http://www.trocnet.net

    24. Re:No word? by geoffspear · · Score: 1

      So if a user has ever run Help.app, Safari should allow any webpage to run the Help.app remote exploits, since the user launched the program himself once?

      --
      Don't blame me; I'm never given mod points.

    25. Re:No word? by pudge · · Score: 1

      I never implied any such thing, sorry. This is only one piece of the puzzle. Every app that Apple has that accepts data from URI handlers must be audited to make sure it does nothing potentially unsafe with that data. They are two separate, but related, issues.

    26. Re:No word? by baur · · Score: 2, Insightful

      Yet another Excluded Middle fallacy

      You know, you keep saying that, but it sounds like you are doing the same thing. You seem to be claiming that no "typical" users are smart enough to figure out what's going on. There are not just smart and dumb users, there is a range. Designing things like this means striking a balance between security and convenience. There are no hard-and-fast rules about it.

      The main reason I responded though was just to complain about your analogy. It doesn't fit. The remote exploit that this is all about is not completely automatic. It requires the user to browse the internet to a malicious site. Your example describes a more dangerous situation where a user's machine is at risk randomly and needs only to be connected for it to happen.

      My only reason for mentioning this is that, since the user is already actively involved in the process, it's not a great leap to have some instructions on the site like: "A new volume should show up on your computer, please double click the file in there to see the cool cartoon."

      I know what you're going to say, this is an "Excluded Middle Fallacy." No more than what you've proposed. What I'm trying to say (and I suspect a few others) is that you have to trust the user to do the right thing *at some point* - although I'll grant it's debatable at what point that occurs. There is some anecdotal evidence that dialogs are not always read and understood, but this still turns an automated exploit into one that requires an extra step of user interaction. This is not a dialog that users will see frequently, and so it isn't one that they will become jaded by. I understand your position, but - for me - it restricts features a little too much. There are cases where you would want to say "Ok" to this dialog (like a help:// tag, for example - I would be very annoyed if I had to go and find the help app just to launch it once before it could be used). There are other situations as well.

      As I've said many times: DO NOT register apps until they are first explicitly launched.

      This sounds good on the surface, but think about it - do you want to have to explicitly launch every helper app before it gets used automatically? (Although it's not quite true, let's assume this affects pre-installed apps as well.) Want to unstuff an app? Sorry, you need to hand launch Stuffit Expander once first. Want to use the Citrix client to connect to a remote server? Sorry, gotta launch the client once (never mind that it makes no sense to do so without a connection file).

      I don't want to deal with that, because I don't like my computer getting in the way of what I'm doing - and I don't feel that it's a great compromise of security to have a dialog box appear (although I do think the default should be cancel).

    27. Re:No word? by pudge · · Score: 1

      You know, you keep saying that, but it sounds like you are doing the same thing.

      But I am not.

      You seem to be claiming that no "typical" users are smart enough to figure out what's going on.

      I claimed no such thing, sorry. I never said or implied anything similar to that. What I said is not that NO typical users will, but that SOME will not.

      The main reason I responded though was just to complain about your analogy. It doesn't fit. The remote exploit that this is all about is not completely automatic. It requires the user to browse the internet to a malicious site.

      Only if you define "malicious" loosely. Due to the great many sites that allow comments to be posted on them, many of which have XSS vulnerabilities, this simply isn't the case with most definitions of "malicious." If someone found a way to exploit Slashdot so you could redirect a user, then boom!

      [Now, of course, right now, there is no known way to automatically get an app registered in the first place, because the various disk/afp/etc. handlers were apparently closed. But that doesn't mean a new way won't be found, so it's beside the point.]

      This sounds good on the surface, but think about it - do you want to have to explicitly launch every helper app before it gets used automatically?

      For the first time? Yes, absolutely. No question about it. This is precisely what I want. No app gets launched until I do the launchin'.

      Want to unstuff an app? Sorry, you need to hand launch Stuffit Expander once first.

      Since Expander comes preinstalled, Apple can grandfather it in, like all other preinstalled apps.

      Want to use the Citrix client to connect to a remote server? Sorry, gotta launch the client once

      Good! How is this a problem? You install a new app, so you run it once. This is not hard, difficult, or burdensome in any reasonable way. I agree that there is a SLIGHT burden that WOULD be useless if there was no reason for it, but clearly, here, there is a security problem, that entirely mitigates this slight burden.

    28. Re:No word? by squiggleslash · · Score: 2, Informative

      You don't have to put an Application in /Applications for it to be runnable.

      The only reason it's slightly harder to run an OS X app from the browser is that OS X apps tend to be whole directories rather than just a single file, and older OS 1-9 files have "forks" which the standard Web download model doesn't really support. Of course, there's always AppleScript.

      "Installing" an OS X app is a matter of putting it on your disk. Anywhere. (Well, anywhere except the Trash can.) You can put it on your desktop, you can put it in your Documents folder, you can put it pretty much anywhere. You can associate a file with it, run it, move it somewhere else, and still have that file open your moved program.

      It's all rather funky. But, no, there's no security provided by the /Applications folder, and indeed /Applications is writable by most users by default anyway.

      --
      You are not alone. This is not normal. None of this is normal.
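daveschroeder's post above explains that the OS learns a new handler (his example is 'feed:') as soon as it registers the application, and squiggleslash's post just above points out that a bundle anywhere on disk, not only in /Applications, gets registered. The following is an added example for this thread, not code from Apple or from any poster: an audit script that finds which .app bundles claim which URL schemes by reading the CFBundleURLTypes / CFBundleURLSchemes keys in each bundle's Contents/Info.plist (these are the real Launch Services keys; everything else here is constructed). It walks arbitrary roots so a bundle sitting on a mounted disk image is found too, and flags any scheme whose handler lives outside a set of roots you choose to trust, or that is claimed by more than one app. The demo tree, the app names in it, and the "trusted roots" policy are hypothetical.

```python
"""Audit which OS X application bundles claim which URL schemes.

Added example for this thread, not Apple's code or any poster's code. It
assumes only the real Launch Services convention that a bundle declares
its scheme claims in Contents/Info.plist under CFBundleURLTypes ->
CFBundleURLSchemes. Everything else (bundle names, directories, the
"trusted roots" policy) is constructed for the demo.
"""
import os
import plistlib
import tempfile


def scheme_claims_from_plist(data):
    """Return the lower-cased URL schemes one Info.plist claims, [] if none."""
    try:
        info = plistlib.loads(data)
    except Exception:  # not a readable plist: treat as claiming nothing
        return []
    schemes = []
    for url_type in info.get("CFBundleURLTypes") or []:
        for scheme in url_type.get("CFBundleURLSchemes") or []:
            schemes.append(str(scheme).lower())
    return schemes


def find_scheme_handlers(roots):
    """Map scheme -> [bundle paths] for every *.app found anywhere under roots.

    Launch Services registers a bundle wherever it sees one (Desktop, a
    mounted disk image, ~/Documents), so the audit walks arbitrary roots
    rather than just /Applications.
    """
    handlers = {}
    for root in roots:
        for dirpath, dirnames, _files in os.walk(root):
            for name in list(dirnames):
                if not name.endswith(".app"):
                    continue
                dirnames.remove(name)  # do not descend into the bundle itself
                bundle = os.path.join(dirpath, name)
                plist = os.path.join(bundle, "Contents", "Info.plist")
                if not os.path.isfile(plist):
                    continue
                with open(plist, "rb") as fh:
                    for scheme in scheme_claims_from_plist(fh.read()):
                        handlers.setdefault(scheme, []).append(bundle)
    return handlers


def review_handlers(handlers, trusted_roots):
    """Return (scheme, reason, bundles) findings worth a second look.

    A claim is flagged when the handler lives outside the trusted roots
    (e.g. an app that arrived on a mounted image) or when several apps
    claim the same scheme, since the system then decides which one a
    link will launch.
    """
    trusted = tuple(os.path.join(os.path.abspath(r), "") for r in trusted_roots)
    findings = []
    for scheme, bundles in sorted(handlers.items()):
        outside = [b for b in bundles if not os.path.abspath(b).startswith(trusted)]
        if outside:
            findings.append((scheme, "handler outside trusted roots", outside))
        if len(bundles) > 1:
            findings.append((scheme, "multiple handlers claim scheme", list(bundles)))
    return findings


def _write_app(parent, name, schemes):
    """Create a minimal constructed bundle with the given scheme claims."""
    contents = os.path.join(parent, name + ".app", "Contents")
    os.makedirs(contents)
    info = {"CFBundleIdentifier": "example." + name.lower()}
    if schemes:
        info["CFBundleURLTypes"] = [
            {"CFBundleURLName": name + " URL", "CFBundleURLSchemes": schemes}
        ]
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        fh.write(plistlib.dumps(info))


def run_demo():
    """Build a constructed tree of hypothetical apps and audit it."""
    tmp = tempfile.mkdtemp(prefix="lsaudit-")
    apps = os.path.join(tmp, "Applications")
    image = os.path.join(tmp, "Volumes", "FreeCartoon")  # stands in for a mounted .dmg
    os.makedirs(apps)
    os.makedirs(image)
    _write_app(apps, "Safari", ["http", "https"])
    _write_app(apps, "NetNewsWire", ["feed"])
    _write_app(apps, "TextEdit", [])
    _write_app(image, "Cartoon", ["feed", "cartoon"])  # never launched by the user
    handlers = find_scheme_handlers([apps, image])
    findings = review_handlers(handlers, trusted_roots=[apps])
    return handlers, findings


if __name__ == "__main__":
    found, flagged = run_demo()
    for scheme, bundles in sorted(found.items()):
        print("%-10s %s" % (scheme + ":", ", ".join(bundles)))
    for scheme, reason, bundles in flagged:
        print("FLAG %s: %s -> %s" % (scheme, reason, bundles))
```

On a real machine you would call find_scheme_handlers with /Applications, ~/Applications, the Desktop and every entry under /Volumes, and treat anything flagged as the list of apps you would want to think about before clicking "Open" in Apple's new dialog. Reading Info.plist is only an approximation of what Launch Services itself has registered; a stale or disabled bundle may differ from the live database, so the script is a check, not a replacement for the OS's own bookkeeping.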

    29. Re:No word? by Anonymous Coward · · Score: 0

      Okay.

      In a revision, the default behavior will be to kick the user in the nuts if he tries to open an application in that context.

    30. Re:No word? by TechniMyoko · · Score: 1

      You didn't have to post as Anonymous Coward, I'm sure many of us have to do the same thing, I do all the time. There's not a computer I touch that I don't install Ad-Aware on.

    31. Re:No word? by rixstep · · Score: 1

      Thank you, Dave, that was very well put. I must also say that after wandering through the Apple documents at the URLs below, I am duly impressed. It's clear to me Cupertino are very concerned about anyone punching holes in their OS. If others (nod towards Redmond) could show the same concern and efficiency... Really, I am impressed, and I don't fall for that very easily. I really hadn't expected Apple to do anymore. I should have been more patient. Cheers.

      http://docs.info.apple.com/article.html?artnum=25785
      http://docs.info.apple.com/article.html?artnum=108009

    32. Re:No word? by Anonymous Coward · · Score: 0

      prone to verbose grammer

      And spelling bloopers too evidently.

    33. Re:No word? by rixstep · · Score: 1

      I disagree. ActiveX is one thing, but as they've all pointed out, if this is the first you've heard of the app (and you're told even where it's located) it's a pretty good clue if you are ever going to know what you're doing - and if you aren't, then precious little will help you.

      A lot is dependent on the system becoming aware of schemes and file types. I don't take it as a given that a new file type will be recognised simply because I've unzipped a package off the net with its handler inside. I do expect the file types (and schemes) to be recognised once the handler runs. If the system automatically checks DMGs when it opens them - then OK, yes, there is a minimal danger. But I hate DMGs anyway and personally avoid them because I can't know exactly what's going on inside and with the system. There is a great comfort in gzip and bzip2... And funky malicious DMGs are going to get past any sort of speed bump here anyway - just as an installer that asks for your administrator passphrase can do it (one more reason to give that passphrase to no one).

      Does anyone remember what MS did after ILOVEYOU? They recommended people not open attachments that belonged to messages with the 'I Love You' subject line. Outlook was made to stop when opening any attachment with a script. No, it's nuts to have scripts in email, but the Apple solution is to raise an eyebrow to anything that's not been run on the system before - that's the essence of it: if you've run it, and are still here, it's probably all right. Maybe you can have it fairer than that, but I don't see how at the moment.

    34. Re:No word? by Anonymous Coward · · Score: 0

      Exactly how do you propose an operating system is going to audit all code in realtime for possible malfeasance?

    35. Re:No word? by Anonymous Coward · · Score: 0

      So the first time I try to run any app you're going to disallow it?

      That should work great in the debugger.

      What happens if I just go ahead and try to run it again?

    36. Re:No word? by rixstep · · Score: 1

      Wording and wording...

      It's my impression Apple got at the crux of the issue: indirectly running code you know nothing about. If you've run the code before and are still here...

      You can argue till the end of the year whether the wording is appropriate, or how many nimrods will get 0wned anyway, but the technical side of it is very well I think: the essence of the 'hole' was that any protocol could be made up. This does a good job of watching out.

    37. Re:No word? by rixstep · · Score: 1

      Kdas Huhuadsd Dudhasd Zdhasd

      I ate there once. Great place, great food, great service. I left a huge tip,

    38. Re:No word? by pudge · · Score: 1

      "In realtime"? I am talking about developers fixing applications. For example, Apple developers looking at Help Viewer.app and saying, "OK, we accept all this data from URI handlers, and we do this with that data. Is anything here potentially dangerous?" And then they either remove runscript, or they restrict its use internally (which is what Apple chose), or they take some other measure to prevent the unsafe operation. This work is *necessary*, not optional, no matter what else Apple does to attempt to prevent abuse.

    39. Re:No word? by pudge · · Score: 1

      So the first time I try to run any app you're going to disallow it?

      No. This is all over your head, isn't it? The problem is that apps are automatically registered, and can be run *for the very first time* without *explicitly* running the application (such as, by opening a file of a certain type, or using a URI handler). "For the first time" is the key here: no app should be automatically registered, and should require explicit execution before it is registered. After this initial execution, everything else would be normal.

      Requiring that a user manually run an application for the very first time is not a significant burden for the overwhelming majority of users.

    40. Re:No word? by pudge · · Score: 1

      You can argue till the end of the year whether the wording is appropriate, or how many nimrods will get 0wned anyway, but the technical side of it is very well I think: the essence of the 'hole' was that any protocol could be made up. This does a good job of watching out.

      Only if you understand the warning message (or have access to someone who does, who can tell you what to do). If you don't, then all it's done is reduce your chances of being exploited by 50%.

    41. Re:No word? by Angostura · · Score: 1

      And what if the application is such that it makes no sense for it to be invoked by the user? (such as a daemon or somesuch)

    42. Re:No word? by Angostura · · Score: 1

      How's Apple going to fix the problem of users not understanding the dialogue boxes which say 'Do you want to save changes you made to this document?'.

    43. Re:No word? by pudge · · Score: 1

      Who cares? Run it once, it won't hurt you.

  2. No word is given? by cbiffle · · Score: 4, Informative

    That's not entirely true. The KB article linked from the SecUpd description provides a screenshot of the approval dialog.

    Basically, it notes that the app is being started for the first time, and it says that unless you expected to see that app come up in response to whatever you just did, kill it by pressing 'Cancel.'

    I think this is a pretty good way of handling the situation. They could have left the hole unplugged, or simply disabled the functionality in general. The dialog box strikes me as a good compromise.

    However, I do think a little more info might be nice, like how long ago the app was installed, etc. Might make it harder for a new app to masquerade under the name of an old app.

  3. Sure there is. Well, sorta. by Anonymous Coward · · Score: 3, Informative

    If you read the links Apple provided, you will eventually end up here: http://docs.info.apple.com/article.html?artnum=25785

  4. Usability Growing Pains by yotaku · · Score: 2, Interesting

    It sounds to me that Apple is beginning to have the problems that Windows suffers from. The impossible task of making an OS user friendly enough for an average user, while maintaining security. The integration of the URI stuff is needed for usability reasons, but it does present a huge problem from a security angle. Usability research on Windows has shown that in most cases these dialogs do not help the average user. The average Joe does not understand the dialog, and when they don't understand it, you know what they do? They hit a random option.

    I welcome Apple to the problems of making an OS for people other than the tech savvy.

    1. Re:Usability Growing Pains by MoneyT · · Score: 4, Interesting

      I wonder if there's any benefit to how the dialogue is worded. Many of the ones I see often say "If you trust this document to be certified click OK" or "If you're sure you want to do this, click OK". Essentially it tells you to click OK. This dialogue asks you if you're sure you want to open an application and specifically says that if you were not expecting this, to click cancel.

      Who knows, it might be a good experiment.

      --
      T Money
      World Domination with a plastic spoon since 1984
    2. Re:Usability Growing Pains by baur · · Score: 2, Interesting

      I think they've done a decent job of avoiding knee-jerk reactions on this one. The way it's designed, the dialog will very rarely come up, so the user will (hopefully) not become jaded as to its meaning. When it does appear, it should seem out of the ordinary, causing most reasonable people to at least give it a quick read.

      Does this solve the problem completely? Of course not, but this is a fairly good solution that covers most cases, makes the majority of people more secure and doesn't keep me from using my computer the way I want to.

    3. Re:Usability Growing Pains by lullabud · · Score: 2, Informative
      I welcome Apple to the problems of making an OS for people other than the tech savvy.

      OS for people other than the tech savvy? I think Apple's been doing that for a looooong time. However, making an OS that doesn't suck for the techies yet remains usable for the dummies is another story.

      All in all though I think they've done a fine job. My mom got an iBook about 8 months ago and She hasn't called me with questions for the last 6 months. When she had Windows she called me frequently... for years...
    4. Re:Usability Growing Pains by hondo77 · · Score: 2, Informative

      I welcome Apple to the problems of making an OS for people other than the tech savvy.

      Um, yes...because...goodness knows...that Apple, um...hasn't been doing that for the past twenty years! What other company could you possibly be comparing them to with a statement like that?

      --
      I live ze unknown. I love ze unknown. I am ze unknown.
    5. Re:Usability Growing Pains by Lars+T. · · Score: 1

      Whenever I think that, something in Windowsland will get worse. There's a new bug in (fully patched) IE that will let any webpage download and execute arbitrary code on your computer. And it has been used in the wild for quite some time - no hypothetical exploit.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    6. Re:Usability Growing Pains by kerry-buckley · · Score: 1
      I welcome Apple to the problems of making an OS for people other than the tech savvy.

      You don't think twenty years' experience of making "computers for the rest of us" might have given them some insight in this area already?
    7. Re:Usability Growing Pains by mbbac · · Score: 4, Insightful

      It also doesn't say 'OK' or 'Cancel.' Like most good Mac dialogs, it uses action verbs. In this case the options are 'Open' or 'Cancel.'

      --

      mbbac

    8. Re:Usability Growing Pains by argent · · Score: 1

      It is NOT an impossible task.

      It is possible to prevent this entire class of attacks while retaining user-friendliness.

      The way you do this is realise that the Internet is a hostile environment, and that the services and resources appropriate for local applications are NOT always the right thing to open when requested by a remote and untrusted web page. Some protocols simply make no sense for remote requests (mounting a disk, for example, opens up a whole class of potential attacks), and in other cases you want to provide a different interface for untrusted data.

      On Windows, if you use Internet Explorer and Outlook, you're using the same list of helper applications for both local and remote requests. If you use other webservers and mail readers you're using different lists, because they're not implemented using the Microsoft equivalent of Webkit and LaunchServices.

      When Microsoft merged the desktop and the browser, almost a decade ago, I managed to get IE and Outlook banned at work. We continued to use other Windows-based applications like Netscape and Eudora, we just avoided the Microsoft HTML control. I didn't know *what* would break, but I knew that this opened up a new class of exploits... and should be avoided.

      The result? Despite using no other antivirus techniques for many years we had no major virus outbreaks... and the people who did get infected were often using Outlook against our policy. We eventually deployed A/V software, but so did other parts of the company and we remained a relatively virus-free outpost... until they integrated our domains and tossed the "no IE" policy out the window...

      Apple is following the same path, but they have also convinced other browser makers to use LaunchServices as well. This has the potential of being a worse security nightmare than Windows and IE/Outlook!

      Just split out a "WebServices" from "LaunchServices", and restrict "WebServices" to those protocols that make sense for a web page. This won't prevent an application from using the full LaunchServices where it needs to, but it will give it a way to know what protocols it should expose to the Internet.

    9. Re:Usability Growing Pains by rixstep · · Score: 1

      Sorry, but this is so much unadulterated tommy-rot.

      Microsoft have never tried to make their operating systems 'user friendly enough for the average user'. There is no such thing in the Microsoft camp. Microsoft have equipped their software with 'showroom flash', fully aware of the fact that most users dating back to 1995 have not had a clue about inherent dangers while surfing like that online.

      Further, Microsoft's typical answer to JavaScript was a scripting system that did not respect security as JavaScript did. F-Secure, at the time of the ILOVEYOU outbreak, noted that the features in Microsoft scripting that caused the damage were features almost no one ever used. So much for 'user friendliness'.

      Further, the Microsoft target demographic is invariably not the 'average user' but the 'way below average user'. Gates is a pusher man. If all he wanted to do was get a product out that both addressed the needs of the 'real average' user and also provided a gratifying learning curve, the 'average users' you reference would be left in the cold. Microsoft's 'average users' are the 'dumb users' - the people with no inherent aptitude for even sitting at a keyboard. Microsoft see these people as crucial, for the ambition is not to get a computer in every home and on every office desktop, but to sell software to all those locations and have a monopoly there as well. By cutting out the intelligent users and even the average users and by directing software towards the truly cerebrally disenfranchised, Microsoft hope to reach that goal, even more than they have today.

      Many are the constant complaints about the fact that there is no gradient in using Microsoft technology. Things may seem crystal clear when you first boot into a Microsoft system for the first time. But they're aggravating for ordinary users as well because they spell out way too many things. And then of course there's real annoyances like Clippy. Once the user understands how the system works, the user wants to streamline his workday, and to do that he must circumvent all these 'user friendly' features which become tantamount to a bad marriage: way too much interactivity. Most people are NOT that stupid, and referring to them as 'average' is simply wrong.

      The parent also implies that Microsoft have done far more work and are miles ahead of Apple in all respects, which is just downright ridiculous. Apple may be new at the 32-bit protected mode game, but Unix is not, and Microsoft will never come close to even the shadow of Unix.

  5. How will they know? by teamhasnoi · · Score: 4, Funny
    With a non-descriptive name like EvilWare, how is anyone going to know if it is ok or not?

    Yes, I was just about to hit SubmitStory, and yes, I'm still bitter. ;P

    1. Re:How will they know? by ernstp · · Score: 1

      If you
      1) go to a webpage (and only that!)
      2) and suddenly an application launches,
      without you doing anything, you know you don't want it to open!

      I assume Cancel is the default button?

    2. Re:How will they know? by jimbolaya · · Score: 4, Funny

      Notice that the name of the application in the image has been changed. Apple had to stop using the name "EvilWare" because that product is trademarked by Microsoft.

      --

      There ain't no rules here; we're trying to accomplish something.

  6. Change in text maybe? by wedding · · Score: 5, Insightful

    I like the idea, but couldn't the wording of the alert be simpler?

    Why not ask "The document you're opening is trying to open and run _____. If you don't want to do this, click CANCEL."

    The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.

    1. Re:Change in text maybe? by cheide · · Score: 2, Insightful

      The goal here is to get the user to think "Hey, I wasn't expecting this! Hmmm, if I wasn't expecting it, then I better cancel it..." People tend to become complacent and click Yes/OK to any old 'plain' dialog that comes along, though, so wording that has a bit of a warning tone to it and an attention-grabbing graphic might get them to take notice.

      Of course then the danger is that they might be too cautious and cancel it when they should have let it run, and then their app or web page doesn't work, but at least that's a safer failure mode.

    2. Re:Change in text maybe? by PierceLabs · · Score: 3, Insightful

      True, but the occurrence of that is currently pretty rare since most people never really encountered the URI exploit in the wild and almost no real application would require that functionality to be exposed to the user in that manner.

      I think this fix is reasonable in that it won't be popping up all the time and when it finally does - it will look out of place and the default behavior should be to cancel (not allow) the operation to continue.

    3. Re:Change in text maybe? by justMichael · · Score: 5, Insightful
      The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.
      While this is true in Windows, the dialogs are worded very poorly and usually only have OK CANCEL. The dialogs in OS X are usually worded in such a way as to make sense and the buttons usually have words on them directly related to what they do.

      Even in this example, Cancel Open, so you know even without reading the dialog that one button is going to open something and the other is going to cancel.

      Whereas OK CANCEL is completely reliant on someone reading the dialog (not normally going to happen) or clicking OK and seeing what happens.

      The action you are trying to perform will destroy data and we have stopped it, do you wish to allow it to continue? OK CANCEL

      The action you are trying to perform will destroy data, do you want us to stop this from happening? OK CANCEL
  7. Doesn't break Paranoid Android by teamhasnoi · · Score: 4, Funny
    I've just confirmed that Paranoid Android still works, and hollers about the exploit before Apple's fix.

    What that means, I don't know. I'm an Apple user. Hold me.

  8. Doesn't work? by MoneyT · · Score: 3, Informative

    Well this one is odd to me. The update didn't appear to work. Trying the tests at the following link I get the following:

    4 tests

    The first one does not execute, but no dialogue is presented.

    The second one executes.

    The third does not execute, but does launch help viewer, no dialogue.

    The fourth does not mount or execute on the volume, but does launch a terminal trying to access the volume.

    The only reason I can think of why this didn't take may be because I have PA installed but disabled, and it may be interfering with the patch.

    Is anyone else having this issue?

    --
    T Money
    World Domination with a plastic spoon since 1984
    1. Re:Doesn't work? by jokell82 · · Score: 4, Informative
      My experience, having never installed PA:

      • First does not execute, no dialog presented.
      • Second one does not execute, but does connect to the FTP (which I would expect it to do), again no dialog.
      • Third launches help viewer, but does nothing else, no dialog.
      • Fourth does not mount or execute the volume, but does launch the terminal, again no dialog.

      It appears to be all fixed, as some of the methods to install the exploits still work, but the exploits themselves do not run. I wonder if anyone will find a way around the fixes.
      --
      I dunno who it is
      but it prolly is fhqwhgads.
    2. Re:Doesn't work? by MoneyT · · Score: 1

      On the second one, after the FTP loads, reload the page and see if it executes.

      --
      T Money
      World Domination with a plastic spoon since 1984
    3. Re:Doesn't work? by jokell82 · · Score: 1

      I did, it didn't. All it did was try to connect to the ftp again.

      --
      I dunno who it is
      but it prolly is fhqwhgads.
    4. Re:Doesn't work? by MoneyT · · Score: 1

      Also on the 4th, does it launch the terminal and attempt to access the disk or just launch the terminal?

      --
      T Money
      World Domination with a plastic spoon since 1984
    5. Re:Doesn't work? by jokell82 · · Score: 1

      It launches the terminal and tries to fire up ssh. Here's the terminal contents:

      ssh: a -F /Volumes/ssh/config: No address associated with nodename
      [Process exited - exit code 255]

      --
      I dunno who it is
      but it prolly is fhqwhgads.
    6. Re:Doesn't work? by gsfprez · · Score: 0

      this exploit is not fixed.

      test 1 - nothing seems to happen - no autostart, no dialog... no nothing.

      test 2 - "idisk" mounts, but it brings up the new dialog.

      test 3 - help viewer launched and remote disk "idisk" mounted. Then it sat there. If there would have been folder actions associated with this share - I'm sure I would have been boned.

      test 4 - terminal launches, and attempts to connect to a remote site - appears that if it were a malicious site, it would have worked.

      I have nothing from insanity installed, and I've changed no options in Safari other than to enable tabbing.

      damnit.

      --
      guns kill people like spoons make Rosie O'Donnell fat.
    7. Re:Doesn't work? by FredFnord · · Score: 4, Insightful

      > test 2 - "idisk" mounts, but it brings up the new dialog.

      That's the fixed part.

      > test 4 - terminal launches, and attempts to connect to a remote site -
      > appears that if it were a malicious site, it would have worked.

      A malicious... telnet... site? Er, whee, lookit the pretty birdies.

      The telnet: URL handler is *supposed* to open a telnet connection. It doesn't install any code, it doesn't download anything, it doesn't even execute any commands. It just opens a telnet connection.

      The issue that is fixed here is having a disk image mount and create a new URI handler, and then a redirect on your web browser launching the application using the new handler.

      This doesn't affect telnet handlers, which are already registered and don't run anything on random mounted disk images.

      It doesn't affect helpviewer, which has already been patched and fixed. That is, helpviewer can no longer run arbitrary scripts, so the fact that the disk image mounted doesn't make a damn bit of difference.

      Basically, don't post warnings about things you have no clue about.

      -fred

      --
      Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
    8. Re:Doesn't work? by Anonymous Coward · · Score: 0

      My guess is that your previously running those test exploits (before installing the security update) registered the test applications as having been explicitly approved. So you didn't get a dialog.

      What's the reasoning behind this, if it is the case? Since there have not been any real exploits yet, Apple is probably assuming that no one has ever launched one on their Mac, and so anything they have launched counts as "safe" (already explicitly approved).

      So basically, you need to try the exploits on a different Mac.

    9. Re:Doesn't work? by dunderwo · · Score: 3, Informative

      this exploit is not fixed.

      Yes it is.

      If you ran the test exploits before installing the update, then the applications that they run are already "trusted" in the sense that they were already on your computer as registered handlers for those URI types, so the dialog does not appear (if the dialog appeared for every preexisting application on your computer, then its meaning would be diluted to the point of uselessness). Since these proof-of-concept applications are harmless, there's nothing to worry about. Any new applications run by a URI will make the dialog appear as it should.

    10. Re:Doesn't work? by MalleusEBHC · · Score: 1

      The parent brings up a good point. I just tried all the linked exploits from the grandparent on a PowerBook that I have tried no exploits on so far.

      The first one does nothing.

      The second one mounts the volume "idink" and presents me with the new dialogue.

      The third doesn't mount a volume, but it launches the Help Viewer.

      The fourth doesn't mount a volume, but it pops up Terminal.app with the ssh command mentioned earlier.

      That's a nice 0 for 4, but given that I only got the dialogue on one, I tried three (AFP, FTP, and Disk) of the tests on http://test.doit.wisc.edu/. On all three, the volume mounted properly and I got the dialogue. As far as I can tell, everything is fine now. Maybe you just need to remove the previously registered helpers.

    11. Re:Doesn't work? by Anonymous Coward · · Score: 0

      I am the grandparent. Hi. :-)

      Considering that you report the same results (for the group of four exploits, not the three you tried in the last paragraph there) as the great-grandparent, perhaps he's right after all, although it looks like someone else has chimed in to support me, so...big fat *shrug*

      It still seems to me like things are fixed, until someone can prove otherwise.

      Yeah, real helpful post, I know. :-D

    12. Re:Doesn't work? by Have+Blue · · Score: 3, Informative
      • First exploit succeeds.
      • Second exploit brings up the warning dialog.
      • Third exploit launches Help Viewer but fails to execute the payload.
      • Fourth exploit launches terminal, fails to execute payload.
    13. Re:Doesn't work? by argent · · Score: 1

      if the dialog appeared for every preexisting application on your computer, then its meaning would be diluted to the point of uselessness

      Since the exploit was found in existing code that almost any user would already have run, how precisely would this have provided any protection?

      Basically, this dialog provides nothing but a false sense of security.

      The real fix is to have a separate list of URIs that browsers and other programs using untrusted software will use. Not only are many applications unnecessarily being exposed to exploits, but in many cases the behaviour appropriate for trusted and untrusted data sources is quite different (for example, "open ftp://server/path/to/directory" could reasonably mount that directory on your desktop, but "a href=ftp://" should bring up a listing in a browser).
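      Added illustration (not Apple's LaunchServices code, nor argent's): a small Python model of the two dispatch policies argued about in this comment and in argent's earlier "WebServices" reply, the update's first-run approval gate versus a separate scheme list for web-originated requests. The class and function names, the sample handler table and the `REMOTE_SCHEMES` list are assumptions made for the illustration.

```python
"""Model of the two URI-handler dispatch policies argued about in this thread.

Added illustration, not Apple's LaunchServices code. The class and function
names, the sample handler table and the remote scheme list are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Origin(Enum):
    LOCAL = "local"    # user opened a document or typed the URL
    REMOTE = "remote"  # web page, HTML mail, META REFRESH redirect


class Decision(Enum):
    OPEN = "open"          # hand the URL to the registered application
    ASK_USER = "ask user"  # show the first-run approval alert
    BLOCK = "block"        # no handler, or scheme not exposed to remote content


@dataclass
class HandlerRegistry:
    handlers: dict = field(default_factory=dict)  # scheme -> application
    approved: set = field(default_factory=set)    # apps already run/approved

    def register(self, scheme: str, app: str, approved: bool = False) -> None:
        self.handlers[scheme.lower()] = app
        if approved:
            self.approved.add(app)

    def approve(self, app: str) -> None:
        """What clicking 'Open' in the alert does: remember the application."""
        self.approved.add(app)


def first_run_policy(reg: HandlerRegistry, url: str, origin: Origin):
    """Policy 1, the update as described in the thread: every registered
    scheme is dispatched, but an application that has never been run is
    gated by an approval alert, and only when the request is remote."""
    scheme = urlsplit(url).scheme.lower()
    app = reg.handlers.get(scheme)
    if app is None:
        return Decision.BLOCK, None
    if origin is Origin.REMOTE and app not in reg.approved:
        return Decision.ASK_USER, app
    return Decision.OPEN, app


# Assumption: the short list of schemes a web page may legitimately trigger.
REMOTE_SCHEMES = frozenset({"http", "https", "ftp", "mailto"})


def split_list_policy(reg: HandlerRegistry, url: str, origin: Origin):
    """Policy 2, argent's proposal: remote requests are confined to a
    separate, smaller scheme list before the normal dispatch rules apply,
    so a handler Apple ships (already 'approved') is not reachable from
    a web page unless its scheme is on that list."""
    scheme = urlsplit(url).scheme.lower()
    if origin is Origin.REMOTE and scheme not in REMOTE_SCHEMES:
        return Decision.BLOCK, reg.handlers.get(scheme)
    return first_run_policy(reg, url, origin)


def build_sample_registry() -> HandlerRegistry:
    """Constructed sample data: system handlers count as already approved,
    a just-installed RSS reader claiming 'feed:' does not."""
    reg = HandlerRegistry()
    for scheme, app in [("http", "Safari"), ("ftp", "Finder"),
                        ("disk", "DiskImageMounter"), ("help", "Help Viewer"),
                        ("telnet", "Terminal")]:
        reg.register(scheme, app, approved=True)
    reg.register("feed", "NewsReader")  # never run yet
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    cases = [
        ("feed://example.invalid/rss", Origin.REMOTE),
        ("feed://example.invalid/rss", Origin.LOCAL),
        ("disk://example.invalid/image.dmg", Origin.REMOTE),
        ("ftp://example.invalid/pub/", Origin.REMOTE),
        ("evil://example.invalid/", Origin.REMOTE),
    ]
    for url, origin in cases:
        a, _ = first_run_policy(reg, url, origin)
        b, _ = split_list_policy(reg, url, origin)
        print(f"{url:36} {origin.value:7} first-run={a.value:9} split-list={b.value}")
    # After the user approves the reader once, remote feed: URLs open silently.
    reg.approve("NewsReader")
    print("after approval:", first_run_policy(reg, cases[0][0], Origin.REMOTE)[0].value)
```

      The `disk:` and `help:` rows are where the two policies diverge: the first-run gate lets an already-approved system handler through from a web page, while the split list refuses it.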

  9. Dumb People... by wwvuillemot · · Score: 5, Interesting
    No word in given regarding how the average user should know whether or not to approve the request.

    What I do not understand is how you can completely eliminate danger from ill-formed people. The fact of the matter is that people are responsible for using computers. We can either have completely dumbed-down OS's (namely, companies such as Apple and M$ take complete responsibility for every sort of security issue and to do so ensure they strictly limit our use of their products to help mitigate their risk to such a godly -- and equally inane -- level of responsibility) or we accept the fact that the end-users have some responsibility, too. So how should the user know whether to accept or deny...read a book, google it up, or any other of a thousand ways people have spent millennia educating themselves...

    Granted, the dialog that Apple has implemented could include some more information, but it is certainly in the right direction. As I am away from a Mac for a week, I am not positive how the new system works. I am not sure if you can say "Always permit this URI..." or if permission is on a per session basis. If the latter that might become annoying...and it might be nice to say "Forever Accept/Deny" in those cases where I feel confident that I can/should do that. Having said that, the one thing that I'd like to see is a list of those apps/URIs I have granted/stripped permission to/from so I have better management over the system....esp. after I FUBAR and grant permission to EvilWare!

    1. Re:Dumb People... by argent · · Score: 1

      The dialog that apple provides doesn't do anything to protect the user, because the problem is not that you're launching an application through a URI, but how it's being launched and from where it's being launched. Also, the dialog isn't called for Apple's own tools.

      As proof of the ineffectiveness, if this had been in place when the "help:" hole was discovered, it wouldn't have triggered: it's Apple's own tool!

      I am not installing this update, because it interferes with Paranoid Android, which actually DOES provide some protection.

      More info on my page:

      http://www.scarydevil.com/~peter/io/apple.html

  10. More information by MoneyT · · Score: 1

    Upon removal of PA (but keeping APE) and a reboot:

    The first does not execute and no dialogue is presented.

    The second does not execute, it mounts the server and brings up the dialogue.

    The third does not execute but does launch the help viewer.

    The fourth does not execute but launches the terminal as per the thread in the replies above this one.

    --
    T Money
    World Domination with a plastic spoon since 1984
  11. Dang it! by inertia187 · · Score: 4, Funny
    These stupid updates are ruining my laptop's uptime.
    uniblab:~ anthony$ uptime
    16:31 up 12 days, 2 hrs, 1 user, load averages: 0.80 1.32 1.47
    uniblab:~ anthony$
    --
    A programmer is a machine for converting coffee into code.
  12. The exploit IS fixed by Anonymous Coward · · Score: 0

    I don't know what the fuck you guys are doing, but just go here:

    http://test.doit.wisc.edu/

    All the exploits on one page.

  13. Don't be ridiculous by FredFnord · · Score: 2, Interesting

    You're crediting Slashdot with far, far, FAR too much organizational ability.

    Trust me. If Slashdot was trying to hide something, they would post it on the front page, in foot-high green letters. Using the 'flash' tag. By accident.

    Besides, I frankly think that none of those deserved to be on the main page, including this last one. Basically, they're of interest if you're a Mac user, a Mac admirer, or a Mac basher, and all three of those types already read the apple.slashdot.org section.

    And likewise, if they were trying to keep these things hushed up, why would they have posted them at all? Anyone who has any interest in Apple, pro or con, already reads the Apple section, so it's not like they're being very effectively hidden. And nobody else who saw them on the main page would remember that they saw them fifteen minutes later.

    There are plenty of conspiracies out there. Go pick a real one to pick on. For example, if you find out what happened to all my damn missing socks, I'll give you a medal.

    -fred

    --
    Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
    1. Re:Don't be ridiculous by skinfitz · · Score: 0, Flamebait

      So why post the fact that they are fixed on the front page? By your logic this information is purely of use to Mac owners, and would not be interesting to non-Mac owners, yet it gets on the front page.

    2. Re:Don't be ridiculous by MoneyT · · Score: 1

      Because the first exploit found was on the front page, and I seem to remember a follow up or two being there too.

      --
      T Money
      World Domination with a plastic spoon since 1984
    3. Re:Don't be ridiculous by Anonymous Coward · · Score: 0
      For example, if you find out what happened to all my damn missing socks, I'll give you a medal.

      They're stuck to the back of your shirt.

    4. Re:Don't be ridiculous by skinfitz · · Score: 1

      Besides, I frankly think that none of those deserved to be on the main page, including this last one. Basically, they're of interest if you're a Mac user, a Mac admirer, or a Mac basher, and all three of those types already read the apple.slashdot.org section.

      Um...?

    5. Re:Don't be ridiculous by FredFnord · · Score: 1

      No, that's a 'kick me' sign.

      Keep looking.

      -fred

      --
      Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
  14. ill-formed people by exp(pi*sqrt(163)) · · Score: 3, Funny

    I know. Those hunchbacks are always cracking my system.

    --
    Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
  15. arg! by prockcore · · Score: 2

    Did anyone elses machine totally lock up while installing this security update?

    Software Update now claims I'm all up to date, but now I'm not so sure.

    1. Re:arg! by narratorDan · · Score: 4, Informative

      Look for the file "SecUpd2004-06-07Pan.pkg" in /Library/Receipts. If it is there then you're probably safe as this file is added after it is installed to indicate a complete install.

      In the future, instead of clicking on the button, use the menu "Update > Download Only" for your updates. It will download the update and keep it so that if the machine locks up or the power goes out you can re-install from the saved .pkg which can be found in /Library/Packages. Another benefit is that you can collect all the updates on a CD just in case you have to do a full install again but don't want to download all the patches. (That is mostly for those of us who have 56k connections.)

      NarratorDan

      --
      "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  16. Malicious telnet: how the exploit works. by Beryllium+Sphere(tm) · · Score: 1

    >The telnet: URL handler is *supposed* to open a telnet connection. It doesn't install any code, it doesn't download anything, it doesn't even execute any commands. It just opens a telnet connection.

    telnet::-nmbox will create a trace file of zero length named "mbox". If there was already a file by the same name then the pre-existing file will be silently deleted.

    The same exploit could zero out any file with a predictable path name to which the user has write access.

    That's what test 4 is about. It's a separate issue from the autoregistration problems but was discovered about the same time.

    1. Re:Malicious telnet: how the exploit works. by Anonymous Coward · · Score: 2, Informative

      But the Telnet '-n' exploit has already been fixed.

    2. Re:Malicious telnet: how the exploit works. by M.+Baranczak · · Score: 1

      telnet::-nmbox will create a trace file of zero length named "mbox". If there was already a file by the same name then the pre-existing file will be silently deleted.

      Nope. Tried it just now - all it does is open Terminal.app; no other effects that I can see.

  17. sshLogin needs to be reinstalled by Yeechang+Lee · · Score: 2, Informative

    For those who use the very useful SSH agent sshLogin, I found that I needed to reinstall it after the upgrade, in contrast to the many other OS security updates I've installed since February.

    1. Re:sshLogin needs to be reinstalled by Anonymous Coward · · Score: 1, Informative

      I use sshLogin 1.3 and it continues working properly after installing the 2004-06-07 security update.

  18. GRAMMAR by Anonymous Coward · · Score: 0

    Please notice the spelling in the subject. If you're going to laud the intelligence of my community, I'd prefer that you spell correctly when you do.

    THANKS D000D!!!!!

  19. Re:Front page? How strange by Anonymous Coward · · Score: 0
    /. prejudiced? Shurely not.

    /. posters use dictionaries? Surely not.

  20. It was... by FredFnord · · Score: 1

    But that exploit has already been fixed.

    -fred

    --
    Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
  21. Did you read my post before rebutting it? by FredFnord · · Score: 1
    So why post the fact that they are fixed on the front page? By your logic this information is purely of use to Mac owners, and would not be interesting to non-Mac owners, yet it gets on the front page.
    Oh yes... yes... agree with me *harder*!

    From my original post:
    Besides, I frankly think that none of those deserved to be on the main page, including this last one. Basically, they're of interest if you're a Mac user, a Mac admirer, or a Mac basher, and all three of those types already read the apple.slashdot.org section.
    That is to say, 'I think posting this on the front page was a mistake because it's not that important.'

    Saying they're trying to hide things about the Mac by posting them in the Mac section is silly. Saying that they're trying to hide bad things about the Mac by posting the fixes to those problems on the front page (which automatically lets people know that the problem existed, even if they didn't know before) is logic I am used to from my glue-sniffing comrades of yore. Easy on the recreational substances and the paranoia will fade after a while.

    -fred
    --
    Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
  22. CNET story by sparkywonderchicken · · Score: 0

    Here's the beginning of the CNET article:

    Apple Computer on Monday released a security patch that fixes what the company called the first "critical" Mac OS X flaw. A combination of holes disclosed by security researchers last month could have allowed an attacker to take over a vulnerable Macintosh, though no such exploits have been reported. Apple issued a partial fix last month, but security researchers had said that the Mac remained open to attack.

    http://news.com.com/Apple+patches+%27critical%27+OS+X+flaw/2100-7355_3-5228038.html?tag=nefd.top

    Can I say "yeah right!" and get away with it? Sounds/smells awfully fishy.