Slashdot Mirror


Apple Addresses URI Handler Issues

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word is given regarding how the average user should know whether or not to approve the request.

13 of 106 comments

  1. No word is given? by cbiffle · · Score: 4, Informative

    That's not entirely true. The KB article linked from the SecUpd description provides a screenshot of the approval dialog.

    Basically, it notes that the app is being started for the first time, and it says that unless you expected to see that app come up in response to whatever you just did, kill it by pressing 'Cancel.'

    I think this is a pretty good way of handling the situation. They could have left the hole unplugged, or simply disabled the functionality in general. The dialog box strikes me as a good compromise.

    However, I do think a little more info might be nice, like how long ago the app was installed, etc. Might make it harder for a new app to masquerade under the name of an old app.

  2. Sure there is. Well, sorta. by Anonymous Coward · · Score: 3, Informative

    If you read the links Apple provided, you will eventually end up here: http://docs.info.apple.com/article.html?artnum=25785

  3. Doesn't work? by MoneyT · · Score: 3, Informative

    Well this one is odd to me. The update didn't appear to work. Trying the tests at the following link I get the following:

    4 tests

    The first one does not execute, but no dialogue is presented.

    The second one executes.

    The third does not execute, but does launch Help Viewer, no dialogue.

    The fourth does not mount or execute on the volume, but does launch a terminal trying to access the volume.

    The only reason I can think of why this didn't take may be because I have PA installed but disabled, and it may be interfering with the patch.

    Is anyone else having this issue?

    --
    T Money
    World Domination with a plastic spoon since 1984
    1. Re:Doesn't work? by jokell82 · · Score: 4, Informative
      My experience, having never installed PA:
      • First does not execute, no dialog presented.
      • Second one does not execute, but does connect to the FTP (which I would expect it to do), again no dialog.
      • Third launches help viewer, but does nothing else, no dialog.
      • Fourth does not mount or execute the volume, but does launch the terminal, again no dialog.

      It appears to be all fixed, as some of the methods to install the exploits still work, but the exploits themselves do not run. I wonder if anyone will find a way around the fixes.
      --
      I dunno who it is
      but it prolly is fhqwhgads.
    2. Re:Doesn't work? by dunderwo · · Score: 3, Informative

      this exploit is not fixed.

      Yes it is.

      If you ran the test exploits before installing the update, then the applications that they run are already "trusted" in the sense that they were already on your computer as registered handlers for those URI types, so the dialog does not appear (if the dialog appeared for every preexisting application on your computer, then its meaning would be diluted to the point of uselessness). Since these proof-of-concept applications are harmless, there's nothing to worry about. Any new applications run by a URI will make the dialog appear as it should.

    3. Re:Doesn't work? by Have+Blue · · Score: 3, Informative
      • First exploit succeeds.
      • Second exploit brings up the warning dialog.
      • Third exploit launches Help Viewer but fails to execute the payload.
      • Fourth exploit launches terminal, fails to execute payload.
  4. Re:Usability Growing Pains by lullabud · · Score: 2, Informative
    I welcome Apple to the problems of making an OS for people other than the tech savvy.

    OS for people other than the tech savvy? I think Apple's been doing that for a looooong time. However, making an OS that doesn't suck for the techies yet remains usable for the dummies is another story.

    All in all though I think they've done a fine job. My mom got an iBook about 8 months ago and she hasn't called me with questions for the last 6 months. When she had Windows she called me frequently... for years...
  5. Re:Usability Growing Pains by hondo77 · · Score: 2, Informative

    I welcome Apple to the problems of making an OS for people other than the tech savvy.

    Um, yes...because...goodness knows...that Apple, um...hasn't been doing that for the past twenty years! What other company could you possibly be comparing them to with a statement like that?

    --
    I live ze unknown. I love ze unknown. I am ze unknown.
  6. Re:arg! by narratorDan · · Score: 4, Informative

    Look for the file "SecUpd2004-06-07Pan.pkg" in /Library/Receipts. If it is there then you're probably safe, as this file is added after it is installed to indicate a complete install.

    In the future, instead of clicking on the button, use the menu "Update > Download Only" for your updates. It will download the update and keep it, so that if the machine locks up or the power goes out you can re-install from the saved .pkg, which can be found in /Library/Packages. Another benefit is that you can collect all the updates on a CD just in case you have to do a full install again but don't want to download all the patches. (That is mostly for those of us who have 56k connections.)

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
  7. Re:Malicious telnet: how the exploit works. by Anonymous Coward · · Score: 2, Informative

    But the Telnet '-n' exploit has already been fixed.

  8. sshLogin needs to be reinstalled by Yeechang+Lee · · Score: 2, Informative

    For those who use the very useful SSH agent sshLogin, I found that I needed to reinstall it after the upgrade, in contrast to the many other OS security updates I've installed since February.

    1. Re:sshLogin needs to be reinstalled by Anonymous Coward · · Score: 1, Informative

      I use sshLogin 1.3 and it continues working properly after installing the 2004-06-07 security update.

  9. Re:No word? by squiggleslash · · Score: 2, Informative
    You don't have to put an Application in /Applications for it to be runnable.

    The only reason it's slightly harder to run an OS X app from the browser is that OS X apps tend to be whole directories rather than just a single file, and older OS 1-9 files have "forks" which the standard Web download model doesn't really support. Of course, there's always AppleScript.

    "Installing" an OS X app is a matter of putting it on your disk. Anywhere. (Well, anywhere except the Trash can.) You can put it on your desktop, you can put it in your Documents folder, you can put it pretty much anywhere. You can associate a file with it, run it, move it somewhere else, and still have that file open your moved program.

    It's all rather funky. But, no, there's no security provided by the /Applications folder, and indeed /Applications is writable by most users by default anyway.

    --
    You are not alone. This is not normal. None of this is normal.