Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Addresses URI Handler Issues

Posted by pudge on from the hooray dept.

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word in given regarding how the average user should know whether or not to approve the request.

7 of 106 comments (clear)

  1. No word is given? by cbiffle · · Score: 4, Informative

    That's not entirely true. The KB article linked from the SecUpd description provides a screenshot of the approval dialog.

    Basically, it notes that the app is being started for the first time, and it says that unless you expected to see that app come up in response to whatever you just did, kill it by pressing 'Cancel.'

    I think this is a pretty good way of handling the situation. They could have left the hole unplugged, or simply disabled the functionality in general. The dialog box strikes me as a good compromise.

    However, I do think a little more info might be nice, like how long ago the app was installed, etc. Might make it harder for a new app to masquerade under the name of an old app.

  2. Sure there is. Well, sorta. by Anonymous Coward · · Score: 3, Informative

    If you read the links apple provided, you will eventually end up here: http://docs.info.apple.com/article.html?artnum=257 85

  3. Doesn't work? by MoneyT · · Score: 3, Informative

    Well this one is odd to me. The update didn't appear to work. Trying the tests at the following link I get the following:

    4 tests

    The first one does not execute, but no dialouge is presented.

    The second one executes.

    The third does not execute, but does launch help viewer, no dialouge

    The fourth does not mount or execute on the volume, but does launch a terminal trying to access the volume.

    The only reason I can think of why this didn't take may be because I have PA installed but diabled, and it may be interfering with the patch.

    Is anyone else having this issue?

    --
    T Money
    World Domination with a plastic spoon since 1984
    1. Re:Doesn't work? by jokell82 · · Score: 4, Informative
      My experience, having never installed PA:
      • First does not execute, no dialog presented.
      • Second one does not execute, but does connect to the FTP (which I would expect it to do), again no dialog.
      • Third launches help viewer, but does nothing else, no dialog.
      • Fourth does not mount or execute the volume, but does launch the terminal, again non dialog.

        It appears to be all fixed, as some of the methods to install the exploits still work, but the exploits themselves do not run. I wonder if anyone will find a way around the fixes.
      --
      I dunno who it is
      but it prolly is fhqwhgads.
    2. Re:Doesn't work? by dunderwo · · Score: 3, Informative

      this exploit is not fixed.

      Yes it is.

      If you ran the test exploits before installing the update, then the applications that they run are already "trusted" in the sense that they were already on your computer as registered handlers for those URI types, so the dialog does not appear (if the dialog appeared for every preexisting application on your computer, then its meaning would be diluted to the point of uselessness). Since these proof-of -concept applications are harmless, there's nothing to worry about. Any new applications run by a URI will make the dialog appear as it should.

    3. Re:Doesn't work? by Have+Blue · · Score: 3, Informative
      • First exploit succeeds.
      • Second exploit brings up the warning dialog.
      • Third exploit launches Help Viewer but fails to execute the payload.
      • Fourth exploit launches terminal, fails to execute payload.
  4. Re:arg! by narratorDan · · Score: 4, Informative

    Look for the file "SecUpd2004-06-07Pan.pkg" in /Library/Receipts. If it is there then you're probably safe as this file is added after it is installed to indicate a complete install.
    In the future, instead of clicking on the button, use the menu "Update > Download Only" for your updates. It will download the update and keep it so that if the machine locks up or the powergoes out you can re-install from the saved .pkg which can be found in /Library/Packages. Another benefit is that you can collect all the updates on a CD just incase you have to do a full install again but don't want to download all the patches. (That is mostly for those of us who have 56k connections)

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr