Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Addresses URI Handler Issues

Posted by pudge on from the hooray dept.

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word in given regarding how the average user should know whether or not to approve the request.

3 of 106 comments (clear)

  1. No word is given? by cbiffle · · Score: 4, Informative

    That's not entirely true. The KB article linked from the SecUpd description provides a screenshot of the approval dialog.

    Basically, it notes that the app is being started for the first time, and it says that unless you expected to see that app come up in response to whatever you just did, kill it by pressing 'Cancel.'

    I think this is a pretty good way of handling the situation. They could have left the hole unplugged, or simply disabled the functionality in general. The dialog box strikes me as a good compromise.

    However, I do think a little more info might be nice, like how long ago the app was installed, etc. Might make it harder for a new app to masquerade under the name of an old app.

  2. Re:Doesn't work? by jokell82 · · Score: 4, Informative
    My experience, having never installed PA:
    • First does not execute, no dialog presented.
    • Second one does not execute, but does connect to the FTP (which I would expect it to do), again no dialog.
    • Third launches help viewer, but does nothing else, no dialog.
    • Fourth does not mount or execute the volume, but does launch the terminal, again non dialog.

      It appears to be all fixed, as some of the methods to install the exploits still work, but the exploits themselves do not run. I wonder if anyone will find a way around the fixes.
    --
    I dunno who it is
    but it prolly is fhqwhgads.
  3. Re:arg! by narratorDan · · Score: 4, Informative

    Look for the file "SecUpd2004-06-07Pan.pkg" in /Library/Receipts. If it is there then you're probably safe as this file is added after it is installed to indicate a complete install.
    In the future, instead of clicking on the button, use the menu "Update > Download Only" for your updates. It will download the update and keep it so that if the machine locks up or the powergoes out you can re-install from the saved .pkg which can be found in /Library/Packages. Another benefit is that you can collect all the updates on a CD just incase you have to do a full install again but don't want to download all the patches. (That is mostly for those of us who have 56k connections)

    NarratorDan

    --
    "If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr