Apple Addresses URI Handler Issues

← Back to Stories (view on slashdot.org)

Apple Addresses URI Handler Issues

Posted by pudge on Monday June 7, 2004 @09:14AM from the hooray dept.

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word in given regarding how the average user should know whether or not to approve the request.

10 of 106 comments (clear)

Min score:

Reason:

Sort:

No word? by daveschroeder · 2004-06-07 09:16 · Score: 4, Insightful

"No word in given regarding how the average user should know whether or not to approve the request?"

Well, first of all, this security update takes the issue completely from the realm of a an automated exploit that could execute arbitrary code simply by visiting a web page with no user interaction or warning, to what can now only be described, more or less, as a social engineering exploit. If you download a new application, like, say an RSS reader, the OS will prompt you to add, for example, the 'feed:' URI handler:

- ONLY the first time, and

- ONLY if it's invoked remotely, e.g., via a web page, URL in an email message, etc.

And since the only value of this exploit came from it being used in two HTML frames with two META REFRESH tags, via a browser, to cause some type of remote volume to mount (or a file to download) AND then have the newly registered URI remotely called, this completely and totally fixes the issue, without hurting the normal functionality of having new URIs get registered when you launch an application. Saying "No word in given regarding how the average user should know whether or not to approve the request" is tantamount to saying that no guidance is given on whether or not a user should even know to open, say, a shareware app they've downloaded for the first time.

On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue. This addresses the core of the issue, which was several OS features interacting to essentially enable an automated exploit; that capability is now completely disabled. Apple even went further and removed some suspect handlers (disk:) completely, even though this fix makes it unnecessary.

Also, detailed information on what exactly was changed is here:

http://www.info.apple.com/kbnum/n61798

...as well as a description of what exactly occurs if this situation is encountered:

http://www.info.apple.com/kbnum/n25785

You can verify that these issues are fixed by using the following test site: http://test.doit.wisc.edu/
1. Re:No word? by yotaku · 2004-06-07 09:26 · Score: 5, Insightful
  
  "On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue."
  
  Yes just like a windows user knows to say no to those ActiveX dialogs. I'm sorry but this does NOT solve the problem. Research shows that when a user is exposed to such a dialog they get confused and pick a random option.
  
  This is a fix for semi-intelligent computer users. It does not help the average user. If this really worked then no-one would still be installing Gator.
2. Re:No word? by baur · 2004-06-07 09:31 · Score: 5, Insightful
  
  You think much more highly of the average user than I do.
  
  If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programes - and new ones at that. If not, then the computer is nearly useless.
  
  Social engineering is always possible. Heck, there are windows viruses that spread using a password protected zip file. That means that the user has to be convinced to download the file, open it, put in a password and then run the trojan. Sure, some people are dumb enough to go through all of that (the fact that its spreading at all is proof of that) - but how many hoops are reasonable to jump though to protect the user? At some point, the OS has to step back and let the user do what they want, or else they'll go use something that gives them more control.
3. Re:No word? by merdark · 2004-06-07 10:40 · Score: 4, Insightful
  
  IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly.
  
  This is what clicking 'Yes' in the dialog box does. Explicitly runs an app.
  
  There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.
  
  This you may as well remove the functionality completely, considering you just removed the only way to run a handler explicitly.
  
  There is no way around this. Either a user knows that an app is safe to run, or they don't. I haven't tried it yet so I don't know if this is the case already, but the ONLY solution to the user problem is the solution taken by windows. Every time the dialog pops up, put a phrase saying "If you don't understand, click no because you could be hax0red".
4. Re:No word? by Lars+T. · 2004-06-07 12:41 · Score: 5, Insightful
  
  What happened to the Apple HIG mantra "Press Enter and the safe option will be activated"?
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Change in text maybe? by wedding · 2004-06-07 09:32 · Score: 5, Insightful

I like the idea, but couldn't the wording of the alert be simpler?

Why not ask "The document you're opening is trying to open and run _____. If you don't want to do this, click CANCEL."

The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.
1. Re:Change in text maybe? by PierceLabs · 2004-06-07 10:07 · Score: 3, Insightful
  
  True, but the ocurrence of that is currently pretty rare since most poeple never really encountered the URI exploit in the wild and almost no real application would require that functionality to be exposed to the user in that manner.
  
  I think this fix is reasonable in that it won't be popping up all the time and when it finally does - it will look out of place and the default behavior should be to cancel (not allow) the operation to continue.
2. Re:Change in text maybe? by justMichael · 2004-06-07 11:35 · Score: 5, Insightful
  
  The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.
  While this is true in Windows, the dialogs are worded very poorly and usually only have OK CANCEL. The dialogs in OS X are usually worded in such a way as to make sense and the buttons usually have words on them directly related to what they do.
  
  Even in this example, Cancel Open, so you know even without reading the dialog that one button is going to open something and the other is going to cancel.
  
  Where as OK CANCEL is completely reliant on someone reading the dialog (not normally going to happen) or click OK and see what happens.
  
  The action you are trying to perform will destroy data and we have stopped it, do you wish to allow it to continue? OK CANCEL
  
  The action you are trying to perform will destroy data, do you want us to stop this from happening? OK CANCEL
Re:Doesn't work? by FredFnord · 2004-06-07 13:11 · Score: 4, Insightful

> test 2 - "idisk" mounts, but it brings up the new dialog.

That's the fixed part.

> test 4 - terminal launches, and attempts to connect to a remote site -
> appears that if it were a malicious site, it would have worked.

A malicious... telnet... site? Er, whee, lookit the pretty birdies.

The telnet: URL handler is *supposed* to open a telnet connection. It doesn't install any code, it doesn't download anything, it doesn't even execute any commands. It just opens a telnet connection.

The issue that is fixed here is having a disk image mount and create a new URI handler, and then a redirect on your web browser launching the application using the new handler.

This doesn't affect telnet handlers, which are already registered and don't run anything on random mounted disk images.

It doesn't affect helpviewer, which has already been patched and fixed. That is, helpviewer can no longer run arbitrary scripts, so the fact that the disk image mounted doesn't make a damn bit of difference.

Basically, don't post warnings about things you have no clue about.

-fred

--
Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
Re:Usability Growing Pains by mbbac · 2004-06-08 05:45 · Score: 4, Insightful

It also doesn't say 'OK' or 'Cancel.' Like most good Mac dialogs, it uses action verbs. In this case the options are 'Open' or 'Cancel.'

--
mbbac