Apple Addresses URI Handler Issues

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word in given regarding how the average user should know whether or not to approve the request.

Usability Growing Pains

[yotaku]

It sounds to me that Apple is begining to have the problems that Windows suffers from. The impossible task of making an OS user friendly enough for an average user, while maintaining security. The integration of the URI stuff is needed for usabilty reasons, but it does present a huge problem from a security angle. Usabilty research on windows has shown that in most cases these dialogs do not help the average user. The average Joe does not understand the dialog, and when they dont understand it, you know what they do? They hit a random option.

I welcome Apple to the problems of making an OS for people other than the tech savy.

Re:Usability Growing Pains

[MoneyT]

I wonder if there's any benifit to how the dialouge is worded. Many of the ones I see often say "If you trust this document to be certified click OK" or "If you're sure you want to do this, click OK" Essentialy it tells you to click OK. This dialouge asks you if you're sure you want to open an application and specificaly says that if you were not expecting this, to click cancel.

Who knows, it might be a good experiment.

Re:Usability Growing Pains

[baur]

I think they've done a decent job of avoiding knee-jerk reactions on this one. The way it's designed, the dialog will very rarely come up, so the user will (hopefully) not become jaded as to its meaning. When it does appear, it should seem out of the ordinary, causing most reasonable people to at least give it a quick read.

Does this solve the problem completely? Of course not, but this is a fairly good solution that covers most cases, makes the majority of people more secure and doesn't keep me from using my computer the way I want to.

Re:No word?

[pudge]

If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programes - and new ones at that. If not, then the computer is nearly useless.

You're committing the Excluded Middle fallacy here. There are degrees. In this case, we are talking about a remote attacker doing things without user interaction, except to click on a dialog box *they don't understand*. They only have two options, and they don't know which is the right one. And no matter what the dialog says, that won't change. This is very different from a user going and clicking to open an application of their own accord.

IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly. There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.

Dumb People...

[wwvuillemot]

No word in given regarding how the average user should know whether or not to approve the request.

What I do not understand is how you can completely eliminate danger from ill-formed people. The fact of the matter is that people are responsible for using computers. We can either have completely dumbed-down OS's (namely, companies such as Apple and M$ take complete responsibility for every sort of sescutiry isssue and to do so ensure they strict limit our use of their products to help mitigate their risk to such a godly -- and equally inane -- level of responsibility) or we accept the fact that the end-users have some responsibility, too. So how should the user know whether to accept or deny...read a book, google it up, or any other of a thousand ways people have spent millenia educating themselves...

Granted, the dialog that Apple has implemented could include some more information, but it is certainly in the right direction. As I am away from a Mac for a week, I am not positive how the new system works. I am not sure if you can say "Always permit this URI..." or if permission is on a per session basis. If the latter that might become annoying...and it might be nice to say "Forever Accept/Deny" in those cases where I feel confident that I can/should do that. Having said that, the one thing that I'd like to see is a list of those apps/URIs I have granted/stripped permission to/from so I have better management over the system....esp. after I FUBAR and grant permission to EvilWare!

Don't be ridiculous

[FredFnord]

You're crediting Slashdot with far, far, FAR too much organizational ability.

Trust me. If Slashdot was trying to hide something, they would post it on the front page, in foot-high green letters. Using the 'flash' tag. By accident.

Besides, I frankly think that none of those deserved to be on the main page, including this last one. Basically, they're of interest if you're a Mac user, a Mac admirer, or a Mac basher, and all three of those types already read the apple.slashdot.org section.

And likewise, if they were trying to keep these things hushed up, why would they have posted them at all? Anyone who has any interest in Apple, pro or con, already reads the Apple section, so it's not like they're being very effectively hidden. And nobody else who saw them on the main page would remember that they saw them fifteen minutes later.

There are plenty of conspiracies out there. Go pick a real one to pick on. For example, if you find out what happened to all my damn missing socks, I'll give you a medal.

-fred