Apple Addresses URI Handler Issues

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word in given regarding how the average user should know whether or not to approve the request.

No word?

[daveschroeder]

"No word in given regarding how the average user should know whether or not to approve the request?"

Well, first of all, this security update takes the issue completely from the realm of a an automated exploit that could execute arbitrary code simply by visiting a web page with no user interaction or warning, to what can now only be described, more or less, as a social engineering exploit. If you download a new application, like, say an RSS reader, the OS will prompt you to add, for example, the 'feed:' URI handler:

- ONLY the first time, and

- ONLY if it's invoked remotely, e.g., via a web page, URL in an email message, etc.

And since the only value of this exploit came from it being used in two HTML frames with two META REFRESH tags, via a browser, to cause some type of remote volume to mount (or a file to download) AND then have the newly registered URI remotely called, this completely and totally fixes the issue, without hurting the normal functionality of having new URIs get registered when you launch an application. Saying "No word in given regarding how the average user should know whether or not to approve the request" is tantamount to saying that no guidance is given on whether or not a user should even know to open, say, a shareware app they've downloaded for the first time.

On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue. This addresses the core of the issue, which was several OS features interacting to essentially enable an automated exploit; that capability is now completely disabled. Apple even went further and removed some suspect handlers (disk:) completely, even though this fix makes it unnecessary.

Also, detailed information on what exactly was changed is here:

http://www.info.apple.com/kbnum/n61798

...as well as a description of what exactly occurs if this situation is encountered:

http://www.info.apple.com/kbnum/n25785

You can verify that these issues are fixed by using the following test site: http://test.doit.wisc.edu/

Re:No word?

[pudge]

On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue.

You think much more highly of the average user than I do.

Re:No word?

[yotaku]

"On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue."

Yes just like a windows user knows to say no to those ActiveX dialogs. I'm sorry but this does NOT solve the problem. Research shows that when a user is exposed to such a dialog they get confused and pick a random option.

This is a fix for semi-intelligent computer users. It does not help the average user. If this really worked then no-one would still be installing Gator.

Re:No word?

[baur]

You think much more highly of the average user than I do.

If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programes - and new ones at that. If not, then the computer is nearly useless.

Social engineering is always possible. Heck, there are windows viruses that spread using a password protected zip file. That means that the user has to be convinced to download the file, open it, put in a password and then run the trojan. Sure, some people are dumb enough to go through all of that (the fact that its spreading at all is proof of that) - but how many hoops are reasonable to jump though to protect the user? At some point, the OS has to step back and let the user do what they want, or else they'll go use something that gives them more control.

Re:No word?

[pudge]

If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programes - and new ones at that. If not, then the computer is nearly useless.

You're committing the Excluded Middle fallacy here. There are degrees. In this case, we are talking about a remote attacker doing things without user interaction, except to click on a dialog box *they don't understand*. They only have two options, and they don't know which is the right one. And no matter what the dialog says, that won't change. This is very different from a user going and clicking to open an application of their own accord.

IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly. There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.

Re:No word?

[jdb8167]

Unlike windows, running a new, untrusted application installed from the browser is a very unusual circumstance on the Mac. It just doesn't happen. For most users, a new application is installed in /Applications. Since you can't do that without an Admin password, any legitimate Application already has to be installed with a users consent.

Users definitely need a quick tutorial on this potential security issue, but if and when they get this dialog they will know something is up. If they are running a new plug-in that they explicitly want, they simply click OK, if not then click Cancel and report the incident as suspicious.

Nothing should ever be installed on your computer via a browser without your express consent. Knowing when to accept or not isn't as big a problem as it is made out to be.

Re:No word?

[Black+Art]

Research shows that when a user is exposed to such a dialog they get confused and pick a random option.

And here I thought that only trademark lawyers were that easily confused...

Re:No word?

[merdark]

IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly.

This is what clicking 'Yes' in the dialog box does. Explicitly runs an app.

There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.

This you may as well remove the functionality completely, considering you just removed the only way to run a handler explicitly.

There is no way around this. Either a user knows that an app is safe to run, or they don't. I haven't tried it yet so I don't know if this is the case already, but the ONLY solution to the user problem is the solution taken by windows. Every time the dialog pops up, put a phrase saying "If you don't understand, click no because you could be hax0red".

Re:No word?

[pudge]

Have either of you guys actually seen the text of this message?

Yes, it is in one of the links I put in the story. :-)

Neither have I but I am sure (because it's Mac OS X) it goes a lot farther to empower and help the user understand the implications of their actions than the 'Always Trust Content from Gator Corp.' dialog you get with Internet Exploder./em?

It doesn't. It says "if you were not expecting this application to open, click Cancel." I am not arguing about this dialog specifically, but the fact of having a dialog at all, which will confuse and scare many users, and they will not understand what to do, no matter what it says. If I were arguing about this specific dialog box, my task here would be far easier, because it really stinks. :-)

Re:No word?

[pudge]

How is click cancel when you see this dialog any more complicated then "don't open unknown email attachments"?

You were talking about how the user would then go and find the application to open manually. Even if you had left it at only this point, it is more complicated because you are forced to make a choice, one you don't understand the meaning or ramifications of. With email attachments, you merely don't have to take a particular action.

But I'm at a loss to what you can do to prevent it?

As I've said many times: DO NOT register apps until they are first explicitly launched. This dialog would not come up because the action would not be possible.

There are untold numbers of things you can do to people who don't learn to distrust software delivered to them without their express cooperation.

Yet another Excluded Middle fallacy. There are levels, and I am simply saying you should not rely on an on-the-spot user choice when it comes to a potential remote attack. This should be a bottom-line rule. What if Mac OS X were to pop up a dialog, saying, "An incoming packet on port 23 is detected, but telnetd is not currently running. Shall I start telnetd to allow the connection to go through?" That's what this is basically doing.

Re:No word?

[shendart]

You forget that we're not talking about the average user, but rather the average APPLE user.

Everyone knows that we're taller, more attractive, more aromatically enticing, (prone to verbose grammer), and more intelligent than the average computer user.

Re:No word?

[Lars+T.]

What happened to the Apple HIG mantra "Press Enter and the safe option will be activated"?

Re:No word?

[baur]

Yet another Excluded Middle fallacy

You know, you keep saying that, but it sounds like you are doing the same thing. You seem to be claiming that no "typical" users are smart enough to figure out what's going on. There are not just smart and dumb users, there is a range. Designing things like this means striking a balanace between security and convience. There are no hard-and-fast rules about it.

The main reason I responded though was just to complain about your analogy. It doesn't fit. The remote exploit that this is all about is not completely automatic. It requires the user to browse the internet to a malicious site. Your example describes a more dangerous situation where a users machine is at risk randomly and needs to only be connected for it to happen.

My only reason for mentioning this is that, since the user is already activly involved in the process, its not a great leap to have some instructions on the site like: "A new volume should show up on your computer, please double click the file in there to see the cool cartoon."

I know what you're going to say, this is an "Excluded Middle Fallacy." No more than what you've proposed. What I'm trying to say (and I suspect a few others) is that you have to trust the user to do the right thing *at some point* - although I'll grant its debatable at what point that occurs. There is some anecdotal evidence that dialogs are not always read and understood, but this still turns an automated exploit into one that requires an extra step of user interaction. This is not a dialog that users will see frequently, and so it isn't one that they will become jaded by. I understand your position, but - for me - it restricts features a little too much. There are cases where you would want to say "Ok" to this dialog (like a help:// tag, for example - I would be very annoyed if I had to go an find the help app just to launch it once before it could be used). There are other situations as well.

As I've said many times: DO NOT register apps until they are first explicitly launched.

This sounds good on the surface, but think about it - do you want to have to explicity lauch every helper app before it gets used automatically? (Although its not quite true, let's assume this afects pre-installed apps as well.) Want to unstuff and app? Sorry, you need to hand launch Stuffit Expander once first. Want to use the Citrix client to connect to a remote server? Sorry, gotta launch the client once (never mind that it makes no sense to do so without a connection file).

I don't want to deal with that, because I don't like my computer getting in the way of what I'm doing - and I don't feel that its a great compromise of security to have a dialog box appear (although I do think the default should be cancel).

Re:No word?

[squiggleslash]

You don't have to put an Application in /Applications for it to be runnable.

The only reason it's slightly harder to run an OS X app from the browser is that OS X apps tend to be whole directories rather than just a single file, and older OS 1-9 files have "forks" which the standard Web download model doesn't really support. Of course, there's always AppleScript.

"Installing" an OS X app is a matter of putting it on your disk. Anywhere. (Well, anywhere except the Trash can.) You can put it on your desk top, you can put it in your Documents folder, you can put it pretty much anywhere. You can associate a file with it, run it, move it somewhere else, and still have that file open your moved program.

It's all rather funky. But, no, there's no security provided by the /Applications folder, and indeed /Applications is writable by most users by default anyway.

No word is given?

[cbiffle]

That's not entirely true. The KB article linked from the SecUpd description provides a screenshot of the approval dialog.

Basically, it notes that the app is being started for the first time, and it says that unless you expected to see that app come up in response to whatever you just did, kill it by pressing 'Cancel.'

I think this is a pretty good way of handling the situation. They could have left the hole unplugged, or simply disabled the functionality in general. The dialog box strikes me as a good compromise.

However, I do think a little more info might be nice, like how long ago the app was installed, etc. Might make it harder for a new app to masquerade under the name of an old app.

Sure there is. Well, sorta.

If you read the links apple provided, you will eventually end up here: http://docs.info.apple.com/article.html?artnum=257 85

Usability Growing Pains

[yotaku]

It sounds to me that Apple is begining to have the problems that Windows suffers from. The impossible task of making an OS user friendly enough for an average user, while maintaining security. The integration of the URI stuff is needed for usabilty reasons, but it does present a huge problem from a security angle. Usabilty research on windows has shown that in most cases these dialogs do not help the average user. The average Joe does not understand the dialog, and when they dont understand it, you know what they do? They hit a random option.

I welcome Apple to the problems of making an OS for people other than the tech savy.

Re:Usability Growing Pains

[MoneyT]

I wonder if there's any benifit to how the dialouge is worded. Many of the ones I see often say "If you trust this document to be certified click OK" or "If you're sure you want to do this, click OK" Essentialy it tells you to click OK. This dialouge asks you if you're sure you want to open an application and specificaly says that if you were not expecting this, to click cancel.

Who knows, it might be a good experiment.

Re:Usability Growing Pains

[baur]

I think they've done a decent job of avoiding knee-jerk reactions on this one. The way it's designed, the dialog will very rarely come up, so the user will (hopefully) not become jaded as to its meaning. When it does appear, it should seem out of the ordinary, causing most reasonable people to at least give it a quick read.

Does this solve the problem completely? Of course not, but this is a fairly good solution that covers most cases, makes the majority of people more secure and doesn't keep me from using my computer the way I want to.

Re:Usability Growing Pains

[lullabud]

I welcome Apple to the problems of making an OS for people other than the tech savy.

OS for people other than the tech savy? I think Apple's been doing that for a looooong time. However, making an OS that doesn't suck for the techies yet remains usable for the dummies is another story.

All in all though I think they've done a fine job. My mom got an iBook about 8 months ago and She hasn't called me with questions for the last 6 months. When she had Windows she called me frequently... for years...

Re:Usability Growing Pains

[hondo77]

I welcome Apple to the problems of making an OS for people other than the tech savy.

Um, yes...because...goodness knows...that Apple, um...hasn't been doing that for the past twenty years! What other company could you possibly be comparing them to with a statement like that?

Re:Usability Growing Pains

[mbbac]

It also doesn't say 'OK' or 'Cancel.' Like most good Mac dialogs, it uses action verbs. In this case the options are 'Open' or 'Cancel.'

How will they know?

[teamhasnoi]

With a non-descriptive name like EvilWare, how is anyone going to know if it is ok or not?

Yes, I was just about to hit SubmitStory, and yes, I'm still bitter. ;P

Re:How will they know?

[jimbolaya]

Notice that the name of the application in the image has been changed. Apple had to stop using the name "EvilWare" because that product is trademarked by Microsoft.

Change in text maybe?

[wedding]

I like the idea, but couldn't the wording of the alert be simpler?

Why not ask "The document you're opening is trying to open and run _____. If you don't want to do this, click CANCEL."

The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.

Re:Change in text maybe?

[cheide]

The goal here is to get the user to think "Hey, I wasn't expecting this! Hmmm, if I wasn't expecting it, then I better cancel it..." People tend to become complacent and click Yes/OK to any old 'plain' dialog that comes along, though, so wording that has a bit of a warning tone to it and an attention-grabbing graphic might get them to take notice.

Of course then the danger is that they might be too cautious and cancel it when they should have let it run, and then their app or web page doesn't work, but at least that's a safer failure mode.

Re:Change in text maybe?

[PierceLabs]

True, but the ocurrence of that is currently pretty rare since most poeple never really encountered the URI exploit in the wild and almost no real application would require that functionality to be exposed to the user in that manner.

I think this fix is reasonable in that it won't be popping up all the time and when it finally does - it will look out of place and the default behavior should be to cancel (not allow) the operation to continue.

Re:Change in text maybe?

[justMichael]

The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.

While this is true in Windows, the dialogs are worded very poorly and usually only have OK CANCEL. The dialogs in OS X are usually worded in such a way as to make sense and the buttons usually have words on them directly related to what they do.

Even in this example, Cancel Open, so you know even without reading the dialog that one button is going to open something and the other is going to cancel.

Where as OK CANCEL is completely reliant on someone reading the dialog (not normally going to happen) or click OK and see what happens.

The action you are trying to perform will destroy data and we have stopped it, do you wish to allow it to continue? OK CANCEL

The action you are trying to perform will destroy data, do you want us to stop this from happening? OK CANCEL

Doesn't break Paranoid Android

[teamhasnoi]

I've just confirmed that Paranoid Android still works, and hollers about the exploit before Apple's fix.

What that means, I don't know. I'm an Apple user. Hold me.

Doesn't work?

[MoneyT]

Well this one is odd to me. The update didn't appear to work. Trying the tests at the following link I get the following:

4 tests

The first one does not execute, but no dialouge is presented.

The second one executes.

The third does not execute, but does launch help viewer, no dialouge

The fourth does not mount or execute on the volume, but does launch a terminal trying to access the volume.

The only reason I can think of why this didn't take may be because I have PA installed but diabled, and it may be interfering with the patch.

Is anyone else having this issue?

Re:Doesn't work?

[jokell82]

My experience, having never installed PA:

• First does not execute, no dialog presented.
• Second one does not execute, but does connect to the FTP (which I would expect it to do), again no dialog.
• Third launches help viewer, but does nothing else, no dialog.
• Fourth does not mount or execute the volume, but does launch the terminal, again non dialog.
  
  It appears to be all fixed, as some of the methods to install the exploits still work, but the exploits themselves do not run. I wonder if anyone will find a way around the fixes.

Re:Doesn't work?

[FredFnord]

> test 2 - "idisk" mounts, but it brings up the new dialog.

That's the fixed part.

> test 4 - terminal launches, and attempts to connect to a remote site -
> appears that if it were a malicious site, it would have worked.

A malicious... telnet... site? Er, whee, lookit the pretty birdies.

The telnet: URL handler is *supposed* to open a telnet connection. It doesn't install any code, it doesn't download anything, it doesn't even execute any commands. It just opens a telnet connection.

The issue that is fixed here is having a disk image mount and create a new URI handler, and then a redirect on your web browser launching the application using the new handler.

This doesn't affect telnet handlers, which are already registered and don't run anything on random mounted disk images.

It doesn't affect helpviewer, which has already been patched and fixed. That is, helpviewer can no longer run arbitrary scripts, so the fact that the disk image mounted doesn't make a damn bit of difference.

Basically, don't post warnings about things you have no clue about.

-fred

Re:Doesn't work?

[dunderwo]

this exploit is not fixed.

Yes it is.

If you ran the test exploits before installing the update, then the applications that they run are already "trusted" in the sense that they were already on your computer as registered handlers for those URI types, so the dialog does not appear (if the dialog appeared for every preexisting application on your computer, then its meaning would be diluted to the point of uselessness). Since these proof-of -concept applications are harmless, there's nothing to worry about. Any new applications run by a URI will make the dialog appear as it should.

Re:Doesn't work?

[Have+Blue]

• First exploit succeeds.
• Second exploit brings up the warning dialog.
• Third exploit launches Help Viewer but fails to execute the payload.
• Fourth exploit launches terminal, fails to execute payload.

Dumb People...

[wwvuillemot]

No word in given regarding how the average user should know whether or not to approve the request.

What I do not understand is how you can completely eliminate danger from ill-formed people. The fact of the matter is that people are responsible for using computers. We can either have completely dumbed-down OS's (namely, companies such as Apple and M$ take complete responsibility for every sort of sescutiry isssue and to do so ensure they strict limit our use of their products to help mitigate their risk to such a godly -- and equally inane -- level of responsibility) or we accept the fact that the end-users have some responsibility, too. So how should the user know whether to accept or deny...read a book, google it up, or any other of a thousand ways people have spent millenia educating themselves...

Granted, the dialog that Apple has implemented could include some more information, but it is certainly in the right direction. As I am away from a Mac for a week, I am not positive how the new system works. I am not sure if you can say "Always permit this URI..." or if permission is on a per session basis. If the latter that might become annoying...and it might be nice to say "Forever Accept/Deny" in those cases where I feel confident that I can/should do that. Having said that, the one thing that I'd like to see is a list of those apps/URIs I have granted/stripped permission to/from so I have better management over the system....esp. after I FUBAR and grant permission to EvilWare!

Dang it!

[inertia187]

These stupid updates are ruining my laptop's uptime.

uniblab:~ anthony$ uptime
16:31 up 12 days, 2 hrs, 1 user, load averages: 0.80 1.32 1.47
uniblab:~ anthony$

Don't be ridiculous

[FredFnord]

You're crediting Slashdot with far, far, FAR too much organizational ability.

Trust me. If Slashdot was trying to hide something, they would post it on the front page, in foot-high green letters. Using the 'flash' tag. By accident.

Besides, I frankly think that none of those deserved to be on the main page, including this last one. Basically, they're of interest if you're a Mac user, a Mac admirer, or a Mac basher, and all three of those types already read the apple.slashdot.org section.

And likewise, if they were trying to keep these things hushed up, why would they have posted them at all? Anyone who has any interest in Apple, pro or con, already reads the Apple section, so it's not like they're being very effectively hidden. And nobody else who saw them on the main page would remember that they saw them fifteen minutes later.

There are plenty of conspiracies out there. Go pick a real one to pick on. For example, if you find out what happened to all my damn missing socks, I'll give you a medal.

-fred

ill-formed people

[exp(pi*sqrt(163))]

I know. Those hunchbacks are always cracking my system.

arg!

[prockcore]

Did anyone elses machine totally lock up while installing this security update?

Software Update now claims I'm all up to date, but now I'm not so sure.

Re:arg!

[narratorDan]

Look for the file "SecUpd2004-06-07Pan.pkg" in /Library/Receipts. If it is there then you're probably safe as this file is added after it is installed to indicate a complete install.
In the future, instead of clicking on the button, use the menu "Update > Download Only" for your updates. It will download the update and keep it so that if the machine locks up or the powergoes out you can re-install from the saved .pkg which can be found in /Library/Packages. Another benefit is that you can collect all the updates on a CD just incase you have to do a full install again but don't want to download all the patches. (That is mostly for those of us who have 56k connections)

NarratorDan

Re:Malicious telnet: how the exploit works.

But the Telnet '-n' exploit has already been fixed.

sshLogin needs to be reinstalled

[Yeechang+Lee]

For those who use the very useful SSH agent sshLogin, I found that I needed to reinstall it after the upgrade, in contrast to the many other OS security updates I've installed since February.