Apple Addresses URI Handler Issues

← Back to Stories (view on slashdot.org)

Apple Addresses URI Handler Issues

Posted by pudge on Monday June 7, 2004 @09:14AM from the hooray dept.

das writes "Apple released Security Update 2004-06-07 via Software Update. From the brief description: 'Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. [...] Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application.'" This also fixes some related security problems with Terminal.app, Safari, and DiskImageMounter. No word in given regarding how the average user should know whether or not to approve the request.

26 of 106 comments (clear)

Min score:

Reason:

Sort:

No word? by daveschroeder · 2004-06-07 09:16 · Score: 4, Insightful

"No word in given regarding how the average user should know whether or not to approve the request?"

Well, first of all, this security update takes the issue completely from the realm of a an automated exploit that could execute arbitrary code simply by visiting a web page with no user interaction or warning, to what can now only be described, more or less, as a social engineering exploit. If you download a new application, like, say an RSS reader, the OS will prompt you to add, for example, the 'feed:' URI handler:

- ONLY the first time, and

- ONLY if it's invoked remotely, e.g., via a web page, URL in an email message, etc.

And since the only value of this exploit came from it being used in two HTML frames with two META REFRESH tags, via a browser, to cause some type of remote volume to mount (or a file to download) AND then have the newly registered URI remotely called, this completely and totally fixes the issue, without hurting the normal functionality of having new URIs get registered when you launch an application. Saying "No word in given regarding how the average user should know whether or not to approve the request" is tantamount to saying that no guidance is given on whether or not a user should even know to open, say, a shareware app they've downloaded for the first time.

On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue. This addresses the core of the issue, which was several OS features interacting to essentially enable an automated exploit; that capability is now completely disabled. Apple even went further and removed some suspect handlers (disk:) completely, even though this fix makes it unnecessary.

Also, detailed information on what exactly was changed is here:

http://www.info.apple.com/kbnum/n61798

...as well as a description of what exactly occurs if this situation is encountered:

http://www.info.apple.com/kbnum/n25785

You can verify that these issues are fixed by using the following test site: http://test.doit.wisc.edu/
1. Re:No word? by pudge · 2004-06-07 09:20 · Score: 4, Funny
  
  On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue.
  
  You think much more highly of the average user than I do.
2. Re:No word? by yotaku · 2004-06-07 09:26 · Score: 5, Insightful
  
  "On the other hand, if a user is innocently visiting a web site and a dialog box all of a sudden appears prompting the user to accept that *an application* be run, I think it's pretty clear that this handles the issue."
  
  Yes just like a windows user knows to say no to those ActiveX dialogs. I'm sorry but this does NOT solve the problem. Research shows that when a user is exposed to such a dialog they get confused and pick a random option.
  
  This is a fix for semi-intelligent computer users. It does not help the average user. If this really worked then no-one would still be installing Gator.
3. Re:No word? by baur · 2004-06-07 09:31 · Score: 5, Insightful
  
  You think much more highly of the average user than I do.
  
  If you have that low an opinion of people, then you should realize that there is almost nothing that can be done to protect them. At some point, a user has to be allowed to run programes - and new ones at that. If not, then the computer is nearly useless.
  
  Social engineering is always possible. Heck, there are windows viruses that spread using a password protected zip file. That means that the user has to be convinced to download the file, open it, put in a password and then run the trojan. Sure, some people are dumb enough to go through all of that (the fact that its spreading at all is proof of that) - but how many hoops are reasonable to jump though to protect the user? At some point, the OS has to step back and let the user do what they want, or else they'll go use something that gives them more control.
4. Re:No word? by merdark · 2004-06-07 10:40 · Score: 4, Insightful
  
  IMO, the way this should work is to disallow an app to be executed for the first time, period, except explicitly.
  
  This is what clicking 'Yes' in the dialog box does. Explicitly runs an app.
  
  There should be no dialog asking them if they want to open it for the first time, it should simply be disallowed, period.
  
  This you may as well remove the functionality completely, considering you just removed the only way to run a handler explicitly.
  
  There is no way around this. Either a user knows that an app is safe to run, or they don't. I haven't tried it yet so I don't know if this is the case already, but the ONLY solution to the user problem is the solution taken by windows. Every time the dialog pops up, put a phrase saying "If you don't understand, click no because you could be hax0red".
5. Re:No word? by shendart · 2004-06-07 12:04 · Score: 5, Funny
  
  You forget that we're not talking about the average user, but rather the average APPLE user.
  
  Everyone knows that we're taller, more attractive, more aromatically enticing, (prone to verbose grammer), and more intelligent than the average computer user.
6. Re:No word? by Lars+T. · 2004-06-07 12:41 · Score: 5, Insightful
  
  What happened to the Apple HIG mantra "Press Enter and the safe option will be activated"?
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
No word is given? by cbiffle · 2004-06-07 09:16 · Score: 4, Informative

That's not entirely true. The KB article linked from the SecUpd description provides a screenshot of the approval dialog.

Basically, it notes that the app is being started for the first time, and it says that unless you expected to see that app come up in response to whatever you just did, kill it by pressing 'Cancel.'

I think this is a pretty good way of handling the situation. They could have left the hole unplugged, or simply disabled the functionality in general. The dialog box strikes me as a good compromise.

However, I do think a little more info might be nice, like how long ago the app was installed, etc. Might make it harder for a new app to masquerade under the name of an old app.
Sure there is. Well, sorta. by Anonymous Coward · 2004-06-07 09:18 · Score: 3, Informative

If you read the links apple provided, you will eventually end up here: http://docs.info.apple.com/article.html?artnum=257 85
How will they know? by teamhasnoi · 2004-06-07 09:23 · Score: 4, Funny

With a non-descriptive name like EvilWare, how is anyone going to know if it is ok or not?
Yes, I was just about to hit SubmitStory, and yes, I'm still bitter. ;P
1. Re:How will they know? by jimbolaya · 2004-06-07 14:56 · Score: 4, Funny
  
  Notice that the name of the application in the image has been changed. Apple had to stop using the name "EvilWare" because that product is trademarked by Microsoft.
  
  --
  There ain't no rules here; we're trying to accomplish something.
Change in text maybe? by wedding · 2004-06-07 09:32 · Score: 5, Insightful

I like the idea, but couldn't the wording of the alert be simpler?

Why not ask "The document you're opening is trying to open and run _____. If you don't want to do this, click CANCEL."

The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.
1. Re:Change in text maybe? by PierceLabs · 2004-06-07 10:07 · Score: 3, Insightful
  
  True, but the ocurrence of that is currently pretty rare since most poeple never really encountered the URI exploit in the wild and almost no real application would require that functionality to be exposed to the user in that manner.
  
  I think this fix is reasonable in that it won't be popping up all the time and when it finally does - it will look out of place and the default behavior should be to cancel (not allow) the operation to continue.
2. Re:Change in text maybe? by justMichael · 2004-06-07 11:35 · Score: 5, Insightful
  
  The message makes sense to a geek, but I'm with an earlier poster, many users will just click OK out of confusion.
  While this is true in Windows, the dialogs are worded very poorly and usually only have OK CANCEL. The dialogs in OS X are usually worded in such a way as to make sense and the buttons usually have words on them directly related to what they do.
  
  Even in this example, Cancel Open, so you know even without reading the dialog that one button is going to open something and the other is going to cancel.
  
  Where as OK CANCEL is completely reliant on someone reading the dialog (not normally going to happen) or click OK and see what happens.
  
  The action you are trying to perform will destroy data and we have stopped it, do you wish to allow it to continue? OK CANCEL
  
  The action you are trying to perform will destroy data, do you want us to stop this from happening? OK CANCEL
Re:Usability Growing Pains by MoneyT · 2004-06-07 09:35 · Score: 4, Interesting

I wonder if there's any benifit to how the dialouge is worded. Many of the ones I see often say "If you trust this document to be certified click OK" or "If you're sure you want to do this, click OK" Essentialy it tells you to click OK. This dialouge asks you if you're sure you want to open an application and specificaly says that if you were not expecting this, to click cancel.

Who knows, it might be a good experiment.

--
T Money
World Domination with a plastic spoon since 1984
Doesn't break Paranoid Android by teamhasnoi · 2004-06-07 09:39 · Score: 4, Funny

I've just confirmed that Paranoid Android still works, and hollers about the exploit before Apple's fix.
What that means, I don't know. I'm an Apple user. Hold me.
Doesn't work? by MoneyT · 2004-06-07 10:06 · Score: 3, Informative

Well this one is odd to me. The update didn't appear to work. Trying the tests at the following link I get the following:

4 tests

The first one does not execute, but no dialouge is presented.

The second one executes.

The third does not execute, but does launch help viewer, no dialouge

The fourth does not mount or execute on the volume, but does launch a terminal trying to access the volume.

The only reason I can think of why this didn't take may be because I have PA installed but diabled, and it may be interfering with the patch.

Is anyone else having this issue?

--
T Money
World Domination with a plastic spoon since 1984
1. Re:Doesn't work? by jokell82 · 2004-06-07 10:21 · Score: 4, Informative
  My experience, having never installed PA:
  
  First does not execute, no dialog presented.
  
  Second one does not execute, but does connect to the FTP (which I would expect it to do), again no dialog.
  
  Third launches help viewer, but does nothing else, no dialog.
  
  Fourth does not mount or execute the volume, but does launch the terminal, again non dialog.
  
  It appears to be all fixed, as some of the methods to install the exploits still work, but the exploits themselves do not run. I wonder if anyone will find a way around the fixes.
  --
  I dunno who it is
  but it prolly is fhqwhgads.
2. Re:Doesn't work? by FredFnord · 2004-06-07 13:11 · Score: 4, Insightful
  
  > test 2 - "idisk" mounts, but it brings up the new dialog.
  
  That's the fixed part.
  
  > test 4 - terminal launches, and attempts to connect to a remote site -
  > appears that if it were a malicious site, it would have worked.
  
  A malicious... telnet... site? Er, whee, lookit the pretty birdies.
  
  The telnet: URL handler is *supposed* to open a telnet connection. It doesn't install any code, it doesn't download anything, it doesn't even execute any commands. It just opens a telnet connection.
  
  The issue that is fixed here is having a disk image mount and create a new URI handler, and then a redirect on your web browser launching the application using the new handler.
  
  This doesn't affect telnet handlers, which are already registered and don't run anything on random mounted disk images.
  
  It doesn't affect helpviewer, which has already been patched and fixed. That is, helpviewer can no longer run arbitrary scripts, so the fact that the disk image mounted doesn't make a damn bit of difference.
  
  Basically, don't post warnings about things you have no clue about.
  
  -fred
  
  --
  Sign #11 of Slashdot overdose: You see the phrase 'moderate Republican' and you wonder if that would be a +1 or a -1.
3. Re:Doesn't work? by dunderwo · 2004-06-07 13:44 · Score: 3, Informative
  
  this exploit is not fixed.
  
  Yes it is.
  
  If you ran the test exploits before installing the update, then the applications that they run are already "trusted" in the sense that they were already on your computer as registered handlers for those URI types, so the dialog does not appear (if the dialog appeared for every preexisting application on your computer, then its meaning would be diluted to the point of uselessness). Since these proof-of -concept applications are harmless, there's nothing to worry about. Any new applications run by a URI will make the dialog appear as it should.
4. Re:Doesn't work? by Have+Blue · 2004-06-07 19:11 · Score: 3, Informative
  First exploit succeeds.
  
  Second exploit brings up the warning dialog.
  
  Third exploit launches Help Viewer but fails to execute the payload.
  
  Fourth exploit launches terminal, fails to execute payload.
Dumb People... by wwvuillemot · 2004-06-07 10:10 · Score: 5, Interesting

No word in given regarding how the average user should know whether or not to approve the request.

What I do not understand is how you can completely eliminate danger from ill-formed people. The fact of the matter is that people are responsible for using computers. We can either have completely dumbed-down OS's (namely, companies such as Apple and M$ take complete responsibility for every sort of sescutiry isssue and to do so ensure they strict limit our use of their products to help mitigate their risk to such a godly -- and equally inane -- level of responsibility) or we accept the fact that the end-users have some responsibility, too. So how should the user know whether to accept or deny...read a book, google it up, or any other of a thousand ways people have spent millenia educating themselves...

Granted, the dialog that Apple has implemented could include some more information, but it is certainly in the right direction. As I am away from a Mac for a week, I am not positive how the new system works. I am not sure if you can say "Always permit this URI..." or if permission is on a per session basis. If the latter that might become annoying...and it might be nice to say "Forever Accept/Deny" in those cases where I feel confident that I can/should do that. Having said that, the one thing that I'd like to see is a list of those apps/URIs I have granted/stripped permission to/from so I have better management over the system....esp. after I FUBAR and grant permission to EvilWare!
Dang it! by inertia187 · 2004-06-07 11:32 · Score: 4, Funny

These stupid updates are ruining my laptop's uptime.
uniblab:~ anthony$ uptime 16:31 up 12 days, 2 hrs, 1 user, load averages: 0.80 1.32 1.47 uniblab:~ anthony$

--
A programmer is a machine for converting coffee into code.
ill-formed people by exp(pi*sqrt(163)) · 2004-06-07 14:01 · Score: 3, Funny

I know. Those hunchbacks are always cracking my system.

--
Doesn't it make you feel good to know that our freedoms are protected by politicans, lawyers and journalists.
Re:arg! by narratorDan · 2004-06-07 15:57 · Score: 4, Informative

Look for the file "SecUpd2004-06-07Pan.pkg" in /Library/Receipts. If it is there then you're probably safe as this file is added after it is installed to indicate a complete install.
In the future, instead of clicking on the button, use the menu "Update > Download Only" for your updates. It will download the update and keep it so that if the machine locks up or the powergoes out you can re-install from the saved .pkg which can be found in /Library/Packages. Another benefit is that you can collect all the updates on a CD just incase you have to do a full install again but don't want to download all the patches. (That is mostly for those of us who have 56k connections)

NarratorDan

--
"If you're not confused by quantum mechanics, you really don't understand it." - Niels Bohr
Re:Usability Growing Pains by mbbac · 2004-06-08 05:45 · Score: 4, Insightful

It also doesn't say 'OK' or 'Cancel.' Like most good Mac dialogs, it uses action verbs. In this case the options are 'Open' or 'Cancel.'

--
mbbac