[[APi]TheMan]

Heh, I just clicked that disk://fundisom.com/owned/owned.dmg and Little Snitch asked me if "diskimages-helper" could have permission to access the network. No thanks! Deny forever!

For those who don't know, Little Snitch is a utility for Mac OS X that monitors internet traffic leaving your computer. Before each transaction occurs Little Snitch asks you if you want to allow the listed application to carryout with the traffic. If yes, you can specify whether you want to allow access to only that server, that server & port, or any connection (and whether it is a one-time setting or a "forever"). You also have the option to deny applications from ever reaching the outside world. It's really a nifty application. You'd be surprised how many applications "call home" when they're run.

http://www.obdev.at/products/littlesnitch/

[turtle777]

Originally posted by sniffer:
At least no execution of "scripts" outside the browser .. [ ]

Uhm, well, yeah, that's what I meant.

-t

[sniffer]

Heh, I just clicked that disk://fundisom.com/owned/owned.dmg and Little Snitch asked me if "diskimages-helper" could have permission to access the network. No thanks! Deny forever!

The disk helper internet protocol thing is not the problem here. It's the "help" internet protocol ability to run scripts through "Help Viewer" that is the true security issue here.

[sniffer]

Originally posted by turtle777:
Uhm, well, yeah, that's what I meant.

-t

I know. That's why "[ ]".

[OwlBoy]

Oh my.

-Owl

[itai195]

Originally posted by Mr Scruff:
Here's another demo that doesn't involve mounting a .dmg

WARNING: Clicking the below link will cause a non malicious command to be run on your system.

http://bronosky.com/pub/AppleScript.htm

Not good...

Wow, one of the first times I can click on a link that executes a [non]malicious exploit with no worries, because I'm using Win2K/IE... what a crazy world

I'm a little late to the game here, but what the hey... Things like this are why us Mac users in general need to learn not to brag about how secure our OS is -- the fact of the matter is that there are probably plenty of issues out there that people just haven't tried because Mac users aren't a very interesting target. This particular issue is just... it should have been obvious. I wonder how many of the other default protocol handlers on OS X have similar vulnerabilities.

Above all, I can't believe Apple has known about this issue for two months and hasn't done a thing about it.

[[APi]TheMan]

Originally posted by sniffer:
The disk helper internet protocol thing is not the problem here. It's the "help" internet protocol ability to run scripts through "Help Viewer" that is the true security issue here.

Correction, it's not the most pressing issue here, but it still poses a threat. When used in conjunction with the help: exploit it could be super sweet and be used for fully constructive and helpful purposes...

I just think it's nice to know what's goin' on behind the scenes.

[GENERAL_SMILEY]

I just DL'ed this little APP - RCDefaultApp 1.1

Disabled the help URL thing - seems to have defeated the various exploits. Hope I'm right.

linker

[IDM808]

Ok, so the best thing to do is (in no particular order):
1. Change the help protocol to something else (ie. Chess) using either Misfox or More Internet.

2. Do the same thing inside Internet Explorer preference pane.

3. Only go to trusted websites and click on only trusted links.

4. Turn off auto mount downloaded files or open safe files inside Safari and Internet Explorer.

5. Dont bother modifying or deleting the OpnApp.scpt file, since these don't fix all situations.

Does number two fix the problem for all browsers as mentioned in this forum? If yes, number one doesn't need to be done correct?

Does turning off "Java" and "JavaScript" inside Safari and IE fix this? I know this renders a lot of websites useless, but it should work correct?

Does using a web browser in classic work around this exploit? I'm assuming no since it would still invoke the same scripts, correct?

[Groovy]

Originally posted by theolein:
RTFT

RTFA


it is not the exact same thing as this thread has been talking about.
I did paste it here BECAUSE it is related and BECAUSE of the topic you dumb a$$

no disk image needed
no known code on disk needed
no refresh needed


ALL done via javascript. Please show me were this offshoot way was talked about
on the first page of this thread? Unless someone went back and edited their
post it wasn't.


i guess if i paste the link to the "Quicktime:" exploit you will whine about too
as being a RTFT because it is sorta related to the help: exploit lol

[IDM808]

I just changed the help protocol inside Internet Explorer to open Chess. Once I did this, I launched one at a time, Safari, Camino, Firefox, Mozilla, and Netscape. I went to the proof of concept test at insecure.ws to test out all web browsers listed above. I clicked the link and all browsers above opened up Chess. For my experience, changing the preference in Internet Explorer was system wide. I didn't have to download and install any third party apps. So why oh why do I have Internet Explorer? I keep it around just in case a web site refuses to work in any other browser. I think it's wrong that IE can temporary fix an exloit in OS X. Oh well, that's life. So why don't I just install a third party app and not deal with IE? Well our IT dept doesn't like us installing third party software unless it's absolutely needed. Anyone else have these results?

[itai195]

Originally posted by Groovy:
RTFA


it is not the exact same thing as this thread has been talking about.
I did paste it here BECAUSE it is related and BECAUSE of the topic you dumb a$$

no disk image needed
no known code on disk needed
no refresh needed


ALL done via javascript. Please show me were this offshoot way was talked about
on the first page of this thread? Unless someone went back and edited their
post it wasn't.

The link was already posted and already discussed within this thread.

[CharlesS]

Well folks, the score is no longer tied.

http://www.cnn.com/2004/TECH/interne...eut/index.html

"A flaw in Microsoft's almost universally used Windows operating system could allow hackers to take control of a PC by luring users to a malicious Web site and coaxing them into clicking on a link, the company warned on Tuesday."

Apple: 1
Microsoft: 2

Not that this isn't still a very serious flaw in OS X.

[turtle777]

Originally posted by IDM808:
I I think it's wrong that IE can temporary fix an exloit in OS X. Oh well, that's life.

If you read the threat carefully, you would have noticed that there are other apps available that do the same thing.
IE is not SOO special !

-t

[sniffer]

Originally posted by IDM808:
I just changed the help protocol inside Internet Explorer to open Chess. Once I did this, I launched one at a time, Safari, Camino, Firefox, Mozilla, and Netscape. I went to the proof of concept test at insecure.ws to test out all web browsers listed above. I clicked the link and all browsers above opened up Chess. For my experience, changing the preference in Internet Explorer was system wide. I didn't have to download and install any third party apps. So why oh why do I have Internet Explorer? I keep it around just in case a web site refuses to work in any other browser. I think it's wrong that IE can temporary fix an exloit in OS X. Oh well, that's life. So why don't I just install a third party app and not deal with IE? Well our IT dept doesn't like us installing third party software unless it's absolutely needed. Anyone else have these results?

You're a genius! LOLROFLMAO!
Why didn't anyone think about that for until now? Anyway, good thinking.

[IDM808]

Hey turtle777, I'm not trying to start a flame fest, but I did read the thread and I do mention the third party apps that others have mentioned in my first post. The reason I mentioned that it is wrong that IE fixed an Apple issue is because the test I did on my machine fixed it system wide. I am assuming this will work for others. I know there are third party apps available that do the same thing. If you read my posts carefully, you should have read that I am not allowed to install third party apps per the IT department. Again, I am not trying to start an argument. I don't use IE unless it's a last resort. I know IE isn't anything special.

I did not come up with this fix, I believe someone else mentioned it in this thread. I just didn't know if it was system wide, until I tried it out. I can not take credit for this fix.
Have a nice day everyone. The sun is out where I am. I'm outta here!!! peace

[kampl]

Originally posted by theolein:
There are quite a lot of sites, mainly spammers' sites, sites of the type that used to download diallers onto your PC via IE, sites that downloaded spyware onto your PC via IE and porn sites that would love something as easy to implement as this. The site that wants to delete your data is rare, the site that wants to use you for their profit isn't.

Which part of phishing style attacks are you not understanding?

[kampl]

On a side note, how many of you people really use "Help Viewer.app"? I pose the question out of my own curiosity of course. This vulnerability was easily thwarted by a simple shell command, that is if one does not really need Help Viewer like myself.

sudo cp -R /System/Library/CoreServices/Help\ Viewer.app /System/Library/Help\ Viewer.app.bak

Done. Problem mitigated until such a time that a fix is available. There are plenty of resources to use in the mean time that Help Viewer was useless for, for me anyway.

Forgot the second command, doh.

sudo rm -Rf /System/Library/CoreServices/Help\ Viewer.app

[sniffer]

Originally posted by StacyK:
I'm glad too.

If for some reason you don't want to use MoreInternet, this fix can also be accomplished using the preferences pane in IE 5.2, that is if you are not such an Apple zealot that you deleted that ages ago. Once you set it there the change is good for Safari too.

Yep, credit to the right person for bringing up the idea about using IE instead of third party applications.

[CharlesS]

Originally posted by kampl:
On a side note, how many of you people really use "Help Viewer.app"? I pose the question out of my own curiosity of course. This vulnerability was easily thwarted by a simple shell command, that is if one does not really need Help Viewer like myself.

sudo cp -R /System/Library/CoreServices/Help\ Viewer.app /System/Library/Help\ Viewer.app.bak

Done. Problem mitigated until such a time that a fix is available. There are plenty of resources to use in the mean time that Help Viewer was useless for, for me anyway.

Forgot the second command, doh.

sudo rm -Rf /System/Library/CoreServices/Help\ Viewer.app

That won't do any good if LaunchServices figures out about the backup of Help Viewer that you make. The help: protocol is bound to Help Viewer's creator code, so it'll find it no matter where it is.

Now, if you compressed it into a .zip archive and deleted the original, then that would work. It still seems silly to me when all you really need to do is remap the 'help:' protocol.

[kampl]

Originally posted by theolein:
This is not the case at all. A malicious site can do all this, with any OSX browser, without you doing ANYTHING at all. You just have to load the page and it's got you. This is in no way similar to the other recent hoaxes or trojans that require the user to do something.

Exactly, thank you. One has to lure a person into clicking a link that is potentially malicious. I.e. phishing attacks, similar to spam sent out all over the place to get MS Windows IE users to click links and divulge sensitive info.

This goes a bit further similar to what Nimda did to infect browsing hosts. Nothing new, just different in so far as the platform.

[sniffer]

For those interested, this hole also exists in 10.2.8 as well. It's confirmed. Running the command:

Code:
help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt

in the address field opens help viewer and runs the date & time script.

[kampl]

Originally posted by CharlesS:
That won't do any good if LaunchServices figures out about the backup of Help Viewer that you make. The help: protocol is bound to Help Viewer's creator code, so it'll find it no matter where it is.

Now, if you compressed it into a .zip archive and deleted the original, then that would work. It still seems silly to me when all you really need to do is remap the 'help:' protocol.

Have you tried it? I have yet to see an example posted that will allow the "malicious" scripts to run at all. I get errors in Safari in so far as unreachable this and that.

[kampl]

CharlesS

How does one remap the help:// protocol BTW. I'm not familiar. I went for a *nix style solution as that is what I have a better background in.

[sniffer]

Originally posted by kampl:
CharlesS

How does one remap the help:// protocol BTW. I'm not familiar. I went for a *nix style solution as that is what I have a better background in.

You can simply boot up IE , open preferences, and change the protocol helpers there. Test if you got it right by simply run "help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt" in the address field in your browser. If Help Viewer starts and you get "Date & Time" pop-up, the flaw is still open. If it instead simply starts your chosen helper application, you should be safe.

[CharlesS]

Originally posted by sniffer:
You can simply boot up IE , open preferences, and change the protocol helpers there. Test if you got it right by simply run "help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt" in the address field in your browser. If Help Viewer starts and you get "Date & Time" pop-up, the flaw is still open. If it instead simply starts your chosen helper application, you should be safe.

Or, you can use More Internet, which is a nice preference pane for doing this, written by a member of these boards. It's available in his .mac Public Folder, username DiggoryLaycock. That way you don't have to use IE.

[kampl]

Originally posted by sniffer:
You can simply boot up IE , open preferences, and change the protocol helpers there. Test if you got it right by simply run "help:runscript=../../Scripts/Info Scripts/Current Date & Time.scpt" in the address field in your browser. If Help Viewer starts and you get "Date & Time" pop-up, the flaw is still open. If it instead simply starts your chosen helper application, you should be safe.

I srm'ed IE long ago, as it is useless compared to Safari or Foxfire. Is there another way that eludes me?

With that in mind, is IE the controller of sorts that one has to use to bind/unbind protocols and whatnot from a browser despite the dominant browser on the platform?

[CharlesS]

Originally posted by kampl:
I srm'ed IE long ago, as it is useless compared to Safari or Foxfire. Is there another way that eludes me?

With that in mind, is IE the controller of sorts that one has to use to bind/unbind protocols and whatnot from a browser despite the dominant browser on the platform?

Go -> iDisk -> Other User's Public Folder. Username DiggoryLaycock. MoreInternet1.1.1.dmg.

[kampl]

Originally posted by CharlesS:
Go -> iDisk -> Other User's Public Folder. Username DiggoryLaycock. MoreInternet1.1.1.dmg.

CharlesS

This does what for me? I don't want some 3rd party entity issuing security patches or what have you. I'm not a debugger so I do not trust someone else to the security of my system other than Apple, save for oother sources I trust. Particularly a dmg with some app somebody put together. Code please?

[sniffer]

Originally posted by CharlesS:
Or, you can use More Internet, which is a nice preference pane for doing this, written by a member of these boards. It's available in his .mac Public Folder, username DiggoryLaycock. That way you don't have to use IE.

Seen that. Personally I just used the one from the iCab developer. Worked as well.

[CharlesS]

Originally posted by kampl:
CharlesS

This does what for me? I don't want some 3rd party entity issuing security patches or what have you. I'm not a debugger so I do not trust someone else to the security of my system other than Apple, save for oother sources I trust. Particularly a dmg with some app somebody put together. Code please?

Seriously, there are posts about how to use this all over this thread.

More Internet is an app that has been out for ages. It allows you to remap protocols. You can use it to change help: so it points to something other than Help Viewer, like Chess. Then help: protocols are no longer able to use Help Viewer to execute scripts. It's not a patch, and it wasn't designed to combat this problem, but it is very useful in disabling the help: protocol, which will make you safe until the eventual security patch comes out.

[kampl]

Originally posted by CharlesS:
Seriously, there are posts about how to use this all over this thread.

More Internet is an app that has been out for ages. It allows you to remap protocols. You can use it to change help: so it points to something other than Help Viewer, like Chess. Then help: protocols are no longer able to use Help Viewer to execute scripts.

This is not a question about how to use it. I could care less. Why for instance would I want to, when I can rename the Help\ Viewer.app for now until such time that Apple addresses the problem? Is it that critical an application for anyone (still waiting on anyone to chime in on that one)?

I can mitigate the problem myself easily and without any wondering, or I can rely on a 3rd party to reconfigure my device for me whose application does god knows what. Taking a route other than "some dude" seems like a good idea at this point. Wouldn't you say?

[CharlesS]

Originally posted by kampl:
This is not a question about how to use it. I could care less. Why for instance would I want to, when I can rename the Help\ Viewer.app for now until such time that Apple addresses the problem? Is it that critical an application for anyone (still waiting on anyone to chime in on that one)?

Because:

1. The help: protocol is bound to Help Viewer's creator code, 'hbwr'. LaunchServices will launch the app with that creator code, no matter where it is in the file system. If it's not launching it now, it hasn't discovered the app there yet, but if you ever browse through there, it may get added to the LaunchServices database so that it will.

2. Changing the protocol is much simpler to do, and doesn't require you to change things inside /System.

3. It is nice to be able to read the help for certain apps sometimes, no?

I can mitigate the problem myself easily and without any wondering, or I can rely on a 3rd party to reconfigure my device for me whose application does god knows what. Taking a route other than "some dude" seems like a good idea at this point. Wouldn't you say?

For Christ's sake. The app will not reconfigure your device for you. All it does is to provide a very simple interface to the protocol helper settings, allowing you to reconfigure it yourself. This is not some script to automatically close the hole and existed long before the hole did. The app is good, it works, and the author is Diggory Laycock, who is a respected member on these boards.

Are you telling me you never use any third party software, as a rule?! Because if you have to do everything by hand, then you should go modify the LaunchServices preferences file by hand with TextEdit. Because changing the protocol mappings will fix the problem, and your solution won't.

[sniffer]

Originally posted by kampl:
Taking a route other than "some dude" seems like a good idea at this point. Wouldn't you say?

You do just as you please. This thread is not a help desk, and none of us are responsible for what happens to your machine. Wait for the Apple patch if you don't feel comfortable with our suggestions for workarounds. This is pretty much a spanking new security flaw for 99.98% of the posters in here. We find the alternative paths as we go. No one have a manuscript here. If you don't know what is going on, please take the time to start reading the thread from post #1.

So much for the appreciation ..

[CharlesS]

Oh, by the way, here's another reason not to do it your way.

As we know, LaunchServices will open any copy of Help Viewer it finds on your system. So, even if you compress it into a .zip archive or similarly disguise it so LaunchServices won't find it and launch it, anyone could easily bundle a copy on the disk image containing the exploit script. LaunchServices will pick up the app's creator code when the disk image is launched, and then happily open that copy of Help Viewer when I send you the help: URL.

So, in summary, if you want to fix this hole, you should do it properly, and remap the protocol. Then the protocol will always point to Chess unless you delete it.

Crap, now that I think about it, what would stop any hacker from using this to open an app bound by default to any helper app not present in a normal install?

[kampl]

Originally posted by CharlesS:
Because:

1. The help: protocol is bound to Help Viewer's creator code, 'hbwr'. LaunchServices will launch the app with that creator code, no matter where it is in the file system. If it's not launching it now, it hasn't discovered the app there yet, but if you ever browse through there, it may get added to the LaunchServices database so that it will.

2. Changing the protocol is much simpler to do, and doesn't require you to change things inside /System.

3. It is nice to be able to read the help for certain apps sometimes, no?


For Christ's sake. The app will not reconfigure your device for you. All it does is to provide a very simple interface to the protocol helper settings, allowing you to reconfigure it yourself. This is not some script to automatically close the hole and existed long before the hole did. The app is good, it works, and the author is Diggory Laycock, who is a respected member on these boards.

Are you telling me you never use any third party software, as a rule?! Because if you have to do everything by hand, then you should go modify the LaunchServices preferences file by hand with TextEdit. Because changing the protocol mappings will fix the problem, and your solution won't.

This is not about 3rd party software now is it? It is in regards to a "security patch" from an untrusted source, not Apple. If I can "remove" the problem in my way, would that not be a better solution than "click here" *snicker*? I deem it as a worthy solution. I have not had this "mystical magical LaunchServices" discover anything that circumvents my precautions in so far as browsing and malicious code execution.

I'm sure the person in question (developer) is respectable, but that is not in question either. The question lies in the fact that "you" are trusting a source to fix your problems as oppossed to the the maker of the product. Does this make sense? There are 3rd party patch makers for Windows too, would you trust them? None of this appears to be open source, so for an "open" developer to tout this as a fix is a little ridiculous to trust.

I say "open" in the event that perhaps the code is viewable, but unneeded in my case.

Of course I use 3rd party software, but I do not let it cause damage to my system that I know of. A security vuln? That is a story that all the low life losers know about very quickly. So, do I trust anonymous dude, or do I trust ridding the system of the vulnerable service? Seems like a no brainer, but apparently it is not from what I hear.......

[CharlesS]

Originally posted by kampl:
This is not about 3rd party software now is it? It is in regards to a "security patch" from an untrusted source, not Apple. If I can "remove" the problem in my way, would that not be a better solution than "click here" *snicker*? I deem it as a worthy solution. I have not had this "mystical magical LaunchServices" discover anything that circumvents my precautions in so far as browsing and malicious code execution.

I'm sure the person in question (developer) is respectable, but that is not in question either. The question lies in the fact that "you" are trusting a source to fix your problems as oppossed to the the maker of the product. Does this make sense? There are 3rd party patch makers for Windows too, would you trust them? None of this appears to be open source, so for an "open" developer to tout this as a fix is a little ridiculous to trust.

I say "open" in the event that perhaps the code is viewable, but unneeded in my case.

Of course I use 3rd party software, but I do not let it cause damage to my system that I know of. A security vuln? That is a story that all the low life losers know about very quickly. So, do I trust anonymous dude, or do I trust ridding the system of the vulnerable service? Seems like a no brainer, but apparently it is not from what I hear.......

Repeat after me: The application in question is NOT a security patch. It is a normal, respected maintenance utility that has been around for ages. You are not trusting it to do anything, since you do it all yourself. The app only provides a very simple interface to change the settings. All the actual setting changes are done by you.

The developer is not anonymous, and he was not the one to start touting his app as a solution to the problem. The very page that made the exploit public mentioned More Internet as a way to fix the problem before anyone else, including the developer of More Internet, even knew about the exploit.

[kampl]

Originally posted by CharlesS:
Repeat after me: The application in question is NOT a security patch. It is a normal, respected maintenance utility that has been around for ages. You are not trusting it to do anything, since you do it all yourself. The app only provides a very simple interface to change the settings. All the actual setting changes are done by you.

The developer is not anonymous, and he was not the one to start touting his app as a solution to the problem. The very page that made the exploit public mentioned More Internet as a way to fix the problem before anyone else, including the developer of More Internet, even knew about the exploit.

So you know the person, my bad....... Seriously, would you rely on any tom dick and harry that had been "around the forum for awhile"? Whether or not this app mitigates the current problem is retarded, in that this is product of a party unaffiliated with Apple. Of course this will be widespread and embraced........

In any event, I can run some random "forum approved app" or I can take care of the issue myself and divulge the information at that point, much like you, or wait for Apple to take care of business.

It appears we can go back and forth all night, not needed. I appreciate your input but I do not approve of your methods in so far as trusting some random thingy to take care of it.

This is fine, however I am a bit more reserved in so far as what I will run here and elsewhere. Thanks for a stimulating discussion.

[Developer]

Originally posted by CharlesS:
****, now that I think about it, what would stop any hacker from using this to open an app bound by default to any helper app not present in a normal install?

From observation LaunchServices appears to register a program only when it's in one of the Applications folders at log-in or when it is has been launched by double-clicking at least once. So this currently wouldn't work because LaunchServices doesn't know about any apps on the freshly mounted image.

(didn't test it though; maybe LaunchServices got smarter meanwhile and this works now, but I don't think so)

[CharlesS]

Originally posted by kampl:
So you know the person, my bad....... Seriously, would you rely on any tom dick and harry that had been "around the forum for awhile"? Whether or not this app mitigates the current problem is retarded, in that this is product of a party unaffiliated with Apple. Of course this will be widespread and embraced........

In any event, I can run some random "forum approved app" or I can take care of the issue myself and divulge the information at that point, much like you, or wait for Apple to take care of business.

Well, in addition to the forum, there's VersionTracker (5 star rating):

http://www.versiontracker.com/dyn/moreinfo/macosx/16066

Or MacUpdate (4.5 star rating):

http://www.macupdate.com/info.php/id/12849

Or MacWorld (4.5 mouse rating, twice):

http://www.macworld.com/2004/03/reviews/macgems/
http://www.macworld.com/2003/11/reviews/macgens/

Look, this is a good app, and it's made by an established Mac developer, not some Tom, Dick, or Harry. It is not a patch and was not designed solely to fix this bug. You seem to have trouble comprehending this, but maybe the Macworld review from November 2003 will help you figure out that this has been around for a while and is well known.

Sheesh, people will trust a third party app to repair their whole hard drive, but refuse to use an app designed to allow you to change some protocol helper settings.