Security Update 2004-06-07 in SWU now
ctj
Junior Member
Join Date: Jul 2002
Location: Ames, IA
Jun 7, 2004, 04:31 PM
 
Just like the title says, Apple's posted a new security enhancement that suggests they've got this crazy URL thing licked. It's a 1.3MB download in Software Update, and the blurb says:
Security Update 2004-06-07 (Mac OS X 10.3.4 and 10.2.8)

Description - Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. The purpose of this update is to increase security by alerting you when opening an application for the first time via document mappings or a web address (URL).
Here's their infobase link: http://docs.info.apple.com/article.html?artnum=25785

Here's hoping this one's the real deal.
     
gorickey
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Jun 7, 2004, 04:35 PM
 
     
jessejlt
Mac Enthusiast
Join Date: Feb 2003
Location: Portland, Oregon
Jun 7, 2004, 04:51 PM
 
Hmf, seems to be a pretty good solution. I wonder if it's possible to spoof the OS into thinking that an app has been opened > 0 times though and thereby circumventing this patch. On the other hand, if this information is held in some sort of data file I would assume the only way for the malware to spoof its launch count would be to do so upon invocation, which would still require parsing that file... Okay, I've convinced myself, good solution.
jesse ;-)
     
das
Fresh-Faced Recruit
Join Date: Jan 2001
Location: Madison, WI, USA
Jun 7, 2004, 04:54 PM
 
This is the "real deal"; all of the previously discussed URI issues are fixed. (To those who think Apple dropped the ball the first time: they didn't - this issue only came to light AFTER the Help Viewer issue was being handled, and they responded to it in true form, just like they have for every other security issue.)

-----

Security Update 2004-06-07 (Mac OS X 10.3.4 and 10.2.8)

Description - Security Update 2004-06-07 delivers a number of security enhancements and is recommended for all Macintosh users. The purpose of this update is to increase security by alerting you when opening an application for the first time via document mappings or a web address (URL). Please see this article for more details, including a description of the new alert dialog box.

Versions: Security Update 2004-06-07 is available for the following system versions:
- Mac OS X v10.3.4 "Panther"
- Mac OS X Server v10.3.4 "Panther"
- Mac OS X v10.2.8 "Jaguar"
- Mac OS X Server v10.2.8 "Jaguar"

Component: LaunchServices
CVE-ID: CAN-2004-0538
Impact: LaunchServices automatically registers applications, which could be used to cause the system to run unexpected applications.
Discussion: LaunchServices is a system component that discovers and opens applications. This system component has been modified to only open applications that have previously been explicitly run on the system. Attempts to run an application that has not previously been explicitly run will result in a user alert. Further information is available in this article.

Component: DiskImageMounter
CVE-ID: No CVE ID has been reserved as this is only an additional preventative measure.
Impact: The disk:// URI type mounts an anonymous remote file system using the http protocol.
Discussion: The registration of the disk:// URI type is removed from the system as a preventative measure against attempts to automatically mount remote disk image file systems.

Component: Safari
CVE-ID: CAN-2004-0539
Impact: The "Show in Finder" button would open certain downloaded files, in some cases executing downloaded applications.
Discussion: The "Show in Finder" button will now reveal files in a Finder window and will no longer attempt to open them. This modification is only available for Mac OS X v10.3.4 "Panther" and Mac OS X Server v10.3.4 "Panther" systems as the issue does not apply to Mac OS X v10.2.8 "Jaguar" or Mac OS X Server v10.2.8 "Jaguar".

Component: Terminal
CVE-ID: Not applicable
Impact: Attempts to use a telnet:// URI with an alternate port number fail.
Discussion: A modification has been made to allow the specification of an alternate port number in a telnet:// URI. This restores functionality that was removed with the recent fix for CAN-2004-0485.

------------

About Security Update 2004-06-07

Security Update 2004-06-07 increases security when automatically opening an application for the first time.

An application may be automatically opened two ways: either by opening a document that is associated with the application or by clicking a link (URL) in a web page or document.

Opening an application manually or automatically

You can manually open an application, such as by clicking its icon in the Dock; or the application may open automatically, such as when you click a link or open a document that is associated with the application.

For example: You open Safari manually if you double-click its icon in the Applications folder or single-click its icon in the Dock. But Safari will open automatically if you open a document such as "mypage.html", or click an "http://" link that's in a document.

How does Mac OS X know which application to open automatically?

This is done by association (or "mapping"). Mac OS X associates each major type of document (such as text, pictures, movies, and web pages) and each major type of link (such as "http://") with a particular application. When you open a document or click a link, it automatically opens in the associated application. If you encounter a document or link type that is not associated with an application that you have, then Mac OS X will ask you to choose which application to open it with. In the example, web pages (.html) and web links ("http://") are both associated with Safari by default.

Tip: You can change the application associated with a type of document in the Info window. In some cases you can use application preferences, such as the Default Web Browser preference in Safari.

A warning for new applications

When you open an application manually, you are making an explicit choice to do so. But when you open a document, it may not be clear which application will be used. If you click an untrustworthy link, it may try to automatically open a downloaded application designed to cause harm to the system. The feature provided by Security Update 2004-06-07 will alert you if an application that is being automatically opened has not previously been opened, either manually or by consent to this warning dialog:



You can either open the application or cancel the attempt, which is appropriate if you don't recognize or trust the application.

Once an application has been opened, this message will not appear again for that particular application.

Applications included with your computer are considered "trusted" and will not trigger the warning panel.
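
The alert behaviour described in the article text above, as an added example that is not part of the original post and is not Apple's code. It is a toy model: the class and method names and the sample application names are assumptions, and trust is keyed by application name only because the page does not say how the real component identifies an application.

```python
from enum import Enum

class Decision(Enum):
    OPENED = "opened without an alert"
    ALERT_ACCEPTED = "alert shown, user chose to open"
    ALERT_CANCELLED = "alert shown, user cancelled"
    CHOOSE_APP = "no mapping, user is asked to pick an application"

class FirstLaunchPolicy:
    """Toy model of the behaviour in the advisory text, not Apple's code."""

    def __init__(self, bundled_apps):
        # Assumption: trust is keyed by application name; the page does not
        # say how the real component identifies an application.
        self.trusted = set(bundled_apps)   # apps included with the computer
        self.mappings = {}                 # document type or URL scheme -> app

    def register(self, key, app):
        # A mapping alone never makes an application trusted.
        self.mappings[key] = app

    def open_manually(self, app):
        # Explicit user choice: no alert, and the app now counts as opened.
        self.trusted.add(app)
        return Decision.OPENED

    def open_via_mapping(self, key, user_accepts):
        app = self.mappings.get(key)
        if app is None:
            return Decision.CHOOSE_APP
        if app in self.trusted:
            return Decision.OPENED
        if user_accepts:
            self.trusted.add(app)          # consent is remembered for this app
            return Decision.ALERT_ACCEPTED
        return Decision.ALERT_CANCELLED

def demo():
    # Constructed sample: one bundled app, one downloaded app with a mapping.
    policy = FirstLaunchPolicy(bundled_apps={"Safari.app"})
    policy.register("http", "Safari.app")
    policy.register(".xyz", "Downloaded.app")
    return [
        policy.open_via_mapping("http", user_accepts=False),
        policy.open_via_mapping(".xyz", user_accepts=False),
        policy.open_via_mapping(".xyz", user_accepts=False),
        policy.open_via_mapping(".xyz", user_accepts=True),
        policy.open_via_mapping(".xyz", user_accepts=False),
        policy.open_via_mapping(".abc", user_accepts=False),
    ]
```

In the model a cancelled alert leaves the application untrusted, so the alert repeats; a single acceptance silences it for that application from then on.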
     
mitchell_pgh
Posting Junkie
Join Date: Feb 2000
Location: Washington, DC
Jun 7, 2004, 10:44 PM
 
Looks to address most issues, but many users will still click OK. The only 100% safe way is to disable the feature altogether.
     
gorickey
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Jun 7, 2004, 11:03 PM
 
Originally posted by mitchell_pgh:
Looks to address most issues, but many users will still click OK. The only 100% safe way is to disable the feature altogether.
That's fine, at least it would be the USERS' fault and they can't blame Apple...
     
VValdo
Dedicated MacNNer
Join Date: May 2001
Jun 8, 2004, 01:57 AM
 
Applications included with your computer are considered "trusted" and will not trigger the warning panel.
I wonder how it knows what applications are included with your computer and whether or not they can be spoofed by being (1) overwritten or modified (is there any way to do this when the app is mounted into /Volumes?) or (2) superseded via a "newer" version as described in the badapp's Info.plist file?

Is there a checksum done of the application, I wonder.. hmm. If so, where is that stored?

Just thinking of ways to get around this...

W
     
Developer
Addicted to MacNN
Join Date: Apr 2001
Location: europe
Jun 8, 2004, 04:03 AM
 
Originally posted by VValdo:
I wonder how it knows what applications are included with your computer?
It could be that that's simply applications that are installed in the Applications and System folder.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Jun 8, 2004, 06:20 AM
 
Originally posted by VValdo:
I wonder how it knows what applications are included with your computer
Well, the company that makes your computer is the same one that makes the OS, so I imagine they'd know.

Originally posted by VValdo:
and whether or not they can be spoofed by being (1) overwritten or modified (is there any way to do this when the app is mounted into /Volumes?) or (2) superseded via a "newer" version as described in the badapp's Info.plist file?
1. Assuming you mean "when a disk image is mounted in /Volumes" - there's nothing it could realistically do that would replace or modify something in your /Applications folder. If there were such a way, that would be an entirely different security risk altogether.
2. The OS doesn't poke around all through the hard drive in order to find the newest version of your apps. It keeps opening the same old version until you replace it. Or at least that's how it's always worked for me - is yours behaving differently?
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
OSX Abuser
Mac Enthusiast
Join Date: Jul 2001
Location: Silicon Valley
Jun 8, 2004, 08:26 AM
 
Has this update 'hosed' any systems?
Reality is the playground of the unimaginative
     
gorickey
Posting Junkie
Join Date: Nov 2001
Location: Retired.
Jun 8, 2004, 08:33 AM
 
Originally posted by OSX Abuser:
Has this update 'hosed' any systems?
Nope.

Not a single Mac in this world has had any problem with this update...
     
nredman
Addicted to MacNN
Join Date: Jul 2002
Location: Minnesota - Twins Territory
Jun 8, 2004, 05:42 PM
 
Originally posted by OSX Abuser:
Has this update 'hosed' any systems?

hosed, hos·ing, hos·es
To water, drench, or wash with a hose: hosed down the deck; hosed off the dog.

No, I don't think so.

"I'm for anything that gets you through the night, be it prayer, tranquilizers, or a bottle of Jack Daniel's."
     
hudson1
Dedicated MacNNer
Join Date: Aug 2002
Jun 9, 2004, 11:56 AM
 
Does anyone know if there's any way to "reset" the trusted list in Launch Services? Or, in other words, to clean out the trusted list so formerly trusted apps would cause a new warning box to appear (with reregistration of apps declared by the user as trusted).
     
das
Fresh-Faced Recruit
Join Date: Jan 2001
Location: Madison, WI, USA
Jun 9, 2004, 12:11 PM
 
Yes. A couple methods are outlined at http://test.doit.wisc.edu/
     
milhouse
Senior User
Join Date: Jan 2001
Jun 10, 2004, 05:50 AM
 
Originally posted by OSX Abuser:
Has this update 'hosed' any systems?
I can no longer connect to my router for administration via the browser interface since the update. There's a blurb on it over at xlr8yourmac.com.
"-Dodge This"
     
hudson1
Dedicated MacNNer
Join Date: Aug 2002
Jun 10, 2004, 06:48 AM
 
Originally posted by milhouse:
I can no longer connect to my router for administration via the browser interface since the update. There's a blurb on it over at xlr8yourmac.com.
No problems here accessing my D-Link 614+ with Safari and Camino.
     
boomer0127
Fresh-Faced Recruit
Join Date: Jan 2004
Jun 10, 2004, 09:13 AM
 
Originally posted by OSX Abuser:
Has this update 'hosed' any systems?
Most of my users had no problems with this security update. I pseudo-support (I don't get paid to support) about 30 users in a virology lab. Three users came to me on the 8th with their laptops frozen at "Waiting for Apple File Service", the last thing before the login window appears. After further review, these folks had not repaired their permissions prior to the update. They have no idea what a permission is. All attempts to restore the OS (repair permissions, fsck, diskwarrior, PRAM, NVRAM, etc.) failed. All three had to be archived, installed and brought to 10.3.4 with all the updates.

I really wish Apple would suggest permissions repairs prior to any system or security updates that come through the software update panel. At least the non-savvy might ask someone more savvy before proceeding. I lost 3 hours of my day to these folks. I am considering turning off the auto-check for software updates on all of their machines. But then there will be many folks that are "exploitable" because they will fall through the cracks and not ever get updated.

Aaaargh.
     
ryju
Professional Poster
Join Date: Aug 2002
Jun 10, 2004, 09:58 AM
 
Oh no, I'm not losing my 14 day uptime for this! I'm gonna wait it out and go down with the ship.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
Jun 10, 2004, 01:46 PM
 
Originally posted by boomer0127:
Most of my users had no problems with this security update. I pseudo-support (I don't get paid to support) about 30 users in a virology lab. Three users came to me on the 8th with their laptops frozen at "Waiting for Apple File Service", the last thing before the login window appears. After further review, these folks had not repaired their permissions prior to the update. They have no idea what a permission is. All attempts to restore the OS (repair permissions, fsck, diskwarrior, PRAM, NVRAM, etc.) failed. All three had to be archived, installed and brought to 10.3.4 with all the updates.

I really wish Apple would suggest permissions repairs prior to any system or security updates that come through the software update panel. At least the non-savvy might ask someone more savvy before proceeding. I lost 3 hours of my day to these folks. I am considering turning off the auto-check for software updates on all of their machines. But then there will be many folks that are "exploitable" because they will fall through the cracks and not ever get updated.

Aaaargh.
Why do you assume permissions were the problem? Software Update authenticates to install this update, so it's running as root and as such does not care what the existing permissions are on the disk. If the permissions were wrong after installing the update, yes, that could theoretically cause problems, but they would go away after repairing permissions on the drive, which you have already said did not work. So really, I doubt that permissions had anything to do with this.

My guess would be that something probably went wrong and interrupted the software update, causing either incomplete system files to be on the disk, or prebinding information to get messed up. For the latter, all you have to do is boot into single-user mode and type these commands:

fsck
mount -uw /
update_prebinding -root / -force
reboot

If there are incomplete system files on the disk, just re-running the security update package on the hard drive usually fixes that (sometimes this nails the prebinding problem if that's an issue, as well).

All in all, I would not disable automatic software update on people's machines! You are doing them a disservice if you do so by leaving their machines vulnerable. Imagine if Windows admins felt this way, the chaos that would result (well, the chaos already does happen, but mostly due to people not checking Windows Update out of ignorance rather than by design).

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
   
 
All times are GMT -4.
All contents of these forums © 1995-2017 MacNN. All rights reserved.