Posted on 05/19/2004 7:44:01 AM PDT by HAL9000
A Secunia advisory on the Mac OS X Help vulnerability rates the problem "extremely critical":
Two vulnerabilities have been reported in Mac OS X, allowing malicious web sites to compromise a vulnerable system.
Various variants of the URI handler vulnerabilities are currently being discussed.
- The problem is that the "help" URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using "help:runscript".
- It is reportedly also possible to silently place arbitrary files in a known location, including script files, on a user's system using the "disk" URI handler.
This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2. Other browsers may also be used as attack vectors.
NOTE: The rating has been upgraded to "Extremely Critical" because the issues are very easy to exploit and a large number of working exploits are available.
Solution: There is no efficient solution. Mitigating actions include:
- Do not visit untrusted web sites.
- Rename all URI handlers which are not required.
- Do not surf the Internet as a privileged user.
Nick Fisher pointed out a patch for one exploit that has been posted:
A non-Apple patch for the Safari flaw can be found at http://isophonic.net/ (but I think I'll wait for the official patch from Apple).
Other readers offered workarounds for the problem:
[Michele Fuortes] There seems to be a very easy (albeit temporary) fix to the help:runscript vulnerability. By using the MoreInternet control panel (freeware) you can change the handler for the 'help' protocol to an application different from the Help Viewer. I changed it to the Finder and after a logout the exploit does not work anymore, it just switches you to the Finder. It seems a very simple solution.
[Tracy Valleau] Here's a quick and harmless (read: reversible) fix for the help autolaunch vulnerability:
- First, make a Backup copy of /Library/Documentation/Help/MacHelp.help.
- Next do a show contents on the original, and find: Contents/Resources/English.lproj/shrd/OpnApp.scpt
- Make the change as shown below (adding the two dashes in front of "open file completeParam of the startup disk"). (This comments out that line of code, so it won't run.)
    on «event helphdhp» (completeParam)
        -- localizable text
        set cancelBtn to "Cancel"
        set errorText to "The item cannot be opened. It may be disabled or not installed."
        --end localizable text
        try
            tell application "Finder"
                -- open file completeParam of the startup disk
            end tell
        on error errMsg number errNum
            display dialog errorText buttons {cancelBtn} default button 1 with icon 0
            return
        end try
    end «event helphdhp»

After doing this, the help file will still run, but will not be able to "open xyz for me".
- Save the file.
- Remove all your foreign language versions of the same help file (at the Resources level).
Later on, you can replace your patched copy with the backup copy of MacHelp.help you made in step one, and apply Apple's (forthcoming) fix to it. Meanwhile, you'll be safe from that exploit.
Be cautious about downloading ".dmg" disk image files until then.
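A defender-side check for the two handlers the advisory names, as an added example that is not part of the original post or the Secunia advisory: it scans HTML (for instance at a filtering proxy or mail gateway) for URL-bearing attributes that use the help or disk scheme and notes runscript, traversal sequences and .scpt targets. The attribute list, function names and the sample page with its hosts and paths are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

RISKY_SCHEMES = {"help", "disk"}  # the two URI handlers named in the advisory
URL_ATTRS = {"href", "src", "data", "action", "content"}  # "content" covers meta refresh
SCHEME_RE = re.compile(r"(?:^|url\s*=\s*)([a-z][a-z0-9+.\-]*):(.*)", re.I | re.S)

class _UrlCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        self.urls += [v for k, v in attrs if k in URL_ATTRS and v]

def _decode(value, rounds=3):
    # Percent-decode repeatedly so %2e%2e%2f and double encoding are normalised.
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(url):
    """Return the reasons a URL is suspicious (empty list if none)."""
    match = SCHEME_RE.search(_decode(url.strip()))
    if not match or match.group(1).lower() not in RISKY_SCHEMES:
        return []
    scheme, rest = match.group(1).lower(), match.group(2).lower()
    reasons = [f"{scheme}: handler"]
    if scheme == "help" and "runscript" in rest:
        reasons.append("runscript")
    if "../" in rest or "..\\" in rest:
        reasons.append("directory traversal")
    if ".scpt" in rest:
        reasons.append(".scpt target")
    return reasons

def scan_html(html):
    """Return [(url, reasons)] for every URL-bearing attribute that is flagged."""
    collector = _UrlCollector()
    collector.feed(html)
    return [(u, r) for u in collector.urls if (r := classify(u))]

# Constructed sample page; hosts and paths are placeholders.
SAMPLE_HTML = """
<a href="https://example.com/docs">docs</a>
<meta http-equiv="refresh" content="0;url=disk://files.example.invalid/image.dmg">
<iframe src="help:runscript=%2e%2e/%2e%2e/PLACEHOLDER/example.scpt"></iframe>
"""
```

Calling scan_html(SAMPLE_HTML) skips the ordinary https link and reports the meta refresh and the iframe, the latter with all four reasons.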
Wow, they only need 11 more "critical patches" to catch up to Windows this year.
I thought Macs were immune from these sorts of things.
lol.
Apple really did a braindead move on this one.
A_R
On Windows, this sort of vulnerability could easily wipe out everything.
More importantly, there aren't any worms or self-propagating viruses for Mac OS X yet.
Having said that, I use Linux often and wish I had a Mac. Both are great but I'm not going to be lulled into a false sense of security that they're somehow immune to viruses and other nasties.
I use both Windows and Mac machines and the time, money and worry spent on security for the Mac is several orders of magnitude less than the Mac.
Every 'puter needs care, but if I were recommending one for internet use for my mother, g'ma or kids, anyone not technically inclined, it'd be an easy choice: Mac.
Repeat after me: "My Mac is impervious to security attacks. Only Windows users have those kinds of problems. I'm too busy enjoying my Mac lifestyle to worry about such things. Don't you think my Mac coordinates nicely with my plastic furniture and goatee?"
What goatee? I only have an occasional five-o'clock shadow.
There might be some plastic in my Herman-Miller Aeron chair.
Very true. I get the feeling somebody in Cupertino will be looking for a new job shortly. This should have gotten caught in even the most basic security audit.
Not quite. It could do some damage but such sweeping commands would require root access. This cannot activate root. It could damage or erase only files in the users home folder.
I have a separate administrator account I only log in for maintenance and software installation so that, applications, and system files would be ok. But I still wouldn't want to lose all my user files. And I've been a bad boy about not backing up even though I have a DVD-RAM drive and all.<--my fault
Sorry, I didn't read your whole post. You already mentioned that.
But if my user directory is zapped who's going to replace my 4.5 min video of a friend on the night that he discovered
although it sometimes (when you're drunk) seems like it would be a good idea to try to "mud-ski" by lassoing up to a large pig and yelling "GO PIG!!!!!" the truth is much, much more entertaining