virividox said:
still not really worried; I don't go downloading random dmg files anyway

This is 2004. If someone wants you to download something, all you have to do is navigate to the appropriate page, and the download can start without you explicitly clicking on it.
 
Spades said:
/System/Library/CoreServices/Help Viewer

Thank you so much! Typing that into the Finder search box does not find that file (at least on my box), so thanks for pointing me to it.
 
Skiniftz said:
Still may not be so bad, however considering that many Mac users have a blank password on an administrative user (this is the DEFAULT setup behaviour in OSX) then this is a serious problem.

Uh, no? Last time I did a fresh install (panther, back when it first came out), it asked me for an administrative password, and if I tried to make it blank it told me that wasn't a wise idea (but it would let me do it anyway after making sure I was sure that was what I wanted to do) ;)
 
Sailfish said:
If you want to see something scary, download Little Snitch and watch as Apple's Address Book makes an outgoing connection.

Now WTF is up with that?

LS didn't alert me of anything when I used Address Book. Maybe you were using a feature that needed to make a connection somewhere. :confused:
 
Welcome to the waters, avoid the kool-aid.....

ERayFree said:
Forgive me for the semi-trolling rant but...

As for me, I'm going to buy the Norton Anti-virus for my G5, encrypt my personal data and back it up regularly... just like I do with all my computers, just in case. All it takes is for one creative person to come up with that one nifty worm to ruin your day.


That's not really trolling IMHO. Though for a bit of advice, avoid anything by Symantec; Norton's hosed my system methodically and periodically every time I tried to use that line of products (and I've read those novels they call manuals). I back up my system and my fiancee's regularly (every other month), I run Virex before each back up, read my Logs on a biweekly basis, and have not suffered a problem since 10.1 (other than Norton experiments). Enjoy your new Mac, and let me know about the G5's (all I hear are problems people want fixed 'cause it's what I like to do as a hobby).
 
well said JFreak. stupid things do happen to stupid people. :D which means i've got nothing to worry about. :p but i wonder what happens to over-confident or complacent people? :eek: ;) :p
 
Just to put this in perspective...

Mac OSX may have a few "vulnerabilities", but none of these are true viruses or worms. I've used the Mac platform for well over 10 years, and I've never been infected.

OTOH, viruses and worms have been a real nightmare on the PCs I administer at work. In fact, we've had so many problems with viruses and anti-virus software in general that I'm slowly upgrading our machines to Macs.

Really, I don't understand why any MIS/IT person wouldn't seriously consider Macs these days. I guess job security is one possibility, but I've got better things to do than reboot crashed machines and reinstall operating systems trashed by Norton...
 
Skiniftz said:
You don't call the ability to run a rm -Rf / on your Mac critical??

No more than you being able to put an icon on a batch file and delete your My Documents folder on Windows.

That is not a vulnerability, it's an idiot trap. Anyone that downloads a program off the internet from a questionable source such as Limewire and runs it and loses their home directory is a dingbat and deserves it.

You can do the exact same thing in Windows. You just have it del %allusersprofile%\*.* /FSQ and it'll nuke your entire start menu. Or you could do the same thing to %windir% and it'll start nuking the OS until it hits an open file or two, but the damage is done.
 
Zardoz said:
The correct command is rm -rf ~, smartass.

Actually, either are ok. / would do more damage in all likelihood. ~ is your home directory. / is root and on my computer I have a directory named "Volumes" in which my other volumes are located. So with / even they are not safe. -r is recursive, -f is force (e.g. just do it).
 
Apple Hobo said:
LS didn't alert me of anything when I used Address Book. Maybe you were using a feature that needed to make a connection somewhere. :confused:

I can tell you exactly what is going on here. If you add any contacts to your Address Book that have an @mac.com email address or instant message handle, and you do not set a default picture for them, Address Book will connect to homepage.mac.com via HTTP and attempt to fetch their profile picture for you.

There is no giant conspiracy going on here. There is no big brother. Address Book is simply being intelligent about Mac.com entries, and it knows that if someone has an @mac.com email handle, they have a Mac.com account. Missing information about them can be automatically fetched from homepage.mac.com, provided it is available.
 
PolarbearTed said:
Well judging from the article it's quite recent,
First thing you should probably do is go into Safari's preferences and uncheck the "Open Safe files after downloading" check box.

Just three points and a suggestion: ;-)
1. Apple was notified (according to the original description) on 23/02/04, so it isn't "quite recent." It is *just* quite recent that it was publicized. If they'd just found out about it, I'd agree with the point.

2. "Open Safe files" isn't enough! That won't stop many of the methods of using the exploit.

3. The reason why this isn't just "user stupidity" is that with URL spoofing you can trick someone into going to an incorrect URL and downloading the wrong file. Suppose VersionTracker was hacked, sending you the wrong URL.
Likewise, who is trusted? Only Apple? Microsoft too? Adobe? Someone here posted this link: http://www.monkeyfood.com/software/MoreInternet/ I've never heard of it before. Is it a trusted source? Not to me because I don't know who they are. Probably it is, but there is no way to verify it without clicking the download dmg button. Who wants to download the DMG and find out? And if you did it, do I trust you that you actually did it?

A solution (and what I think is perhaps a good one) is to run Help Viewer (or any of the applications that are vulnerable) at a different set of permissions. e.g. It would run them as a different user with no permissions to write (and consequently delete) in any directory, and only read in, say, a particular directory (to avoid looking for personal information to email). This would be a change Apple would need to make, but it would be one solution that would hardly alter the user's experience.
 
nagromme said:
No. But at least Apple's issues are fewer, and patched quicker, than in Windows.

Besides, this issue may not even be real. I'm just now trying the demonstration and it doesn

Quicker?? Apple was notified of this in February. We've had two security updates since then and neither has addressed it. I don't think they've addressed the problem with AFP either.
 
dontmatter said:
I thought I didn't buy windows.... :mad:

oh please. Of all the things that have happened to Windows over the last six months, compared to two non-propagating trojans (one of which is even debatable whether it's a 'trojan' or not) this is chump change.

Mac OS X doesn't get hacked & crashed the instant you plug it into a network connection with more than 20 people on it.

Mac OS X doesn't propagate a trojan to everyone in god just by reading an email.

Both of these trojans require user interaction to get started, and neither of them propagate.

And even if they did, that's the first virus in what, 5 years? 10 years?
 
FWIW, this is how this thing works:

A user is directed to a page that does two things: (1) Downloads a disk image to the user's computer which will hopefully be automounted, and (2) redirects the page to the URL "help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt" with the argument "string='Volumes:0x04_script:0x04_script.term'"

What this does is instruct the Help Viewer application to send the «event helphdhp» AppleEvent to a script file located at a path relative to /Library/Documentation/Help/. If the script file does not respond to this Apple Event, nothing will happen. You cannot use this method to directly execute non-compiled AppleScript, binary executables, or AppleScript which is inline with the URL. You have to find a script which responds to «event helphdhp». I imagine that there are not a whole lot of these scripts save for the two bundled with the Help Viewer application itself: OpnApp.scpt and opnbndsig.scpt. It is an unfortunate thing that both of these scripts accept a single argument, and then instruct the Finder to open that argument.

This basically means that you can get the Finder to open any file if you have the path to it. If you want to execute your own code, you have to have it downloaded to a known path first. This is where the disk images come in. When a disk image mounts, it is placed at a known path: /Volumes/[imagename].

- You cannot execute any script on the system with this. Only scripts which respond to the «event helphdhp» AppleEvent can be run.
- You cannot execute inline or non-compiled AppleScript with this. Scripts must be compiled, and must already exist on the victim's machine.
- You cannot execute shell commands with arguments unless you package it all into a .command file and have it downloaded to the victim's computer first.
 
Trekkie said:
two non-propagating trojans (one of which is even debatable whether it's a 'trojan' or not) this is chump change.

The problem is that this could easily be made into a propagating problem combine *with* some of the other vulnerabilities out there.

Here is a question: You get a small DMG from a friend who is in your address book. You presumably trust them. The email says, "I found this great utility to control your internet preferences, to avoid a trojan that hijacks your help viewer. This was just announced today, see <inforword article or whatever>." What do you do? 90% of the people will click it.

What happens to you? It is the trojan itself. Instead of the email, it is the trojan mailing itself out to everyone in your address book - something that can EASILY do that. Then it can easily do an rm -rf /.

Or it tries to start up the remote desktop self-start (from the command line there is a command for it).

Or it uses the command line to open up a small additional application on the disk image which can do more.

Or it uses wget (or similar) to download and start something at the command line.

Additional possibilities depending on what it does above and what is on your system:
Or it can open up ports on your firewall or just turn it off.

Or it can install a key stroke recorder and periodically send out "interesting" keystrokes (e.g. anything typed will connected using an SSL connection).

Or it can say "Disk Utility needs your admin password to mount this signed image"? Most people would type it in because OS X has us (I might do it) conditioned to do so. Then it could email (or send via TCP without using your mail program) the admin plus your IP somewhere.

Or it can install a background application to listen on a particular port while re-configuring your firewall to allow that port to be open.

Or it can email documents in your "Documents" folder somewhere. (e.g. just email files < 5K in size. What kind of info is in those files?)

Just because the demo is non-malicious and doesn't exploit all the possibilities doesn't mean they are not there. There are tons more things it could do, from the really subtle so you would never know it to the really damaging and everything in between.

There are enough vulnerabilities out there that it could be done. Worms are easy to write. Viruses are too. Trojans are too. Someone with a good knowledge of Unix could write one to take advantage of 8 to 10 of the most common open vulnerabilities and it would be a huge problem.

Someone who wrote one that exploited 8-10 Unix problems (including Mac and Linux) *and* 8-10 Windows problems would cause complete havoc because there wouldn't be only one method of propagation to stop, there would be multiple routes to infection for just about all of the machines on the net. And if Unix machines are infected, Windows are, and Macs are (and perhaps Cisco router vulnerabilities), how the heck will people get updates to fix them? CD? It could be done and it will be done, it is just a question of when. Up until now you've had amateurs doing it, script kiddies etc.

Hopefully it will remain that way, but I believe at some point there will be someone who decides to exploit many (not just 1 or 2) problems at once, who doesn't make stupid programming errors (e.g. like the Morris Worm or many others), who is based where they don't care (e.g. North Korea or some small, but big-time criminal organization or terrorists) and has a specific malignant purpose. Then many billions of hours of work will be lost or stolen.
 
ElectricSheep said:
FWIW, this is how this thing works:
- You cannot execute shell commands with arguments unless you package it all into a .command file and have it downloaded to the victim's computer first.

Good description, thanks!

What about if the .command file is on the disk image you just downloaded and auto-mounted? To me it seems like that would be enough because you'd know the path, as you said.
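An added example, not code from ElectricSheep's post, from the follow-up above, or from Apple, that turns the description into working detection logic: it pulls help: URLs out of a page, %-decodes them, checks whether runscript= points at one of the two opener scripts named above (OpnApp.scpt, opnbndsig.scpt), converts the colon-separated HFS argument into the POSIX path the Finder would open, and rates the request high when that path sits under /Volumes (an auto-mounted image) or ends in a launchable extension such as .command, which is exactly the case the question above asks about. The sample page, the list of risky extensions, and the assumption that the argument arrives as a whitespace-separated string='...' field inside a double-quoted HTML attribute are constructed for this example.

```python
import re
from urllib.parse import unquote

# Help Viewer's own scripts that, per the post, answer the helphdhp
# AppleEvent and hand their single argument to the Finder to open.
OPENER_SCRIPTS = ("OpnApp.scpt", "opnbndsig.scpt")
# Extensions the Finder would "open" by launching (assumption for the
# example; the demo used a .term file, the follow-up asks about .command).
RISKY_SUFFIXES = (".command", ".term", ".app", ".scpt", ".pkg")

# A help: URL inside a double-quoted HTML attribute: run to the closing
# quote so a literal space before string= is kept (assumption: the
# page's attributes are double-quoted, as in the constructed sample).
HELP_URL_RE = re.compile(r'help:[^"<>\r\n]+', re.IGNORECASE)


def parse_help_url(url):
    """Split a help: URL into its key=value fields after %-decoding.

    Returns None when the URL is not a runscript= request (e.g. an
    ordinary help:anchor= link)."""
    decoded = unquote(url)
    if not decoded.lower().startswith("help:"):
        return None
    body = decoded[len("help:"):]
    pairs = re.findall(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""", body)
    fields = {key.lower(): value.strip("'\"") for key, value in pairs}
    return fields if "runscript" in fields else None


def hfs_to_posix(hfs_path):
    """Map a colon-separated HFS path such as 'Volumes:img:x.term' to
    the POSIX path the Finder will open ('/Volumes/img/x.term').

    Assumes the path is rooted at / like the demo's; a leading colon
    marks a relative HFS path, which is rejected (returns None)."""
    if not hfs_path or hfs_path.startswith(":"):
        return None
    return "/" + "/".join(part for part in hfs_path.split(":") if part)


def assess(fields):
    """Rate one parsed runscript= request.

    Returns (severity, target_posix_path_or_None, reason)."""
    script = fields["runscript"].rsplit("/", 1)[-1]
    if script not in OPENER_SCRIPTS:
        return ("low", None, "runscript target is not a known Finder-open helper")
    target = hfs_to_posix(fields.get("string", ""))
    if target is None:
        return ("medium", None, "opener script invoked without a usable path")
    if target.startswith("/Volumes/"):
        return ("high", target, "opens a file on a mounted volume (auto-mounted disk image)")
    if target.lower().endswith(RISKY_SUFFIXES):
        return ("high", target, "opens a launchable file type")
    return ("medium", target, "Finder open of an arbitrary local path")


def scan_html(html):
    """Return a list of findings for every help:runscript= URL in a page."""
    findings = []
    for match in HELP_URL_RE.finditer(html):
        fields = parse_help_url(match.group(0))
        if fields is None:
            continue
        severity, target, reason = assess(fields)
        findings.append({"url": match.group(0), "script": fields["runscript"],
                         "target": target, "severity": severity, "reason": reason})
    return findings


# Constructed sample page: a meta refresh in the shape the post
# describes, one harmless help: link, one .command on a mounted image,
# and one runscript= aimed at a script that is not an opener.
SAMPLE_PAGE = """<html><head>
<meta http-equiv="refresh" content="0; url=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt%20string='Volumes:0x04_script:0x04_script.term'">
</head><body>
<a href="help:anchor=access">ordinary help link</a>
<a href="help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/opnbndsig.scpt string='Volumes:demo:demo.command'">x</a>
<a href="help:runscript=Other.help/Contents/Resources/noop.scpt string='Volumes:demo:readme.txt'">y</a>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE):
        print(finding["severity"].upper(), finding["target"], "-", finding["reason"])
```

Run it as a script to see the three findings for the constructed page, or hand scan_html() the body of a saved page or a proxy log entry. The low rating for a runscript= aimed at some other script reflects the post's point that only scripts answering «event helphdhp» do anything; it is still worth a look, since nothing stops a page from probing for more such scripts.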
 
There is a clear difference between a remote exploit and protecting users from their own stupidity. How do you propose to go about protecting people from their own misinformed behavior?

Don't run code that you didn't ask to have sent to you via email attachment. Don't leave your luggage unattended for any length of time at the airport. Don't use plugged-in electronic devices when in the bathtub.

Computers have gotten to be some pretty complicated machines. Given the connectivity that intra/internetworking provides these days, the consequences of your own stupid actions aren't limited to yourself anymore. Other people on the same network have to suffer with you.

Instead of bending over backwards to protect people from themselves, the University I attend has shifted the responsibility to the user. If you want to join the campus network, then you must complete a competency test. You must demonstrate that you have at least some idea of what you are doing before being connected to everyone else on campus. It makes perfect sense, and we do the same thing to people who want to go out and drive a car on public roads.
 
ElectricSheep said:
There is a clear difference between a remote exploit and protecting users from their own stupidity. How do you propose to go about protecting people from their own misinformed behavior?

Don't run code that you didn't ask to have sent to you via email attachment. Don't leave your luggage unattended for any length of time at the airport. Don't use plugged-in electronic devices when in the bathtub.

Well, now add to that list:

"Never browse a webpage without having read its source code."

Because that's all it takes to fall victim to a potential exploit of this vulnerability. No "click to download" step is necessary.

(Of course, I don't know many browsers that will allow you to view a page's source without first viewing the page itself.. so...)
 
For those people who say that only stupid people would open .dmg files from emails, blah blah blah, I have one question for you: What does being stupid or smart have anything to do with it? Personally, I believe that if you believe the above to be true, you are an idiot in every sense of the word. My stepfather is probably smarter than 95% of you, but he really doesn't know much about computers. Email, some gardening websites, Word, Internet Explorer ( :rolleyes: ), and he's happy about everything. Mp3...what's that? He really doesn't care about "trying out the latest thing."

My mom doesn't know how to turn a computer on, but she's not stupid either. According to her, "I can't find the button on the computer that says "ON/OFF", so I didn't touch anything in case I pressed something that I shouldn't have." Sounds stupid to you, but wait a second....she's right!! There is NO button that says "On/Off". Instead, my PB has a button that has markings of a circle with a vertical line that extends from the centre. My brother's desktop has an even more obscure Power button....

Here's the thing: If you post here, YOU ARE AN INTERNET NERD. Instead of saying that only an idiot would open a .exe or .dmg file attachment, why not just accept the fact that you're a nerd and other people aren't "stupid" just because they take no interest in what you find interesting. ;) Being ignorant about computers isn't stupid. Ignorance and stupidity are different. Other than writing email and Word documents, computers are something that many people don't care about, so they won't read pages like this to find the newest security threats. Gasp!! Can this be true? Oh yes it is, just like you're not good at doing things outside of the internet world, like socializing and understanding differences in experience and knowledge amongst different people, since you don't go out often enough....you sweet nerd, you.

*continues playing Tetris*
 
whooleytoo said:
Well, now add to that list:

"Never browse a webpage without having read its source code."

Because that's all it takes to fall victim to a potential exploit of this vulnerability. No "click to download" step is necessary.

(Of course, I don't know many browsers that will allow you to view a page's source without first viewing the page itself.. so...)

Now I never equated this vulnerability to one side or the other. You are making an assumption.

I'm responding to people crying out for measures to protect the users that open every attachment, run everything they can get their hands on, and enter their password every time it's prompted. Users who click willy-nilly everywhere they can without really knowing what is going on. Before the mass connectivity of the internet, nobody really cared if you couldn't operate a computer or not. Things have changed. Remember what I said about my Uni. Nobody gets on the network unless they can demonstrate some basic understanding of how to operate a computer, and an understanding of the risks that come with being connected to the internet. If you can't do it, you pose a serious risk to not just yourself, but everyone else on the network.

Whose responsibility is it when it comes to these kinds of problems?

Should the companies turn computing into a completely passive experience like watching TV to 'secure' its users, or should more attention be paid into getting users to become familiar with the equipment they just purchased?
 
aethier said:
anyways, most people tend to not exploit OS X security holes, due to the small number of people it would harm; we are deemed as a group not worth the effort of a virus...
You would think some PC Nerd/Anti-Mac Punk would love to make us squirm with a worm.
 
JGowan said:
You would think some PC Nerd/Anti-Mac Punk would love to make us squirm with a worm.
Speaking as a multi-vendor admin I must confess I'm enjoying this exploit; it's nice to see the sneering obnoxious holier-than-thou Mac zealots having their noses rubbed in it for a change :D

What is absolutely HILARIOUS is them all trying to talk it down!

If this were a Microsoft exploit the sky would be falling and those same people would be zealoting (I just made that word up) about how much better the Mac is.

I'm not arguing in the slightest that BSD is inherently more secure than Windows, but there are a lot of drama queens out there.
 