ElectricSheep said:
Now I never equated this vulnerability to one side or the other. You are making an assumption.

Well, this thread is about this vulnerability.. so 'twas a fair assumption.. ;)

ElectricSheep said:
I'm responding to people crying out for measures to protect the users that open every attachment, run everything they can get their hands on, and enter their password every time it's prompted. Users who click willy nilly everywhere they can without really knowing what is going on. Before the mass connectivity of the internet, nobody really cared if you couldn't operate a computer or not. Things have changed. Remember what I said about my Uni. Nobody gets on the network unless they can demonstrate some basic understanding of how to operate a computer, and an understanding of the risks that come with being connected to the internet. If you can't do it, you pose a serious risk to not just yourself, but everyone else on the network.

Perfectly fair, sensible and reasonable steps. But even those won't protect against more subtle exploits.

ElectricSheep said:
Whose responsibility is it when it comes to these kinds of problems?

Should the companies turn computing into a completely passive experience like watching TV to 'secure' its users, or should more attention be paid into getting users to become familiar with the equipment they just purchased?

It's hard to make a generalisation. This specific vulnerability is a bug; allowing a remote site to download and run executables on a remote machine is far, far too easy a route to allow. Exploits of this could catch even experienced users.

Educating users is certainly part of the solution. But if users have to spend a significant portion of the day evaluating the risk in every page they visit, every download they make, every email they open, and downloading security patches and virus definitions, then technology has started to be more of a burden than an enabler. More sophisticated exploits will fool even wary users; technology has to improve as well. Technologies such as the NSA's SE Linux might be an indicator of future trends in this regard.
 
Skiniftz said:
Speaking as a multi-vendor admin I must confess I'm enjoying this exploit; it's nice to see the sneering obnoxious holier-than-thou Mac zealots having their noses rubbed in it for a change :D

What is absolutely HILARIOUS is them all trying to talk it down!

If this were a Microsoft exploit the sky would be falling and those same people would be zealoting (I just made that word up) about how much better the Mac is.

My nose isn't being rubbed in anything. This sort of "vulnerability" is present in any other OS. I could write a script in Windows that starts silently deleting everything on your hard drive in about five minutes and easily convince a computer-illiterate person to click on it. This isn't a virus. It barely fits the description of a trojan. It's not spreadable but by people's ignorance. Apple will close the Help Viewer hole that allows the script to be run and be done with it.

When you work in Linux, it gives you the power to do what you want. I can see where scripting shell commands might be a very useful thing to do. I'm starting to question how useful making scripts auto-executable from the GUI (which have potentially destructive shell commands in them) is, but that's another issue entirely.

--Cless
 
Skiniftz said:
Speaking as a multi-vendor admin I must confess I'm enjoying this exploit; it's nice to see the sneering obnoxious holier-than-thou Mac zealots having their noses rubbed in it for a change :D

What is absolutely HILARIOUS is them all trying to talk it down!

If this were a Microsoft exploit the sky would be falling and those same people would be zealoting (I just made that word up) about how much better the Mac is.

I'm not arguing in the slightest that BSD is inherently more secure than Windows, but there are a lot of drama queens out there.

Speaking as a multi-vendor admin I say anything that has the potential to make my job harder and degrade the productivity of the users I support is a bad thing - regardless of platform.
 
iostream.h said:
We at Isophonic fixed it:

Isophonic

And why might this not be a hoax? I'm kidding you, but just because some of your other software does the job it says it does, can we believe that the link is even to your site? Oh, the paranoia. I just ran Virex for the first time in weeks too.

Oh yes, and a similar thread was deleted by moderators at the apple discussion boards. :confused: Why would that be? There was no conjecture or double guessing about Apple's next greatest invention going on.
 
billyboy said:
And why might this not be a hoax? I'm kidding you, but just because some of your other software does the job it says it does, can we believe that the link is even to your site? Oh, the paranoia. I just ran Virex for the first time in weeks too.

This brings up a good point. I too want to download the "fixes" for this problem, but I am paranoid about doing it now. Until something comes through my Software Update, I am not really sure what to do. How do we know who we can trust anymore?
 
If you are as paranoid as I am, instead of downloading and running an application you don't trust you can always edit the Launch Services preferences plist yourself.

In Jaguar (10.2.8) I added the following to my

~/Library/Preferences/com.apple.LaunchServices.plist


<key>U:help</key>
<array>
<dict>
<key>LSBundleIdentifier</key>
<string>com.adobe.acrobat.reader</string>
<key>LSBundleLocator</key>
<data>
AAAAAADqAAMAAAAAt0av6gAASCsAAAAAAAdaJQAHWhkA
ALmsu7AAAAAAASD//kFQUExDQVJP/////wABABAAB1ol
AAdaIwABTTQAAASwAA4AJgASAEEAYwByAG8AYgBhAHQA
IABSAGUAYQBkAGUAcgAgADUALgAwAA8AGgAMAE0AYQBj
AGkAbgB0AG8AcwBoACAASABEABIARUFwcGxpY2F0aW9u
cy9BY3JvYmF0IFJlYWRlciA1LjAuYXBwL0NvbnRlbnRz
L01hY09TL0Fjcm9iYXQgUmVhZGVyIDUuMAAAEwABLwD/
/wAA
</data>
<key>LSBundleRoleMask</key>
<integer>-1</integer>
<key>LSBundleSignature</key>
<string>CARO</string>
<key>LSBundleVersion</key>
<integer>329215</integer>
</dict>
</array>


So now it will run Adobe Acrobat Reader instead of the Help.app when the help: protocol is invoked.

You probably need to log off and log on again in order to rebuild the ~/Library/Caches/com.apple.LaunchServices.UserCache.csstore


Have fun
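
To check the result of the plist edit described in the post above, the following is an added example, not part of the original post: it reads a LaunchServices preferences file and reports which bundles are registered under the post's `U:<scheme>` keys. The Help Viewer bundle identifier `com.apple.helpviewer` and the `U:ftp` entry are assumptions made for the sample.

```python
import plistlib

# Constructed sample in the shape shown in the post; the LSBundleLocator
# alias data is left out, and the U:ftp entry is invented for illustration.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>U:help</key>
  <array><dict>
    <key>LSBundleIdentifier</key>
    <string>com.adobe.acrobat.reader</string>
    <key>LSBundleRoleMask</key>
    <integer>-1</integer>
  </dict></array>
  <key>U:ftp</key>
  <array><dict>
    <key>LSBundleIdentifier</key>
    <string>org.example.ftpclient</string>
  </dict></array>
</dict>
</plist>
"""


def scheme_overrides(plist_bytes):
    """Map each URL scheme that has a "U:<scheme>" entry to its bundle ids."""
    prefs = plistlib.loads(plist_bytes)
    overrides = {}
    for key, handlers in prefs.items():
        # Only per-scheme entries holding an array of handler dicts matter.
        if not key.startswith("U:") or not isinstance(handlers, list):
            continue
        ids = [h.get("LSBundleIdentifier") for h in handlers if isinstance(h, dict)]
        overrides[key[2:]] = [i for i in ids if i]
    return overrides


def help_is_remapped(plist_bytes, default_handler="com.apple.helpviewer"):
    """True when help: has a user override that is not the default handler.

    default_handler is an assumption (the Help Viewer bundle id).
    """
    handlers = scheme_overrides(plist_bytes).get("help", [])
    return bool(handlers) and default_handler not in handlers


if __name__ == "__main__":
    print(scheme_overrides(SAMPLE_PLIST), help_is_remapped(SAMPLE_PLIST))
```
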
 
I can vouch for the patch. I only downloaded it because it can be found at Macupdate. Since most of you will be paranoid about clicking on any link I post here, go to Macupdate and check it out yourself. The software is called Don't go there GURLfriend and can be found in the "weekly popular" section of Mac OS X. I installed it and then tried running the exploit that was mentioned at the beginning of this thread. The help viewer app opened, but nothing else happened. No messages of my system being compromised were displayed (as the script is meant to do).
 
Rower_CPU said:
Speaking as a multi-vendor admin I say anything that has the potential to make my job harder and degrade the productivity of the users I support is a bad thing - regardless of platform.
On a professional level, I agree with you wholeheartedly.

On a personal level it's nice to be able to demonstrate to the blind zealots who INSIST that the Mac is invulnerable, that yes, it can, and does, have its flaws, and those can be exploited just like any other system.
 
I have a "better" fix than the one isotonic did.

http://users.adelphia.net/~lively/fixbug.dmg

Inside of it is an AppleScript which installs it in all needed files in the help folder (I didn't find any outside of it).

It for the most part preserves the functionality of the help viewer (it can open files, but only with your say-so and not from ejectable devices).

The script is readable, and the installer is readable.
 
Cless said:
<snip>
I could write a script in Windows that starts silently deleting everything on your hard drive in about five minutes and easily convince a computer-illiterate person to click on it. <snip>

Really? A shell script that could be executed silently by a user simply clicking a weblink? On a Windows system that is patched? I don't think so.

No, this Help exploit isn't a virus, however it would make a very good launch mechanism for one.

For example, what if someone were to write a script to plunder a user's address book and send email to all of the people in it, the email naturally containing the script or perhaps simply a web link? (Can't hurt to click a link, can it? I mean I have a Mac, which means I can't get viruses, right?).

Time and again it's proven that users on the whole really are too trusting, especially when they get an email from a friend. This is precisely how NetSky et al spread. Nothing happens automatically, the user is emailed an encrypted ZIP file that contains the virus. (It's encrypted to defeat attachment scanning programs). The user is sent the password to extract the virus, and told that if they click it they will see a naked picture or some other such lie. This has recently been proven to be one of the most successful virus spreading techniques ever. Later versions are getting more sophisticated and are starting to combine techniques to spread more effectively.

Don't buy into the myth that OSX is 100% secure. ALL modern OS's have their problems and require patching if they are going to be exposed to potentially hostile networks and code. If (when?) the Mac ha{d/s} the market share that Windows does, there are one hell of a lot of attackers out there who will attempt to exploit anything they can.
 
MongoTheGeek said:
I have a "better" fix than the one isotonic did.

http://users.adelphia.net/~lively/fixbug.dmg

Inside of it is an AppleScript which installs it in all needed files in the help folder (I didn't find any outside of it)
<snip>

... considering you are using a DMG to distribute it, you should have written it to use the exploit to install automatically - it would have been poetically ironic. :D
 
Skiniftz said:
Really? A shell script that could be executed silently by a user simply clicking a weblink? On a Windows system that is patched? I don't think so.

No, this Help exploit isn't a virus, however it would make a very good launch mechanism for one.

For example, what if someone were to write a script to plunder a user's address book and send email to all of the people in it, the email naturally containing the script or perhaps simply a web link? (Can't hurt to click a link, can it? I mean I have a Mac, which means I can't get viruses, right?).

Time and again it's proven that users on the whole really are too trusting, especially when they get an email from a friend. This is precisely how NetSky et al spread. Nothing happens automatically, the user is emailed an encrypted ZIP file that contains the virus. (It's encrypted to defeat attachment scanning programs). The user is sent the password to extract the virus, and told that if they click it they will see a naked picture or some other such lie. This has recently been proven to be one of the most successful virus spreading techniques ever. Later versions are getting more sophisticated and are starting to combine techniques to spread more effectively.

Don't buy into the myth that OSX is 100% secure. ALL modern OS's have their problems and require patching if they are going to be exposed to potentially hostile networks and code. If (when?) the Mac ha{d/s} the market share that Windows does, there are one hell of a lot of attackers out there who will attempt to exploit anything they can.


If a virus/trojan has to be spread through Mail using the Address Book, it wouldn't hit a big population of Mac users. For me it would be unusable: in my address book I only have one "Mac friend", the rest are Windows'ers, and an AppleScript file would make no sense, a *.dmg file even less. I think that this whole thread of Mac trojan/virus comes from some antivirus/firewall company or maybe from some pro-MS place to create a bad atmosphere before WWDC. Nevertheless, it's really necessary to address this kind of issue within our OS. It has never been a virus/trojan; it doesn't come to us, we have to go to it before it can operate, by double-clicking or opening a homepage, but spreading through an e-mail app would give less than 5% of the infection efficiency expected by the writer...
 
Whattt?

greg75 said:
PS: The exploit was reported to Apple TWO MONTHS AGO.

Have you a confirmed source of this? I would like to know why they haven't patched this if it's true... Hard to get it... :( .. bad for Mac users if they knew about this... I'd like to doubt it...
 
Skiniftz said:
On a professional level, I agree with you wholeheartedly.

On a personal level it's nice to be able to demonstrate to the blind zealots who INSIST that the Mac is invulnerable, that yes, it can, and does, have its flaws, and those can be exploited just like any other system.

I'd classify this as a "cheap thrill." Maybe I'm just jealous because my thrills tend to be very expensive.
 
For the good of the order, somebody with an appropriate level of knowledge should sort through the various competing claims for disabling this vulnerability made in this thread and elsewhere. Until we've got a proper if not more permanent fix from Apple, we need to know what works and what doesn't. Myself, I took the advice of renaming Library/Documentation/Help to something else, because it was the simplest and fastest solution, and didn't require a download, but at this point I don't know what to recommend to other Mac users (and as the informal Mac support guy for miles around, I know I'm going to be asked).
 
Is it really a vulnerability if the OS is just doing what it was designed and intended to do??? No. This is merely someone exploiting the way the operating system works. The real vulnerability with this is STUPID USERS. :rolleyes:
 
guerro said:
Is it really a vulnerability if the OS is just doing what it was designed and intended to do??? No. This is merely someone exploiting the way the operating system works. The real vulnerability with this is STUPID USERS. :rolleyes:

You know, I get seriously torked off when the "blame the victim" explanations are trotted out by the Windows benie-brains every time a gaping OS hole appears on that platform, and I like it even less when it happens on the Mac.

Let's be serious here: Apple goofed. Apple needs to fix the goof.
 
Ummm no.

IJ Reilly said:
You know, I get seriously torked off when the "blame the victim" explanations are trotted out by the Windows benie-brains every time a gaping OS hole appears on that platform, and I like it even less when it happens on the Mac.

Let's be serious here: Apple goofed. Apple needs to fix the goof.


I disagree. If you aren't aware of proper surfing practices, don't surf.
There are holes everywhere...it is up to the user to be aware, through newsgroups, listservs, websites, magazines etc. Yes, Apple needs to fix the hole, but surfers need to be informed. It's a big net out there, and only the educated will survive. Oh, and my benie-brain sees gaping wounds in your bloated OSX that Apple ignores. Just remember, all OS's SUCK! :cool:
 
greg75 said:
Lots of clueless apologists here.

THIS EXPLOIT DOES NOT REQUIRE USERS TO DOWNLOAD AND START SOMETHING MANUALLY.

The exploit is triggered automatically just by visiting a web page. Do you check links before you click them?

Question for the apologists here: Do you download every web page and analyze it before you open the page with a web browser?

PS: The exploit was reported to Apple TWO MONTHS AGO.

Personally, I read the relevant information, analyze it, and make an informed decision on what to do. I downloaded the fix with the funny name and nifty icon and patched my system. Now when I click on your link my help viewer opens and that's that. At this point I know that the link is bad and can safely ignore future requests to click on it...
Even if my friends (allegedly) send me an e-mail telling me I should.

"No, really... it WAS an exploit but now it's Barbara Bush nekkid, you'll love it, go ahead and click."
 