another new fix

Unsanity released a free fix (Paranoid Android) for this vulnerability as well as another which has been reported to Apple but is not yet public.

From their website (http://www.unsanity.com/haxies/pa/):

"Paranoid Android can protect you from this potential vulnerability until Apple makes an official fix available. It does this by watching the URL schemes that are requested and delaying them until you've had a chance to say whether you'd like to proceed or not. If you know that the url that's being loaded is legit, go ahead, but if it looks suspicious, Paranoid Android gives you an opportunity to cancel it."

Includes an uninstaller with the installer.
 
Came across a fix on this site that seems quite good.

Other readers offered workarounds for the problem:
...
[Tracy Valleau] Here's a quick and harmless (read: reversible) fix for the help autolaunch vulnerability:

First, make a backup copy of /Library/Documentation/Help/MacHelp.help.
Next, do a Show Contents on the original, and
find: Contents/Resources/English.lproj/shrd/OpnApp.scpt
Make the change as shown below (adding the two dashes in front of "open file completeParam of the startup disk"). This comments out that line of code, so it won't run.


on «event helphdhp» (completeParam)
    -- localizable text
    set cancelBtn to "Cancel"
    set errorText to "The item cannot be opened. It may be disabled or not installed."
    -- end localizable text
    try
        tell application "Finder"
            -- open file completeParam of the startup disk
        end tell
    on error errMsg number errNum
        display dialog errorText buttons {cancelBtn} default button 1 with icon 0
        return
    end try
end «event helphdhp»


Save the file.
Remove all your foreign-language versions of the same help file (at the Resources level).
After doing this, the help file will still run, but will not be able to "open xyz for me".
* Later on, you can replace your patched copy with the backup copy of MacHelp.help you made in step one, and apply Apple's (forthcoming) fix to it. Meanwhile, you'll be safe from that exploit.

It was quite handy, as I deleted all the other languages that help has available, thus reducing the file to about 1/8 of the original size... :)
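A small URL-scheme gate in the spirit of what Paranoid Android is described as doing above (watching the URL schemes a page requests and holding anything that is not plain web content until the user decides), as an added Python example; it is not Unsanity's code and not part of the MacHelp.help patch. The allow list, the special handling of help: URLs carrying runscript, and all sample URLs are assumptions constructed for the example.

```python
"""Classify requested URLs the way a Paranoid Android-style gate would:
allow ordinary web schemes, hold everything else for a user decision.
Constructed example; the scheme list is an assumption, not Unsanity's."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Schemes a browser can render itself without handing the URL to another app.
SAFE_SCHEMES = {"http", "https", "ftp", "mailto"}


@dataclass
class Verdict:
    action: str   # "allow" or "prompt"
    reason: str


def classify_url(url: str) -> Verdict:
    """Return the gate's decision for one requested URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return Verdict("allow", "relative URL, stays inside the current site")
    if scheme in SAFE_SCHEMES:
        return Verdict("allow", f"{scheme}: is on the allow list")
    if scheme == "help":
        # help: URLs go to Help Viewer; for "help:runscript=..." urlsplit puts
        # the "runscript=..." part in .path, so inspect that rather than .query.
        if parts.path.lower().startswith("runscript="):
            return Verdict("prompt", "help: URL asks Help Viewer to run a script")
        return Verdict("prompt", "help: URL opens Help Viewer")
    # disk:, file:, javascript:, or any other scheme handed to another application.
    return Verdict("prompt", f"{scheme}: scheme is handled outside the browser")


def gate(urls):
    """Apply classify_url to a batch and return the held (prompted) URLs."""
    return [u for u in urls if classify_url(u).action == "prompt"]


if __name__ == "__main__":
    # Constructed sample requests; none of these paths exist.
    samples = [
        "https://www.apple.com/",
        "/support/index.html",
        "help:runscript=/Volumes/constructed/sample.scpt",
        "disk://example.invalid/constructed.dmg",
    ]
    for u in samples:
        v = classify_url(u)
        print(f"{v.action:6} {u}  ({v.reason})")
```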
 
Hugin777 said:
It's not enough. Try this link to test how secure you is(n't)...

Hmm... not good...

Edit: Well, I'm protected now, but at the cost that Help Viewer can no longer execute...

As root in terminal (su):
root# chmod 400 /System/Library/CoreServices/Help\ Viewer.app
This command makes Help Viewer read-only (cannot be changed or executed).

Edit2: Ok, I give up... Paranoid Android installed... :rolleyes:
 
The mis-fox solution works ok for this particular script, but am I right in thinking that help is not the only app that can be told to run a script?
 
Right, well I haven't read the thread or done a search but I'm a little bit tired of reading about this. Instead I shall point you all to a MacNN Forums post covering the full extent of this security hole and tell you that Paranoid Android is currently the only way to be completely safe.

Someone mentioned earlier that the flaw isn't public, well I think being posted on a BB is pretty public. I think we should be telling as many people as possible rather than trying to keep a lid on it, that way Apple might get a fix out. Oh yeah, and e-mailing Apple repeatedly is probably a good idea.

Sorry if my tone is a little short....

biscuit
 
Rumor From MacSlash

Some semi-good news. According to MacSlash, the latest build of the 10.3.4 beta is immune to at least one of the exploits out there. :) The question I have is: do you need to upgrade to 10.3.4 from 10.3.3 to fix it, or will Apple update all 10.3.x systems? I know there will be a security fix for 10.2.x because Apple will not upgrade everyone to 10.3 to fix the problem. But will they force an upgrade on all 10.3 users to 10.3.4?
The link to the MacSlash story: MacSlash
 
Bernd said:
the question I have is do you need to upgrade to 10.3.4 from 10.3.3 to fix or will Apple update all 10.3.x. systems?

Usually there are two different upgrade packages: one for updating the previous latest system (10.3.3) and a "combo update" for updating any 10.3.x system. Naturally the combo install package is larger in file size.
 
Born Free, Now $129.00, Part 1...

No disrespect intended, but I just read this thread and, quite honestly, as a long-time Mac user, the whole discussion of this problem and OSX/Safari security & exploits is both unfortunate and sadly comical. Whether you view OSX as a 5% marketshare OS, or in its larger context among other *nix derivatives, it's really time that OSX users woke up to the fact that claims about OSX security are a bunch of hooey.

OSX and its applications are no better or worse than any other piece of software as far as security goes, including Windows and other *nix flavors, and the "post hoc Apple propter hoc" logic just doesn't work. Just because there haven't been many serious breaches doesn't mean you're safe. In comparison, Windows variants have obviously had their problems, but also run 90+% of the world's personal computers and are constant targets. From that standpoint, you could possibly argue that Windows is actually safer.

Oh look! Someone left a note:
Dear Mac Users All Over The World,

You're all safe all the time if you use OSX and Safari, since they are absolutely secure and bullet-proof, unlike Windows, which the whole world knows is an unsafe, buggy piece of crap. Oh, and because the majority of the world doesn't care about or look for OSX security problems due to our tiny marketshare, you're even safer! In fact, that's why we chose endangered, inbred cats that mostly live in game preserves and zoos to advertise our software. Meow.

Love, Steve

ps. I left some Apple-shaped cookies and milk near your mouse for when you get home from Computer Kindergarten and I even took a bite out of each one, just the way you like it. Oh, and there are some Little Friskies for kitty.

If anybody needs to re-order any of the following, there's still time before inventory runs out:
- Apple SpinFlakes - mmmm - great for breakfast
- Rose-Colored Apple Sunglasses
- Brainwashing Sleep Tapes
- A Freshly-Pressed Sheep Suit

There is no such thing as a secure OS, which is the fundamental rationale for things like external firewalls. OS security, and that of contained software such as Safari, is a relative concept, and I am eagerly awaiting the next campaign from the Apple Spin Machine once the world realizes that OSX is not really as safe as Apple claims.

I guess as long as this thread is partially about comedy...
-----------------------------------------------------
Recent Apple Spin Doctor Brain-Storming Session On Software Security:
"Uh oh...the Safari script kiddies got us...now what do we say about Safari & OSX, since the world obviously knows that they're not as safe as we say???"
"Well, it's just some scripts. Cut and run! No wait! We can just change the OS & browser codenames to make it look like we're doing something. We'll lose the cats and start using ultra-tough, military names!"
"We could also include a bunch of little plastic army men in the box to give the impression of high security! We'll tell everyone they're safe from Viruses of Mass Destruction."
"Yeah - and we can even write our own virus as proof of VMDs!"
"Will Steve be head of MacLand Security? AUGHH! He's going to fire us!"
"Shut up, you idiot!"
"Hmmm...Viruses of Mass Destruction...maybe we could finally appeal to conservative Republicans and dupe the Europeans to increase sales."
"That is so dumb. Plastic is bad for the environment!"
"But it's good for Republicans."
"And Europeans!"
"OSXI: Screaming Eagle!"
"...featuring 'Talon', the 8th generation web browser!"
"What was the 7th generation?"
"Who cares?"
"Can we make the screen bleed with cool 3D effects?"
"This is better: 'In 1984, Apple invented the Macintosh. In 2004, they've reinvented the pixel.' Ha ha."
"That's never going to work! First the benchmark fiascos, and now this! AUGGHH! We're doomed! Steve's going to fire us!!"
[everyone else in unison] "SHUT UP, you idiot!!"
"OK...well...how about this? 'OSX - it's safe-ER.'"
"It's the SAFIEST! Errr..Safeway!! Sorry - I'm hungry - pass the Krispy Kremes..."
"No wait! We're on to something! 'As a cutting-edge, visionary OS developer, sometimes you have to break the security mold and trade safety for more features.'"
"That totally works for the press release!"
"Yeah! That's it! We give you more features!"
"And plastic army men!"
"And pixels!"
"Are more features better or worse for the environment than plastic?"
"OK - wait - I've got it. 'Less safe, More features!'"
"No...'less' is no good - too negative - we need a more spinny word that implies no culpability on our part for the obvious, gaping OS and software security holes that we don't want anyone to know about! Well...unless someone leaks them so that we have to acknowledge they exist."
"Hang on! I'VE GOT IT!! 'Tastes safe. More features!'"
"Taste is good. People like to eat...well maybe not crow. HEY! why didn't that @%@$#@!! admin get more Krispy Kremes? I sent the memo last week!!"
"Ugh! Contractors! Let's redesign their badge color and make them wear funny hats."
"C'mon - get back on task. We can torture the part-time peons later!"
"Taste has great spin! Can we trademark it??"
"Wait - how about this: 'Think Disk Doctor!'"
"Hey! That's good for a Norton co-marketing campaign - awesome - we'll stick it to them with a buy-in deal and also charge users for security upgrades! heh heh!"
"Sweet!"
"Tastes safe...but is it? Ha ha!"
"We can include a little army medic guy and field ambulance with a real siren in special ultra-secure theme bundles!"
"Cool! We can even resurrect the old tank ad!"
"Yeah - let's overlay a camouflage-colored iPod on the General!"
"Hey yeah! And he needs a red LED like the Terminator! 'I vill protect you, MacOS. I am de Mac-inator.' Ha ha!"
"Can he dance hip hop and grimace threateningly at the same time?"
"Sure. By the time we're done with him, he'll be running for office!"
"These are all good ideas, but we need more user subjugation."
"How about a privacy-invading, mail-in insert in every box for a free leather mousepad and a verbally abusive screen saver module?"
"We could make users say 'baaaa-a-a-aaa' while clicking our new limited liability 'super secure OS' user agreement!"
"Get legal on the phone."
[...brief conversation with Legal while more Krispy Kremes vanish from the box...]
"Sorry - they say we can't use a sheep sound because Apple Records will sue us again due to the obvious, musical nature of animal noises, and especially sheep."
"Even if we call it 'soshearmi?'"
"OK...forget the sheep noise...how about 'Who's Your Daddy?!'"
"Yeah! We could use the voice recognition software to make sure they said it while clicking the 'I agree' button!"
"What if they mess up?"
"They have to keep saying it until they get it right."
"PERFECT!"
"I like it! It really feeds the dysfunctional sense of attachment and self-destructive, myopic fanaticism of our core users!"
"Wait! I've got it - TALKING miniature army men with FIREWIRE PORTS! [deep army voice] 'Stand back, cyber-citizens, this is a secure area.' Ha ha!"
"We could have a TV show about anthropomorphic software modules defending the country against Internet invaders and call it 'Cat Patrol!'"
"What are the firewire ports for?"
"DUH! Higher chip volumes to drive down the cost of CPU hardware! How else are we going to make money? How long have you been working here, anyway?"
"We're going to need more Krispy Kremes..."
"Someone get Mattel on the phone..."
 
Born Free, Now $129.00, Part 2...

Among all the posts in this thread, one of the most interesting is the one by MorganX showing the basic disparity between reality and the Apple Spin Machine. Security holes have obviously been an ongoing issue. And, for those of you who said "I shouldn't have said anything! Now the virus hackers are going to find us. Ahhh!! flag-waving, mutant script kiddies from Mars! blah, blah, blah..." you're kidding, RIGHT? :rolleyes:

Besides the myth that OSX is secure, what Apple has also done a good job of spinning is the notion that, somehow, after the Apple Pope of Software Integration has blessed the code with the Holy Sheen of Aqua User Interface, APIs, and Hardware Abstraction Layers, OSX is just one piece of software.

That's a very good trick, considering it contains a myriad of software components/libraries/applications that are part of the core unix distribution (+ many add-ons) that have little to do with Apple and have all of the same security vulnerabilities shared by every other unix distribution using similar code. Apple didn't write it and can only assess the vulnerabilities of the huge codebase based on relatively limited in-house testing, the squealing of a world full of guinea pig testers desperately relying on the integrity of the OS, and the *nix community of developers and users which constantly finds new security issues in the distribution code. But, because it's Apple, flaws which exist in the same distribution everywhere else in the world magically don't exist in OSX and MacLand, right? La, la, laaaa... *fingers in ears.*

The sobering thing about the current Safari security issue is that it seems to be in code that Apple actually wrote. So, if they can't find serious flaws like this in their own code with in-house engineering and testing, what happens with code they didn't write? You could argue that it doesn't make a difference, but theoretically, if you're writing and testing the code yourself, you should be able to have an optimal result. And...where's the quick fix or the official security bulletin?

The Talking Moose desk accessory just leapt out of the graveyard and asked Apple "Hey - Why aren't you doing anything?" Part of the comedy is that the user community has actually fixed the problem before Apple has even admitted to it.

OS foundations aside, the Mac OS in all its incarnations has ALWAYS been susceptible to viruses (nVIR, for example). But, for the current OS, even if there are BSD vulnerabilities, you're still safe from the Windows script kiddies, because they're too dumb to figure out the esoterica of a new OS to create a plague of annoyances, right? Wrong. The *nix userbase is huge, and to make matters worse, the *nix users are actually the smart, usually academic ones, who can certainly figure out how to cause much more trouble than the average script kiddie. Luckily, it's the academic and open source communities, among others, that actually help Apple by constantly increasing the robustness of the underlying distribution code.

So, the question is not *if* there will be a serious Mac security issue, but *when* the next of many will occur. OSX is not a bastion against hacking, and the best thing Apple could do is set standard, realistic OS security expectations for its users and respond to real problems quickly, rather than spin a web of supposed imperviousness, superiority, concealment, and inaction. Beyond that, as others have repeatedly pointed out, it's up to users of any OS to be responsible in the use of the Internet and any other resources external (or introduced) to a particular host computer.

There are dumb things you can do on every OS. But, hang tough, the talking, plastic, firewire port army men are coming to protect you, and they will keep you safe from VMDs. ;)

If only they could save users and large computer manufacturers from themselves...but for that, there's "CAT PATROL!" Tune in next week for an exciting new episode where Panther gets a flea dip! :)
 
Software Update

There is a Help Viewer update in Software Update.
I just downloaded it and it works like Unsanity's fix by asking you if you want to accept a scheme. Personally, I liked Unsanity's better because it gave you a description of what it was blocking.
So I guess Apple does read these boards.
 
pjkelnhofer said:
There is a Help Viewer update in Software Update.
I just downloaded it and it works like Unsanity's fix by asking you if you want to accept a scheme. Personally, I liked Unsanity's better because it gave you a description of what it was blocking.
So I guess Apple does read these boards.

On my machine it just seems to ignore help:runscript. It starts Help Viewer, but the "runscript=" part is seemingly ignored.

Which URL did you use to test with?

Edit: the developer says:
that's Paranoid Android presenting its dialog, but since you'd disabled it, it can't find the localized versions of its strings and icon. Once it's loaded into a running process (Safari), it stays loaded. You have to quit and relaunch Safari to unload Paranoid Android.
 
Yes - it's great that they posted the patch...and also about time.

I'm hoping to turn the marketing meeting script above into a major independent film.

And it actually was a pretty fun rant. :p

Does panther need a flea dip? Definitely.
 
Hey Rower -

Look! They fixed the problem!

*whistling noises*

Quite honestly, it's hard not to laugh (or cry) at Apple's ludicrous software security claims. Maybe you'd like to reconsider your previous sarcasm. ;)

...or maybe you'd like to...

Think Disk Doctor!

:D
 