Forwarding Address: OS X

Tuesday, May 18, 2004

Well, this is historic, if bothersome -- looks like OS X finally has a real live "extremely critical" browser-based exploit. You can read about it via the original notice or in this more detailed advisory from Secunia.com. The gist is that an evil cr/\kz0r could place a malicious AppleScript file on your computer via the "disk:" URI handler, then execute it via a hook in the "help:" URI handler. It reportedly has been tested on Safari 1.2.1 and IE 5.2 and is suspected to work on other browsers. Preventive advice boils down to: "Rename all URI handlers which are not required. Do not surf the Internet as a privileged user." Update: Never mind that; you just want to fix it? Use MoreInternet or MisFox to make the "help:" protocol launch something other than Help.app. I used Chess! (I've been advised to alter the "disk:" protocol as well, but that wasn't listed on my machine.) More info and alternate fix methods to be found at Macintouch's Notes and Tips section.

Don't believe me? Try this exploit demo yourself. (Disclaimer: This was a harmless demo when I tried it, but I cannot be held responsible if it emails the contents of ~/Pictures/Me/Nude/*.* to your entire address book...)

It will be interesting to see how this plays out.

5 Comments:

  • With regard to:

    > Preventive advice boils down to: "Rename all URI
    > handlers which are not required. Do not surf the
    > Internet as a privileged user."

    It would be nice to 'boil it down' to clear steps. What do you mean? Do you mean to do something like this (from http://macintouch.com/):

    > [Michele Fuortes] There seems to be a very easy
    > (albeit temporary) fix to the help:runscript vulnerability.
    > By using the MoreInternet control panel (freeware:
    > http://www.monkeyfood.com/software/MoreInternet/)
    > you can change the handler for the 'help' protocol to an
    > application different from the Help Viewer. I changed
    > it to the Finder and after a logout the exploit does not
    > work anymore, it just switches you to the Finder. It
    > seems a very simple solution.

    BTW, I already use a non-admin user for my daily work (e-mail, browsing, etc.). However, I also do my programming, web dev, design, etc. using the same account. Hence, an exploit which hoses my non-admin user's account (which I'd thought was 'safe' but is also my primary account) would be bad indeed...

    By Anonymous, at 3:18 PM  

  • Yes, I suppose I could have been clearer that the quotation is from Secunia, and that for a fix, I used the advice that's given on the fundisom.com and macintouch.com pages I linked to. ¶ I used MisFox instead of MoreInternet, for no particular reason. I also set the "help:" application to Chess, to make it obvious if/when something I click on tries to use this exploit. ¶ If Apple doesn't come out with a fix in the next few days I'll probably disable the script-launching part of Help.app per the Macintouch instructions. ¶ And yes, as I think you are implying, the "do not surf the internet as a privileged user" advice isn't really worth much. Whatever privileges are there, this exploit can use. If your user account can create documents, this exploit can destroy them.

    By pbx, at 7:45 PM  

  • You said: "(I've been advised to alter the "disk:" protocol as well,
    but that wasn't listed on my machine.)"

    If it's not listed, "disk:" URLs will default to opening Disk Utility,
    which means you *are* vulnerable to that part of the exploit. You can
    verify this by typing "disk:anything" as URL in Safari. (Or select the
    URL text and choose "Open URL" in the Services menu.)

    You should *add* a "disk:" protocol handler, and set it to open Chess,
    or whatever app you've picked.

    (Andrew Plotkin)

    By Anonymous, at 12:09 PM  

  • Thanks, Andrew.

    By pbx, at 1:10 PM  

  • I just installed Apple's 'Security Update 2004-05-24' (sic) and tried several of the example intended to show the exploit. Looks like Apple has closed the door on this one.

    By Will, at 7:01 PM  

Post a Comment

<< Home