toggle

AAPL Stock: 502.21 ( + 4.54 )

MacNN News

Details on Mac OS X/Safari security vulnerability

updated 05:45 pm EDT, Tue May 18, 2004

Mac OS X/Safari security

eWEEK has a .

by MacNN Staff

print

email

(23)

TAGS :

troubleshooting

Share the Article

Facebook Twitter Delious Slash Dot Digg

Comments

PookJP
Mac Enthusiast

Joined: Jan 2001

0

05/18, 06:28pm | report spam | close Reply |
...

Who the h*** comes up with these things?

dcrosby
Fresh-Faced Recruit

Joined: Sep 2002

0

05/18, 07:30pm | report spam | close Reply |
who

Satan himself. And Bill Gates.

atomicon
Fresh-Faced Recruit

Joined: Apr 2004

0

05/18, 07:33pm | report spam | close Reply |
SCARY

Wow, that's scary. I clicked on the link to the example page (thinking that the warning about clicking it referred to a link on that page) and, lo and behold, my Terminal opened up and started processing a Unix command. As they said, it's harmless, but if it hadn't been, it was definitely too late to do anything about it... YIKES.

jimothy
Fresh-Faced Recruit

Joined: Sep 2000

0

05/18, 08:01pm | report spam | close Reply |
My fix

I modified the script at /Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt (as pointed out in the 2nd-to-last link above) so it prompts you whether you want to allow or deny the script to run. If you click "Deny", it will not run:

on �event helphdhp� (completeParam)
-- localizable text
set cancelBtn to "Cancel"
set errorText to "The item cannot be opened. It may be disabled or not installed."
--end localizable text

try
display dialog "Something is trying to run: " & completeParam buttons {"Allow", "Deny"} default button 2 with icon 0

set buttonPressed to (button returned of result)

if (buttonPressed is "Allow") then

tell application "Finder"
open file completeParam of the startup disk
end tell
end if
on error errMsg number errNum
display dialog errorText buttons {cancelBtn} default button 1 with icon 0
return
end try
end �event helphdhp�

klinux
Senior User

Joined: Jul 2002

0

05/18, 09:23pm | report spam | close Reply |
Seriously

What's to prevent a script kiddie to post a link (Kournikova!) in Macnn Lounge or in Appleinsider, Macrumors, Macslash, etc that lures unsuspecting people to executive destructive commands!

Sure, one could say the axiom of don't download/open/click/visit whatever from unsuspecting people but we know that do not work in real life.

The next step is would be for someone to write a mail.app script that sends out e-mail to everyone on ones Address Book, spoofs the return address and includes a link and then executes that command on the user's own machine. Voila! The first OS X virus!

(Shudders)

ibmjones
Fresh-Faced Recruit

Joined: May 2004

0

05/18, 10:03pm | report spam | close Reply |
Not that serious

It looks bad, but because of Mac OS X's Unix's security model, the worse it could do is to blow away the user's home directory. I imagine that even being logged into the machine as the admin user, it wouldn't do that much damage.

Now if the vulnerability allows the script to elevate itself as the superuser (root), that would be a different story. But as it stands now, I don't think that it will happen any time soon.

bauhaus
Fresh-Faced Recruit

Joined: Sep 2003

0

05/19, 12:36am | report spam | close Reply |
UNIX

The thing is, real UNIX is far better in security than Apple's bastardation. Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX. It's part of the reason why OS X wouldn't be able to obtain UNIX certification from the Open Group. (FYI, early versions (pre-beta) of OS X qualified for UNIX certification-- the modifications after modifications by the time of deployment removed the OS from certification)

Simon
Posting Junkie

Joined: Nov 2000

0

05/19, 02:17am | report spam | close Reply |
Re: UNIX

> Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX.

Example? Proof?

Nope. Just FUD.

klinux
Senior User

Joined: Jul 2002

0

05/19, 03:11am | report spam | close Reply |
Oh yeah

the worse it could do is to blow away the user's home directory

Here, ibmjones, click on this link over here....

Just because you don't think it is serious does not mean it is not serious.

klinux
Senior User

Joined: Jul 2002

0

05/19, 03:21am | report spam | close Reply |
Easy there

Hey Simon, don't use FUD if you do not know what it means.

Apple did modify the basics of UNIX - I would call case insensitivity and unexpected naming of system directories basic enough. Whether I would call it "compromised" is another question, however.

Frogmella
Fresh-Faced Recruit

Joined: Sep 2001

0

05/19, 03:57am | report spam | close Reply |
Re: My fix

jmothy, that worked perfectly - thanks! I'd encourage everyone to patch that script - all you need to do is navigate to the the file in the Finder (using 'Show Package Contents' when appropriate) and then open it into Script Editor. Works like a charm.

Simon
Posting Junkie

Joined: Nov 2000

0

05/19, 05:05am | report spam | close Reply |
Re: Easy there

Klinux, that's exactly why I asked for some proof or examples.

They indeed modified lots of things, but to claim they "compromised" the underlying architecture is completely baseless, unless we are shown proof of some "new" and unknown evidence.

Therefore I claim it's fear, uncertainty and doubt (thanks, I know what FUD is). Fear of being hacked, uncertainty because he doesn't know what he's talking about and I doubt he should have voiced his uneducated allegations.

There you go wise guy. Think, then post.

klinux
Senior User

Joined: Jul 2002

0

05/19, 05:22am | report spam | close Reply |
Well

Look up the definition of FUD - it describes an unethical marketing technique. You may fear shiny objects, be uncertain of your next paycheck, and have doubt about your future prospects but that does not make it FUD.

This threat is real - whether you are a zealot or not.

klinux
Senior User

Joined: Jul 2002

0

05/19, 05:28am | report spam | close Reply |
In addition

This problems allows the Help Viewer to execute any UNIX command via clicking a link.

As far as I know, this problem does not occur with any other *nix. Would love to see evidence showing otherwise.

Simon
Posting Junkie

Joined: Nov 2000

0

05/19, 05:37am | report spam | close Reply |
it still holds...

You can babble all you want, but it has nothing to do with my initial criticism which still stands.

This statement is not true: Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX.

Until I see an example which proves this statement (and not some other story I never mentioned), I'll take it for the bull it is.

the Rebel
Fresh-Faced Recruit

Joined: Jul 2000

0

05/19, 06:11am | report spam | close Reply |
not quite all browsers

"The flaw works with any browser,"

It does not appear to work with Mozilla on my Macs.

wings_rfs
Fresh-Faced Recruit

Joined: Dec 2002

0

05/19, 07:37am | report spam | close Reply |
B.S. From Secunia

The article (New Security Hole Found in OS X) in eWeek: http://www.eweek.com/article2/0,1759,1594660,00.asp

quotes Thomas Kristensen, chief technology officer of security company Secunia, of Copenhagen, Denmark, who said:
"All operating systems and software have flaws, and it's dangerous to categorize one OS as more secure than another."
What I'd like to know is WHY is it dangerous to do this if it is the TRUTH. Seems to me this kind of information would be very helpful to someone wishing to find an OS that has a good security track record, and/or to avoid the ones that don't.

And then he says: "Unless a system is built from the ground up with its focus on security, you're going to have plenty of holes. Apple's focus with OS X is ease of use first and foremost."
What is his basis for this statement? Does he have inside info from Apple that tells him that they put security down on their list? Since OSX does NOT have "plenty of holes" then this fact alone should prove that Apple DOES have a sharp focus on security. This guy is spouting B.S.

My opinion of these so-called "securty experts" is getting worse every day.

LouZer
Fresh-Faced Recruit

Joined: Nov 2000

0

05/19, 08:35am | report spam | close Reply |
Re: In addition

This problems allows the Help Viewer to execute any UNIX command via clicking a link.

As far as I know, this problem does not occur with any other *nix. Would love to see evidence showing otherwise.

It could happen with any program, it just may be no one has found one yet (h***, it took someone, what at least 6 months to find this problem). Some would argue its not an OS problem at all, since the GUI isn't part of the OS (so Apple's 'bastardization' isn't at fault), and this is more of a GUI/OS X problem then an underlying Aqua problem.

Oh, and most people would find apple's use of a case insensitive file system an EXTREMELY GOOD THING! One huge problem most *nixes have is the stupid world of 8 files called Readme, all cased differently. Or just having to remember to type in the correct case to get a file to open. Its just plain stupid-a**, but its the way its always been, and the unix geeks like it that way (keeps the mentally challenged PC users off their systems so they can feel they're part of their own club).

abrody
Junior Member

Joined: Mar 1999

0

05/19, 08:41am | report spam | close Reply |
Flaw is FUD

There isn't much you can do from the terminal unless you grant administrative or root access. That requires the user enter their password for administrative access, and root access have the knowhow to enable root. So even if it was a serious flaw, it isn't as bad as Windows which grants root access even to the most unsuspecting user.

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

05/19, 12:17pm | report spam | close Reply |
Not FUD

Boy, you people like to spew, don't you. This problem IS serious, as it allows a user to click a hyperlink and have something executed. To say "Its no big deal because you don't have admin rights" is just silly. First, you can still have everything you have permissions on to be deleted. Second, it could be used to install trojans, sniffers, or other programs for later execution.

To claim its FUD is baseless.

As for this quote:
And then he says: "Unless a system is built from the ground up with its focus on security, you're going to have plenty of holes. Apple's focus with OS X is ease of use first and foremost."

Its completely wrong. It doesn't matter if your focus is on security or not. You can still have holes. You'd need ultra-high-end code review, re-review, plus a group of people doing the ol' "thinking outside the box" to look for security holes in their software. And even with all that, it still can contain flaws. OpenSSH (from OpenBSD, which is supposed to follow this whole 'security from the ground up concept') has had vulnerabilities found. The Linux and open-source crowd, who crow about how holes can be found by the hundred idiots at the bazaar, still let out software with security holes in it.

There's only ONE way to keep your computer and OS secure. Don't turn on the computer.

klinux
Senior User

Joined: Jul 2002

0

05/19, 01:01pm | report spam | close Reply |
You are joking right?

"It could happen with any program, it just may be no one has found one yet "

Arguing the negative? So I can say Apple is thw most insecure OS EVER but it may just be it has not been proven yet so it is true?

And had Apple gone with being case sensitive and UNIX case insensitive, watch all the zealots here proclaim how great case sensitivity is just because Apple supports it!

Also, Simon, messing with case insensitivity and directory structure is compromising one of the basics of UNIX. I do not know how much more basic do you want to get.

Simon
Posting Junkie

Joined: Nov 2000

0

05/19, 01:53pm | report spam | close Reply |
Re: klinux

> Also, Simon, messing with case insensitivity and directory structure is compromising one of the basics of UNIX. I do not know how much more basic do you want to get.

klinux, would you please read what I actually wrote and think before you post. I never said they didn't fiddle with case sensitivity or directory structure.

But the stuff they did has nothing to with this exploit and it has even less to do with security. Bauhaus' original post was bullshit and nothing you have posted changed anything about that.

This is a board to discuss. That means reading what other people say and arguing those issues. If you want to just listen to yourself babble and miss other people's point you should perhaps try a tape recorder instead.

jormundgand23
Fresh-Faced Recruit

Joined: Mar 2004

0

05/20, 08:56am | report spam | close Reply |
Easy Fix

If you know what you're doing this is the easiest fix: Change Help Viewer's Info.plist. Change the NSAppleScriptEnabled property from true to false. Took me two seconds and none of the proof of concept pages I've visited (I've visited all the ones I could find) don't work. Help launches but nothing happens after that.

Show More Comments

Login Here

OR

toggle

Network Headlines

02/16	Google, others said bypassing Safari...
02/16	Google now known to be patenting own...
02/16	SumOfUs criticizes FLA head, plans...
02/16	Safari 5.2, Xcode 4.4 seeds reach developers...
02/16	Mountain Lion updates to be funneled...

02/16	Google, others said bypassing Safari...
02/16	Google now known to be patenting own...
02/16	Cook sees merging of notebooks, tablets...
02/16	Apple claims backing for rights to...
02/16	Intel may push Ivy Bridge back to June...

02/16	Cook sees merging of notebooks, tablets...
02/15	Apple upgrades iBookstore with screenshots...
02/15	Congress asks Apple to answer questions...
02/14	Apple attempting to disrupt Siri hacks...
02/14	Readability iOS app delayed, Android...

02/16	Garmin nuvi 4.3-inch Portable GPS Navigator...
02/15	Monster iCarPlay Wireless FM Transmitter...
02/14	Refurb. 16GB iPhone 4, now only $259...
02/13	Refurb. Flip UltraHD Pocket Digital...
02/10	$380 off refurbished 2.8GHz Mac Pro...

Most Popular

Recent Reviews

Powerbag Business Class Bag

Many companies currently offer battery packs and various accessories to keep smartphones and other gadgets charged when away from an o ...

Logitech Cube

The world of mice could often be described charitably as stagnant: it's an endless sea of ergonomic shapes that assume you're sitting ...

NewerTech and Targus USB Hubs For Gifts

A useful holiday present to resolve an ongoing frustration is a multi-port hub. Whether as a stocking stuffer, Chanukah present, or an ...

Most Commented

10 Most Discussed

Popular News

MacNN Marketplace