Details on Mac OS X/Safari security vulnerability

Who the hell comes up with these things?

Satan himself. And Bill Gates.

Wow, that's scary. I clicked on the link to the example page (thinking that the warning about clicking it referred to a link on that page) and, lo and behold, my Terminal opened up and started processing a Unix command. As they said, it's harmless, but if it hadn't been, it was definitely too late to do anything about it... YIKES.

I modified the script at /Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt (as pointed out in the 2nd-to-last link above) so it prompts you whether you want to allow or deny the script to run. If you click "Deny", it will not run:

on «event helphdhp» (completeParam)
-- localizable text
set cancelBtn to "Cancel"
set errorText to "The item cannot be opened. It may be disabled or not installed."
--end localizable text


try
display dialog "Something is trying to run: " & completeParam buttons {"Allow", "Deny"} default button 2 with icon 0

set buttonPressed to (button returned of result)

if (buttonPressed is "Allow") then

tell application "Finder"
open file completeParam of the startup disk
end tell
end if
on error errMsg number errNum
display dialog errorText buttons {cancelBtn} default button 1 with icon 0
return
end try
end «event helphdhp»

What's to prevent a script kiddie to post a link (Kournikova!) in Macnn Lounge or in Appleinsider, Macrumors, Macslash, etc that lures unsuspecting people to executive destructive commands!

Sure, one could say the axiom of don't download/open/click/visit whatever from unsuspecting people but we know that do not work in real life.

The next step is would be for someone to write a mail.app script that sends out e-mail to everyone on ones Address Book, spoofs the return address and includes a link and then executes that command on the user's own machine. Voila! The first OS X virus!

(Shudders)

It looks bad, but because of Mac OS X's Unix's security model, the worse it could do is to blow away the user's home directory. I imagine that even being logged into the machine as the admin user, it wouldn't do that much damage.

Now if the vulnerability allows the script to elevate itself as the superuser (root), that would be a different story. But as it stands now, I don't think that it will happen any time soon.

The thing is, real UNIX is far better in security than Apple's bastardation. Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX. It's part of the reason why OS X wouldn't be able to obtain UNIX certification from the Open Group. (FYI, early versions (pre-beta) of OS X qualified for UNIX certification-- the modifications after modifications by the time of deployment removed the OS from certification)

> Apple is trying to make a user-friendly UNIX by compromising the basics of UNIX.

Example? Proof?

Nope. Just FUD.

the worse it could do is to blow away the user's home directory

Here, ibmjones, click on this link over here....

Just because you don't think it is serious does not mean it is not serious.

Hey Simon, don't use FUD if you do not know what it means.

Apple did modify the basics of UNIX - I would call case insensitivity and unexpected naming of system directories basic enough. Whether I would call it "compromised" is another question, however.