If you've visited here before you may want to jump straight to the latest additions:
What was originally described here has turned out to be just an overly complex variation on something even much simpler and therefore much bigger. Please reread the explanation, the suggested action as well as the notes! Forget about what I described earlier. (Original story is still available.)
If you find this too hard to understand but still want to protect yourself, then you may find these simple installation instructions useful.
For those of you who feel that security through obscurity is a good idea: I disagree. One reason I disagree is that at the moment of this writing there is a huge buzz about this security hole, but it is totally unclear how users can protect themselves against it. Much of the advise given (and even some proof of concepts) is just plain wrong and will only give those who follow it a false sense of security - much worse than no security but knowing it. Even worse, scared people can easily be lured into downloading an actual trojan advertising itself as a protective solution! Most of the main Mac press sites seem to just copy each other's crap without checking facts. (I suggest that, once you've read this page and understand the issue, you go back to those sources and see what they reported right and what they reported wrong. It doesn't hurt to know how much trust to put into which source the next time something is up...)
I could say "do this to protect yourself", but by leaving out an explanation I'd just be adding to the FUD. By explaining how this security exploit works people can understand how something would in fact protect them.
In any case, all that's here I found on the Net. All I did was separate the FUD from the good info. Sources I used, both the good and the bad:
One reason I bothered was the recent FUD about first Intego's "first Mac OS X trojan" (an executable disguised as a MP3 - whether it was a trojan or only a proof of concept is not clear), and right after that the FUD about MacWorld UK's "first/second Mac OS X trojan" (an AppleScript applet with an M$Office icon slapped on it, posing as M$Office installer... duh).
Then a week or so later this one turned up. I felt it was time to publish some actual information. I had seen too much FUD.
Being a professional AppleScripter I was also quite annoyed by all the totally unfounded fear of AppleScript that these zero-quality reports generated.
Sometime around the afternoon of Tuesday, May 18, 2004, I started coming across several reports about a supposed security hole in Mac OS X 10.3, or in Safari, or in Help Viewer, or in Mac OS X's disk:// URL scheme... Vagueness ruled. All of them screamed that a huge security hole was found, none of them explained the issue, all of them gave extremely vague instructions on how to protect yourself against this exploit. Including posting a script that couldn't possibly work as advertised.
"The Finder automatically registers all applications as it becomes aware of them, such as [...] when the user navigates to a folder containing them."
Part of that registration involves LaunchServices (an under-the-hood thing, somewhat similar/related to InternetConfig) to check if a thusly found application advertises itself as being capable of handling a specific URL scheme. If the executable can do http for example, it will contain that information in such a way that Finder can access it (and pass the info on to LaunchServices).
Now if you've ever mounted a remote volume you will have noticed that when you do, Finder opens a new Finder Window showing the contents of the root of that volume. Sounds much like the situation in the quote above of "the user navigates to a folder", doesn't it?
Thus, when a volume containing an application on its root is mounted, the OS immediately knows what URL schemes it (claims) it can handle.
That's really nice. It means the user doesn't need to understand how to let the OS know that it just downloaded a new application and what it can do. The OS already knows 'automagically'. Now that I know this, I finally understand why Apple reportedly encourages developers to distribute applications on disk images: it enhances the user experience.
All of this is great. Nothing wrong with it as far as I can see. However, there is more enhanced user experience:
Since Mac OS X 10.2.x, some URL schemes are capable of mounting a remote disk image on the local machine. I'm not sure why I wasn't aware of this earlier. I sure as hell would have been as uncomfortable about it as I am with "Internet enabled disk images". (I had never run into such a URL before and am not aware of Apple having advertised it. So far I haven't been able to find documentation on it.)
I assume the idea is that it is too complicated for (some) users to have to understand how to download a file, decompress it (and/or mount if it's an image) and place the resulting files he wants in the place he wants. I always thought the reason Apple encourages developers to distribute software through disk images was simply because of the analogy with shoving a disk in a 'puter: a somewhat easier concept to grasp than things like compression (.sit, .sea, .zip, etc.) or even encoding (.bin, .hqx, etc.). But clearly it was much more subtle than that.
So Apple made things even easier, by allowing several schemes to mount a remote disk image locally. The user initiates that (by clicking a link, or a button, whatever) and magically the file the user wanted appears (inside a newly opened Finder window showing the root of the mounted image). Now all he needs to do to 'install' is drag it to wherever he wants it. (The mounted volume can be ejected, or else will disappear on logout.)
Unfortunately, these 2 great features (yes they're great you Linux bozos, because they allow even grandma to finally be able to install something) lead to a serious vulnerability, waiting to be exploited:
Thus it is possible for an attacker to
META HTTP-EQUIV "Refresh" (optionally hidden inside a <FRAME>), he can then tell the browser to follow a URL that uses that schemeMake sure you understand this: it means 1 single 'click' on a URL, in any application, not just a Web browser, can set this chain of events in motion. And there's a hell of a good chance you will not even notice it. Because after that initial 'click' no further user action is needed and the only thing you might notice (assuming you can actually see your entire Desktop) is a Finder window opening showing the contents of the remote disk image. Even if you do notice that, by then you may have only a split second left to respond. You won't - according to research, it takes drivers several seconds before they respond (hit breaks, steer away) when something pops up in front of them unexpectedly. And a driver is (one might hope) in a much higher state of alertness than a computer user.
So it boils down to 1 wrong 'click' and you've been had :(
If you're lucky, the attacker lacks imagination and only deletes your home directory (that's assuming you're not logged in as an admin - else much more could be deleted and the entire OS could be rendered useless by this).
Yes, I say "if you're lucky", because in that case all you need to do is reinstall from back-up and you're fine again. You do make decent up to date back-ups of what matters to you, don't you?
If you're not so lucky, the attacker is more sophisticated.
Both of these demonstrated I was still vulnerable in spite of having applied Security Update 2004-05-24 :(
I haven't managed yet to set up this exploit myself. I must have dropped a bit under my desk or something. So an attempt to explain how it works in detail would be no more than theory. Besides, all I want is inform people how to protect themselves, not help malicious programmers. So even when I do find that bit, I don't plan on explaining those details (and I urge others to keep equally quiet about it). Maybe after Apple has completely fixed this.
The only solution I feel comfortable to advise is to install Paranoid Android. Here's my rationale:
I can think of only 1 reason to not take the Paranoid Android approach: some people claim that APE, that which ParanoidAndroid is based on, causes instability for them. If that's the case for you, and/or you truly know what you're doing, one or a combination of the following approaches might offer protection:
META HTTP-EQUIV "Refresh". I don't know of any that does (possibly lynx, or its cousin, links) and be aware that if someone manages to lure you into following a URL that uses a malicious scheme you'll still be fucked. No amount of technique can protect you from social engineering. Use your brain muscles.For example, John Gruber explains why he prefers using RCDefaultApp for prevention, and what he dislikes about Paranoid Android. Fine. I'll let you in on a little secret: that's exactly what I did on my Macs.
So why do I so strongly advice people use Paranoid Android? Because I am not my target audience. I'm not publishing this site to inform me.
I'm all for people expressing their opinions and sharing views and discussing that (you can find me on Usenet). But that makes sense only in bi-directional communication. The Web is not bi-directional (braindead concepts like Web forums exempted). The Web is like TV: there is a lot to be consumed and zero interaction. I am publishing my story here. You cannot respond, at least not on the same stage (this site).
So when I choose to publish something on the Web, I don't do that just to inform others of what is my personal solution to a general problem. I do it because I have a target audience in mind. In the case of this page, the target audience is largely those of you who are not programmers, but just regular Mac users who don't know much about how that pretty box actually works on the inside. I saw how hard a time some developers, me included, were having to grasp the URL scheme/LaunchServices security hole. And I saw that for you 'regular' users it was even much harder. You are my target audience. So the advice here is my advice to you. (In fact, as you may have noticed, I have by now added another target audience. If only to help you help your friends/family.)
If I would advice you to get RCDefaultApp, install it (how?), configure it (how?), I would be confusing half of you, which would result in half of you not protecting yourself well. LittleSnitch requieres even more understanding. (Remember, when I set up this page there was no source whatsoever explaining the issue at hand (except for 2 german Web sites that I found later - If you want to prepare for future events, I would advice you to learn german ;)). The info was out there, but it would have taken take you a lot of time to find, and then you still needed to have enough background information about the system in general in order to recognize what exactly you had just found.) In practice, many of you would never have found the essential information.
Well, there you have it. This is why I strongly advice you all to use Paranoid Android and only sideways suggest LittleSnitch and/or RCDefaultApp (or MisFox, or MoreInternet, and there's even more).
Lesson learned: when you read something, consider who the author is targeting. It may not be you.
Btw, I do disagree with John and others' complaint about Paranoid Android on one point: if what APE does really is that bad (it may be, I don't know - I've never had a problem with it and I've used it for 1 or 2 years) then they should complain to Apple for it being even possible in the first place.
runscript capability have been superceded by Apple's Security Update 2004-05-24.telnet:// URLs will simply hand it off to the system, which in turn will pass it on to whatever happens to be the default telnet client on your Mac. If that telnet client (which might be Opera, if you have it configured as your default telnet client) happens to be vulnerable, the attack succeeds, even if you were using another Web browser to begin with. Paranoid Android protects against this one too.This was one of the very first comments on Slashdot:
I've got to hand it to Apple...
"help:runscript=..."
No double-decode, unicode obfuscation, or CMD.EXE parms. Even the exploits are user-friendly!
:)