New "Serious" Security Flaw Found In OS X
by , 10:00 AM EDT, May 18th, 2004
Apple has had its share of security alerts recently, and now, Computer World of Australia is reporting that there is yet another serious security issue in Mac OS X. The vulnerability allows malicious scripts to be run just by visiting a Web site. From the article, Mac OS X hit with another serious security issue:
Lixlpixel has reported a vulnerability dealing with how basic Internet elements are addressed in the OS' help facility that allow arbitrary local scripts to be executed on a user's machine. It is also possible to place files in a known location on a system by asking users to download a ".dmg" disk image file. A default browser option in Explorer and Safari will mean a single user click is enough to drive the whole process.
The combination of the two holes, tested and confirmed by security experts Secunia, can therefore allow system access to be achieved "very simply" according to Secunia CTO Thomas Kristensen. The holes affect Safari 1.x and Explorer 5.x.
The solution is to change browser options and rename the help URI handler. More details are available on Secunia's site.
Get the full story at ComputerWorld Australia's Web site.
It's important to note, too, that a security hole found does not mean that anyone is currently attempting to exploit that hole.
The Mac Observer Spin:
Apple has been pretty good about issuing its security updates, and we imagine you'll see a new one soon that offers a more permanent fix for this problem. That said, there have been a number of such alerts of late, though this one seems more important than the others.
Indeed, while we would like to think that Mac users are smarter than your average bear, and that none of us ever click on spam/virus/malware-related links in e-mail, the fact is that there are always folks who do. Some of those folks are Mac users, too, and it's just that heretofore we haven't been spreading those Windows worms in the process. That's how these things spread, and we could see at least some Mac users duped into clicking on something they think was from Apple, for instance.
Even then, however, spreading anything that takes advantage of this exploit is the kind of situation where Security Through Obscurity actually does come into play. Fewer Mac recipients means that any potential exploit would spread far more slowly than Windows viruses and worms spread. Many anti-Mac partisans have suggested in the past that there weren't any Mac viruses because no one cares enough to write them. Whether or not that is true, it will definitely be harder for any virus creator to spread them on our platform.
With Apple's default security settings, Mac OS X's default software update settings, and the fact that there haven't been any exploits found that allow the bad guys to hijack your e-mail address book on the Mac, even if someone does decide to try and exploit this hole, they likely and hopefully won't get far.
Observer Comments
Tue May 18, 2004 10:32 am Subject: Apple Security Like Swiss Cheese
This is a very big deal that shouldn't be taken lightly. I almost crapped myself when I clicked on a link to tell me more information about the security hole. Terminal opened up and started running a command that I didn't "tell" it to do. There is a fix to this flaw from macupdate called "Don't go there GURLfriend"
http://www.macupdate.com/info.php/id/14992
Also, if you would like to read up on this and try out the flaw:
http://bronosky.com/pub/AppleScript.htm
I hope Apple fixes this soon.
Tue May 18, 2004 11:00 am Subject: It is EXTREMELY SERIOUS..and you are very wrong.
I actually took time out of my day to post here, because I think enough is enough. Brian is obviously still high off his "victory" over Enderle, and is brushing off a real live "take 'em down Mac OS X" remote exploit as "you have to be gullible to click a link..nothing to see here", which is a GROSS OVERSIMPLIFICATION OF WHAT IS GOING ON.
here is a non-destructive, but more graphic example: http://bronosky.com/pub/AppleScript.htm
This is mindless boosterism at its best:
"Even then, however, spreading anything that takes advantage of this exploit is the kind of situation where Security Through Obscurity actually does come into play. Fewer Mac recipients means that any potential exploit would spread far more slowly than Windows viruses and worms spread. Many anti-Mac partisans have suggested in the past that there weren't any Mac viruses because no one cares enough to write them. Whether or not that is true, it will definitely be harder for any virus creator to spread them on our platform."
NO no kids, this is APPLE INCOMPETENCE, plain and simple. There is NO WAY IN HELL someone should be able to run *anything* on a computer by calling a url! This is classic MSFT hole action here people.
Easy spyware installs, simple trojaning, or even a well crafted url and wipe wipe wipe.
I can't believe a site that wants to be important and responsible could be as cavalier about this as TMO has.
"With Apple's default security settings, Mac OS X's default software update settings, and the fact that there haven't been any exploits found that allow the bad guys to hijack your e-mail address book on the Mac, even if someone does decide to try and exploit this hole, they likely and hopefully won't get far."
Not a programmer, huh? I submit that every other programmer and IT person I know recognized this as what it is: The beginning.
I think you should *investigate* next time before applying the spin.
People: fix your own machine! Rename the folder /Library/Documentation/Help to something else.
Don't even bother downloading a 3rd party fix....its too easy to trojan. Either fix it yourself or wait for apple to.
Tue May 18, 2004 11:04 am Subject: first time I feel insecure
As you say, it's not likely this will turn into a real problem, but this is the first time since OS X beta that I feel a bit like a Windows user - having to think twice before clicking/downloading/installing.
As such, this is the most effective "possible" yet.
What I don't understand is WHY IS THIS PUBLISHED ?!?!?
Did they contact Apple, was Apple not cooperating/communicating, and after a long enough time of neglect from Apple, did they only then decide to publish the exploit?????
If not, they are flaming, bleeding assholes.
BTW: congrats on the forum.
Tue May 18, 2004 11:15 am Subject: Lixlpixel claims 2 mos.
Lixlpixel claims 2 mos. ago was when Apple was told about this. And the reason its published is *so you can protect yourself*...that is what security advisories are for.
The suggestion of otherwise is *exactly* how MSFT got into the sitch they are in...trying to squelch, then downplay the holes.
With "Apple's default settings" this exploit can be triggered via email, or sig links...META-Refresh...the mind reels at the possibilities in the hands of the competent and motivated.
-K
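An added example, not code from this thread or from Apple, of the kind of triage check a mail gateway or proxy could run once the chain K describes is understood: a small Python scanner over a constructed HTML fragment that flags the pieces the posts name (a .dmg download, a disk:// URI, a help: URI) including ones reached through a META refresh, hidden behind entity encoding, or written in mixed case. The targets in SAMPLE_PAGE are made-up placeholders, not the published proof of concept, and the scanner is a detection aid rather than a fix; the fix is to close the handlers, as later posts discuss.

```python
import html
import re

# The thread describes a two-part chain: a .dmg that Safari downloads and
# auto-mounts to a predictable path, then a help: URL that makes Help Viewer
# run a script from that path. disk:// is the URI form of the first part.
RISKY_SCHEMES = {"help", "disk"}

# href/src/action attribute values, quoted or bare.
ATTR_URL_RE = re.compile(
    r"""\b(?:href|src|action)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)
# <meta http-equiv="refresh" content="0;url=..."> redirects.
META_REFRESH_RE = re.compile(
    r"""<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']([^"']*)["']""",
    re.I | re.S)


def normalise_url(raw):
    """Undo the cheap tricks that hide a scheme from a naive grep:
    entity encoding (&#104;elp:) and control characters or whitespace
    inside the scheme, which browsers of the era silently discarded."""
    url = html.unescape(raw)
    return re.sub(r"[\x00-\x20]", "", url)


def scheme_of(url):
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", url)
    return m.group(1).lower() if m else None


def classify(url):
    """Label one URL as 'help-uri', 'disk-uri', 'dmg-download', or None."""
    url = normalise_url(url)
    scheme = scheme_of(url)
    if scheme in RISKY_SCHEMES:
        return scheme + "-uri"
    path = url.split("?", 1)[0].split("#", 1)[0]
    if path.lower().endswith(".dmg"):
        return "dmg-download"
    return None


def find_risky_urls(document):
    """Return (source, normalised_url, label) for every risky link in an
    HTML page or HTML e-mail body: attributes first, then meta refreshes."""
    findings = []
    for m in ATTR_URL_RE.finditer(document):
        raw = next(g for g in m.groups() if g is not None)
        label = classify(raw)
        if label:
            findings.append(("attribute", normalise_url(raw), label))
    for m in META_REFRESH_RE.finditer(document):
        content = m.group(1)  # "<seconds>;url=<target>"
        target = content.split(";", 1)[1] if ";" in content else ""
        target = re.sub(r"^\s*url\s*=\s*", "", target, flags=re.I)
        label = classify(target)
        if label:
            findings.append(("meta-refresh", normalise_url(target), label))
    return findings


# Constructed sample; the targets are placeholders, not the published PoC.
SAMPLE_PAGE = """<html><body>
<a href="https://www.apple.com/support/">Apple Support</a>
<a href="http://example.invalid/Update.dmg">Download the "update"</a>
<a href="HeLp:example-target">More info</a>
<img src="&#100;isk://example.invalid/payload.dmg" width="1" height="1">
<meta http-equiv="refresh" content="0;url=help:example-target">
</body></html>"""

if __name__ == "__main__":
    for source, url, label in find_risky_urls(SAMPLE_PAGE):
        print(f"{label:13} {source:12} {url}")
```

Run it as a script to see the four findings from the sample; in practice you would feed it message bodies from the mail spool or proxy logs. Note that a bare `.dmg` link is only half the chain and will produce false positives on legitimate software downloads, so treat that label as lower confidence than `help-uri`.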
Tue May 18, 2004 11:27 am Subject:
Tue May 18, 2004 11:50 am Subject: isn't this how SpyWare gets installed on WinTel machines?
Tue May 18, 2004 11:58 am Subject: Proof that Apple market share is growing
Tue May 18, 2004 12:08 pm Subject: About Spyware on Win32
That is a very, very complex subject. In most cases spyware is installed via a "bundle" in some other app you actually thought you wanted. Most of these are IE "toolbars".
I'm not going to go into the myriad ways the disk:// and help: can be combined to do all sorts of neat things, like install a keylogger.
Like I said in an earlier post, those that know OS X know how easily this could get out of hand...and i'm talking addressbook mass remailing out of hand.
Tue May 18, 2004 12:19 pm Subject: Renaming Help?
Tue May 18, 2004 12:32 pm Subject: Help will work in apps...
Help will work in apps... But the main MacOS Help will not.
There are fixes that change the applescript, but in this instance, before a fix comes from apple, I think that is the best approach, because it fixes this particular problem on a systemwide level that is easy to undo before applying an apple supplied patch...as I am sure there are a couple more of these things inside other apple apps somewhere.
9:30AM on the west coast...not a peep yet from Apple Corporate. Wonder how long its going to take.
Apple should really be up front about this one; if not i doubt from here on out they'll get the courtesy of being informed up front in the future.
Tue May 18, 2004 12:35 pm Subject: I'd say a proof of concept that mods your machine...
Tue May 18, 2004 1:12 pm Subject: Question for "Mrkai" (or anyone else)
MrKai wrote:
here is a non-destructive, but more graphic example: http://bronosky.com/pub/AppleScript.htm
...
People: fix your own machine! Rename the folder /Library/Documentation/Help to something else..
1- I tried this (oh Boy!) so that I could test the fix and maybe see the file in question. I looked in /Library/Documentation/Help at both HD & User levels but saw no changes.
2- I had previously changed the name of the "Help" directory - but Safari, apparently, created a new "Help" directory.
Tue May 18, 2004 1:33 pm Subject: New help directory created
Rename /Library/Documentation/Help to Help(Rename) or similar then open terminal app and type the following....
ln -s /dev/null /Library/Documentation/Help
This stops all the scripts from running for me so far... Help still launches but is blank and no terminal.... Downfall is none of your help files will work until Apple fixes this... To reverse just delete the "Help" link and Rename Help(Rename) back to Help.
Tue May 18, 2004 1:44 pm Subject: Apple Security Not Ready For Prime Time
Tue May 18, 2004 2:30 pm Subject: neither is Winblows
RC, after all these years, the words 'windows' and 'security' are still used in the same sentence, only when discussing how to actually MAKE windows secure. Apparently, it's the holy grail of our time; I certainly haven't heard anyone boasting that windows is 100%, 80%, or even 50% solid, in terms of holes, leaks, viruses, worms, trojans, and basic structural integrity.
If by your statement above you are implying that windows IS ready for prime time, then I suggest you take the word 'prime' and change it to 'primitive'. That would be more appropriate.
Tue May 18, 2004 2:34 pm Subject: How is script triggered?
TURN OFF the "Open 'safe' files after downloading" option in Safari (or whatever equivalent browser). Do it NOW.
This hack exploits two different problems: First, that a web site can put a script on your hard disk at a specific location. It does this by downloading a dmg and having it auto-mount (if Safari's auto-open feature is on). Then it uses the help system to run that script. The script, at that point, can do ANYTHING IT WANTS. Now, if you set Safari not to auto-mount dmg files, then the hole is almost completely plugged.
I say "almost" because I suppose the same thing could be accomplished by downloading the script directly rather than embedding it in a DMG. However, this wouldn't be as reliable for the hacker as the DMG approach, because it would download the script to the user's default download directory, which the web site couldn't know, and the site would need to know the exact location of the script for the hack to work. Still, someone could simply assume the script would be downloaded to the desktop, and that would probably nail a good many users.
So if you can't get MrKai's fix to work, I recommend 1) Turning off that stupid option in Safari, and 2) Setting your default download directory to something not obvious, like Desktop/Really_Obscure_Folder_Name_That_Noone_Could_Guess_asdjkvnwfhuif/. I'm pretty sure that would be enough to get the job done. Please, please, PLEASE correct me if I'm wrong!
Oh, and Apple: Shame on you.
Tue May 18, 2004 2:44 pm Subject: A nasty problem..
I read about this, and various article comments, on another site earlier. I clicked a test link and saw it in action: one click, and a chain starts that ends up running a command in Terminal. Renaming the Help folder stops it from going too far, but the problem is really in Help Viewer itself, not in the browsers, which ALL seem to work with the exploit.
Funny how Microsoft just had a similar exploit related to their Help system:
http://www.microsoft.com/technet/security/bulletin/ms04-015.mspx
Are these guys swapping code, or what?
Another serious security flaw???? What was the first "serious" security flaw? From what I read, one guy had his files deleted while trolling for illegal software--is that the sum of damage--one fool's computer?
There are days when I can feel the web slowing down from the preponderance of infected Windows machines. This is a lot of negative coverage for "flaws" that have never been exploited. I'm suggesting that "this" is the first "serious" security flaw (a Word-demo AppleScript is no more a security flaw than my 3-year old dragging all my files into the trash).
probably visit 10-12 websites regularly per day, usually while they're working, definitely not business related, and on company time. That said, the "hole" would have to be on one of these few sites and thus the site's responsibility in fact. You can't maliciously post code to somebody else's site...it's just that simple. Unless you've stolen their password to their server. Thus, if you get this AppleScript exploit, you can pretty much figure out where it came from. If you surf these same sites daily, BLAME THEM if you get this bug.
As a rule, I am very careful of where I surf. I don't go willy nilly into the unknown. Who has the time. I NEVER CLICK ON AN AD ON ANY SITE. Web advertising is a total waste of time if people ever considered it. They lead to popups, places you don't want to go, and just distract you from your purpose of information gathering. I hope Google changes their mind and doesn't go with banner ads.
But then again, I don't read ads in magazines, the newspaper, and I certainly don't buy products advertised on TV. I am the marketing and advertising nemesis.
Want to know the irony in this? I have degrees in broadcasting and mass communications. I know better than to fall for the traps that are laid for consumers.
In the melodic, immortal words, "Free your mind, and the rest will follow."
Tue May 18, 2004 6:32 pm Subject: Google filter? But really low risk-think about it
As another market leading move, Google could look for the signs and disregard or eliminate them.
On the other hand, unlike e-mail, web sites are more permanent and if this was used with malicious intent the perpetrator would be pretty easily found. As someone above pointed out, others cannot add this to someone else's web site.
Even if used in conjunction with a mass e-mail, sending attractive links to a web page with this code resident, it could be shut down and prosecuted very quickly.
I'd just like to point out that even in the Classic OSes, AppleScripts can be used to wreak havoc on the system. There have been ways to "auto-initiate" scripts for some time, and as the fake Office beta software showed us, scripts can be disguised so that unsuspecting users could open them up.
Yes it's true with the unix underpinnings and the way Safari and self-mounting disks work, this is a greater security risk now. But anyone who knows AppleScript could tell you there are a number of ways for a Mac to run malignant programs. Place the program in the Startup Items folder, AppleScript over IP, the help software has embedded scripts since Mac OS 8.5, and there have been modules made that mimic these AppleScript links for web browsers as well.
I'm not blaming AppleScript, because any automation or run-time software is capable of being misused. And Apple can't simply strip the functionality to remove the security risks, because you'd be removing a lot of what regular, decent scripts use as well. I see the issue being setting the default options Safari and Disk Images have to more secure settings, and notifying the user when activity is occurring outside the downloads folder, or requiring passwords before these actions are allowed to continue.
One reason many of these malware programs haven't spread like Windows viruses tend to is because of Microsoft's monopoly. Because the majority of people using Windows use the default e-mail client, virus writers can target this specific program. There are 4 major Mac e-mail clients I can think of: Eudora, Mail, Entourage, and Outlook Express. Each mail client handles scripting differently, and therefore a malware writer would have to write 4 different versions of the AppleScript to take into consideration each e-mail client. Now that Mail comes standard on every Mac, they could simply write the script for Mail, but there's no guarantee that the person uses Mail (and therefore might not have addresses stored in Address Book).
Looking at the e-mail client situation, I see the importance being the uniqueness of how the computer is set up (I have found, Mac users take great pride in how their system is set up, and what the hard drive is named). In Classic OSes for example, you could store your applications in the "Fun Stuff" folder if you wanted to. I think the key to security issues is to bring back to computing the uniqueness to each individual computer (whether that be to implement a unique key that is used to run applications, or devising a system structure that is unique to each computer--as people have commented, changing the folder names have been able to stop the malware--or simply giving more freedom/flexibility to the user on how their computer works). Of course this would create problems for regular programs. The key is to throw off the malware. There are certain things it must assume, and if we can make those items varied, updating, or changing, then we can stop the malware. Again, one reason why malware is such an issue with Windows is because of how rigid the system structure is. And this is why Unix is presenting a bigger problem in malware than the Classic MacOS.
Inside the Help.app package, there is a file named Info.plist. This is an XML property list document. In it is a field that controls Help's ability to run Applescripts.
Find the field named "NSAppleScriptEnabled" and change the boolean value to "No". This will prevent the script from running. I have tested this, and so have other people, and it works. Safari will download the image, mount it if allowed, Help will launch, and that's it. No need to disable Help at all, although not auto-opening files is still a very good idea.
See more at MacCentral.
[Edited to turn the LONG URL into a short link. - Bryan]
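An added example that serves both the two-stage description in the "How is script triggered?" post above and the Info.plist change in this one; it is not code from the thread or from Apple. It audits and hardens the two settings those posts identify, using Python's plistlib: Safari's AutoOpenSafeDownloads key (the "Open 'safe' files after downloading" option, which closes the auto-mount half of the chain) and Help Viewer's NSAppleScriptEnabled key (which closes the script-execution half). The file paths are assumptions about a 10.3 system (Help Viewer's bundle location and the Safari preferences file), the sample plists are constructed, and the "YES" string form of the key is handled because Info.plist files sometimes carry booleans as strings rather than as <true/>.

```python
import plistlib
from pathlib import Path

# ASSUMED locations; confirm them on the machine you are hardening.
SAFARI_PREFS = Path("~/Library/Preferences/com.apple.Safari.plist")
HELP_VIEWER_INFO = Path("/System/Library/CoreServices/Help Viewer.app/Contents/Info.plist")

# Constructed samples in the state the thread reports for a default install:
# auto-open on, Help Viewer scriptable (written here as a YES string).
SAMPLE_SAFARI_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AutoOpenSafeDownloads</key>
    <true/>
</dict>
</plist>
"""
SAMPLE_HELP_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>CFBundleIdentifier</key>
    <string>com.apple.helpviewer</string>
    <key>NSAppleScriptEnabled</key>
    <string>YES</string>
</dict>
</plist>
"""


def _is_enabled(value):
    """Treat both <true/> and the string forms YES/TRUE/1 as enabled."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().upper() in ("YES", "TRUE", "1")


def audit(safari_plist, help_info_plist):
    """Report which half of the chain each plist still leaves open."""
    safari = plistlib.loads(safari_plist)
    info = plistlib.loads(help_info_plist)
    return {
        # Safari shipped with the option on, so a MISSING key means the
        # risky default is in effect; default the lookup to True.
        "safari_auto_opens_downloads": _is_enabled(safari.get("AutoOpenSafeDownloads", True)),
        # Help Viewer will execute AppleScript from help: URLs.
        "help_viewer_applescript": _is_enabled(info.get("NSAppleScriptEnabled", False)),
    }


def harden(safari_plist, help_info_plist):
    """Return hardened copies of both files as XML plist bytes."""
    safari = plistlib.loads(safari_plist)
    info = plistlib.loads(help_info_plist)
    safari["AutoOpenSafeDownloads"] = False  # stage 1: no auto-mount of a downloaded .dmg
    info["NSAppleScriptEnabled"] = False     # stage 2: Help Viewer runs no scripts
    return plistlib.dumps(safari), plistlib.dumps(info)


def harden_files(safari_path=SAFARI_PREFS, help_info_path=HELP_VIEWER_INFO):
    """Apply harden() in place, keeping a .bak copy of each original so the
    change can be reverted before Apple's own patch is installed.
    Writing the Info.plist under /System needs root; quit Safari first so
    it does not overwrite its preferences on exit."""
    paths = [Path(p).expanduser() for p in (safari_path, help_info_path)]
    originals = [p.read_bytes() for p in paths]
    hardened = harden(*originals)
    for p, before, after in zip(paths, originals, hardened):
        p.with_name(p.name + ".bak").write_bytes(before)  # revert: mv X.bak X
        p.write_bytes(after)


if __name__ == "__main__":
    print("constructed sample:", audit(SAMPLE_SAFARI_PLIST, SAMPLE_HELP_INFO_PLIST))
    if SAFARI_PREFS.expanduser().exists() and HELP_VIEWER_INFO.exists():
        print("this machine:", audit(SAFARI_PREFS.expanduser().read_bytes(),
                                     HELP_VIEWER_INFO.read_bytes()))
```

Running the script reports both settings for the constructed sample and, if the assumed paths exist, for the machine it runs on; call harden_files() as root to apply the change. Turning off NSAppleScriptEnabled is the narrowest of the fixes in this thread because Help Viewer keeps working; renaming the Help folder or re-pointing the help: handler (as the MisFox post below does) are coarser alternatives that also block the second stage.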
Wed May 19, 2004 9:13 am Subject: Good Versus Evil
What's really annoying about this one is that features that were meant for good purposes, such as using a standards-based method of handling help requests (help://) and using the power of a scripting language to make help more effective, can be used for nastiness, as we've seen with this exploit.
This is a classic example of balancing usability and security. As with other environments that use the power of a scripting language (Word macros, VBScript) do you really want the OS to prompt you every time a potentially harmful action could be executed? Well, maybe you would if you are ultra-paranoid, but it would make using your machine a pain.
Hopefully, Apple's solution to this problem will help balance security and usability. Just as Mac OS X will prompt a user for a password before installing an application, hopefully their solution to this problem will flag really dangerous stuff. For example, I can't think of a good reason to allow "rm -fr" since there are other, more straightforward ways to remove files from one's drive.
One way to deal with a part of this exploit is to change the handler for a help:// URL. This little program called MisFox can accomplish this, and also let you muck around with some other interesting settings:
http://www.clauss-net.de/misfox/misfox.html
Guest (before he registered!!) wrote:
Inside the Help.app package, there is a file named Info.plist. This is an XML property list document. In it is a field that controls Help's ability to run Applescripts.
Find the field named "NSAppleScriptEnabled" and change the boolean value to "No". This will prevent the script from running. I have tested this, and so have other people, and it works. Safari will download the image, mount it if allowed, Help will launch, and that's it. No need to disable Help at all, although not auto-opening files is still a very good idea.
See more at MacCentral.
[Edited to turn the LONG URL into a short link. - Bryan]
Thanks, Bryan. I'm still not used to the new system.
"... I think the key to security issues is to bring back to computing the uniqueness to each individual computer...Of course this would create problems for regular programs...one reason why malware is such an issue with Windows is because of how rigid the system structure is. And this is why Unix is presenting a bigger problem in malware than the Classic MacOS."
Very good point. A few years ago, I had a senior manager ask me what would have countered the Melissa Virus, and he didn't like my answer: be willing to pay the extra IS support dollars to run a HETEROGENEOUS OS environment. The simple action of having half your office on PC's and half on Mac, and for each of these to each be 50/50 split between two email programs means that 99% of the malware viruses will probably mean that 75% of your office will be unaffected.
Security ALWAYS costs more, and homogeneous populations ALWAYS get wiped out...doesn't matter if we're talking PC's or Smallpox. Yet nevertheless, the approach in most businesses is to standardize on Windows because they think standardization is cheaper.
FWIW, a simple and interesting idea that might help to muck up Malware would be a simple script that runs when a new Mac is first turned on. All it does is help the User create a unique HD name to break up the homogeneity. You could also store the seed/key and make all of the OS directories quasi-unique names too (help_12345); anything wanting to "learn" the unique path structure would need the key, and you can make that a permission item so as to limit & control malware access.
-hh