The Mac Observer


Apple Releases Security Update To Address Help Viewer Exploit

by , 7:30 PM EDT, May 21st, 2004

Apple has released a security update to address the issue recently publicized by security firm Secunia. The vulnerability allows malicious scripts to be run just by getting someone to click a URL. The description of the update, which is called Security Update 2004-05-24, is sparse on details, merely saying that it updates HelpViewer, one of the weak links in the vulnerability. That description:

Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer

TMO recommends that you install this update now. It weighs in at a mere 712 KB. For related information on the flaw, read our coverage about how the flaw was discovered and made public.

Observer Comments

Name: RealityCheck - Troll Posts: 392 Joined: 06 May 2004
Subject: Apple Only Fixed After Media Spotlight
Name: Guest
Subject: RC

It's likely that Apple didn't know about the flaw. The person that discovered it didn't appear to go through the appropriate channels to inform them. His notice to Apple is probably heaped in with thousands of other emails that nobody's looked through yet. I wouldn't rush to fault Apple without knowing all the facts. It's not in their best interest to allow such a security risk to remain, even if it isn't public knowledge. That would be bad business and wouldn't make sense, given security is a major reason to buy a Mac.

Name: Guest
Subject: Get over yourself!

Oh my god! Apple didn't get an update out to a security bug that NOBODY HAS EVER BEEN ADVERSELY AFFECTED BY until it became public and then it took them 3 days to patch it! This is obviously proof that Mac users are at major security risk!

Apple is BAD and Microsoft is GOOD. PC users are smart and Mac users are stupid. Windows is Secure and OS X is riddled with holes.

Let's look at the score card:

1 user report of lost data from a trojan horse (distributed by P2P software which ensures it will never be widespread because as soon as it is executed it is removed from the P2P network, brilliant!). The loss was limited to user files and the core OS was not compromised.
Multiple proof of concept (non-damaging) exploits to a single help URI bug that was patched within 3 days of being made public.

As for Windows. I can't even keep up but I know that I have received HUNDREDS of virus infected emails from Windows users over the past month and personally made the mistake of connecting my work PC directly to the internet (not through my firewall) and within an hour I was hit by 2 RPC exploit viruses (without ever surfing the web or opening a single email).

So if it makes you feel better to try to attack the Mac platform and Apple, enjoy. But keep those firewalls up and virus scanners up to date and I'll spend my time getting things done.

Name: John F. Braun - TMO Staff Posts: 233 Joined: 11 Jun 2001
Subject: Seems to Work...

OK just installed the update, checked some of the proof-of-concept sites, and didn't experience any scary behavior that was exhibited before the patch. At worst, Help Viewer is launched, but that's it. And for those that installed Paranoid Android, it still identifies, and allows you to cancel, the help:// URL access attempt.

Since this exploit didn't do any actual damage, it seems the net effect is some bad (and sometimes over-hyped) PR in some sectors, the creation or advertising of some nifty new tools, and a hopeful raising of awareness of how malware works. Good thing we don't (yet?) have to worry about those nasty network-based viruses that tend to cripple the Internet and institutional networks.

We now return you to your regularly scheduled Mac experience...

Name: Guest
Subject:

John F. Braun: Of course you are wrong. You could make the computer run any application, if the provided script had the correct path. So, with the correct path, it is possible to run rm -r on your computer.

Name: Guest
Subject: Oh how terrible!

And exactly how many hundreds of computers did this affect? Oh wait, we're talking about Macs. All this virus talk and all, I was naturally just thinking about Microsoft.

Name: Guest
Subject:

Quote
Guest wrote:
John F. Braun: Of course you are wrong. You could make the computer run any application, if the provided script had the correct path. So, with the correct path, it is possible to run rm -r on your computer.


Um, I don't quite understand what you're trying to say. I installed the patch, and the following exploits no longer function:

http://bronosky.com/pub/AppleScript.htm
http://www.insecure.ws/safari/0x04_test.html

If you're aware of something new, please share it with us. If you're saying that it is possible for a user to run a script that can erase one's files, then I would have to agree with you.

Name: Guest
Subject: Paranoid Android and the Help Viewer

I had a long-winded comment to make, but I guess I drank too much Scotch.
Tell RC to shut his mouth or I'll come over there and shut it for him. Just kidding :-O. Actually I value his diametrically opposed opinions. It makes us sit up and think. I'm an avid Mac user and I think Apple should be bucking up not just on security but on the quality of their OS X software. I've used Macs since 1985 and while I love OS X there are still lots of bugs to fix (not to mention the aforementioned security problems).

I'm sure Apple will fix what needs to be fixed. But once again, tell RC to give informed and unbiased opinions.

P.S. Quite happy to answer e-mails on this

Malc

Name: won Posts: 20 Joined: 01 Sep 2003
Subject: Seems to be a popular type of exploit

http://securityresponse.symantec.com/avcenter/security/Content/10321.html

I suppose hackers that see this vulnerability on one platform will try to exploit it on others as well.

What I'm having trouble understanding is the date of the update. It's dated two days from now ("now" being the 22nd of May, 2004).

Could May the 24th be the intended release date for 10.3.4?

Just a stirrin' up the speculation!



won

Name: Guest
Subject: Help viewer fix-Earlier Panther & Jaguar versions?

It appears that only OS X 10.3.3 and 10.2.8 users are getting a fix from Apple. Some of us can't run the latest versions, due to bugs (undocumented features!).

I'm running 10.3.1, since I don't want my Palm synching to break. As I recall, there was also a reason I didn't go beyond 10.2.6 on another partition. If I had, something else would have broken.

Why won't Apple at least furnish Security fixes for older versions? And how should I protect myself?

Name: deasys Posts: 296 Joined: 08 Apr 2003
Subject: Re: Help viewer fix-Earlier Panther & Jaguar versions?

"I'm running 10.3.1, since I don't want my Palm synching to break."

I'm syncing my Palm just fine under 10.3.3.

Name: won Posts: 20 Joined: 01 Sep 2003
Subject: Re: RCDefaultApp

I type on behalf of those who won't or can't perform Apple's latest update.

I just noticed that RCDefaultApp's settings only apply to the current user when set, even if that user account is admin.

If more than one person is logged in but the admin user has only disabled the troublesome handlers from the admin account and one of the users has been to a compromised webpage that autoloads (inhale), I presume that user's account gets hoz0red.

In the background.

Unbeknownst to everybody until that user tries to login.

I suppose I'd recommend making sure you protect each account individually. In other words, log into each account on your machine and set the settings separately.

What settings? Why, these settings:

http://daringfireball.net/2004/05/unsafe_uri_handlers

and

http://daringfireball.net/2004/05/telnet_protocol


My theory may be flawed but I don't know where...



won

Name: Guest
Subject: Apple's patch doesn't fix the problem, just one symptom

Read the whitepaper on unsanity's website for more info:

<http://www.unsanity.com/haxies/pa/whitepaper>

Try the still existing vulnerability here:

<http://www.geekspiff.com/unlinkedCrap/innocousPage.html>

Download Paranoid Android here:
<http://www.unsanity.com/haxies/pa/>

Name: RealityCheck - Troll Posts: 392 Joined: 06 May 2004
Subject: Another Half-Baked Apple Solution
Name: reznorb5 Posts: 23 Joined: 24 Mar 2003
Subject: still vulnerable

As pointed out by "Guest", loading this address http://www.geekspiff.com/unlinkedCrap/innocousPage.html still allows the owned.txt to be created in your home directory. I applied Apple's patch and this still happens. Also, this is not limited to Safari, as it also worked in Firefox 0.8 and IE 5.2.3. Firefox and IE mounted the disk image, but initially stated they were unable to resolve the protocol for "malware:unused" nor was the app on the image launched (no "owned.txt" created). However, on reload, the exploit worked, just as the text in the page stated. A simple meta refresh in an offending page would have made it work.

The patch appears to have only updated the Help Viewer application. Note that Help Viewer is never launched nor does the disk image download appear in the download manager for any of the browsers used. The disk image is mounted directly from the http:/209.152.175.64/unlinkedCrap/osxMalware.dmg address, (using the OS' ability to mount images directly from an http address) thus removing the "Open 'safe' files after downloading" option in Safari does nothing to stop this.
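
The comments above describe pages that hand a URL with a non-web scheme (the help:// URL, the "malware:unused" protocol) to a helper application, and note that a meta refresh triggers this without a click. As an added example, not part of the original article or any comment, this Python script audits a page for such references; the allowlist of web schemes and the list of auto-loading tags are assumptions.

```python
# Added example: flag HTML that references or auto-navigates to a non-web URL scheme.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: schemes the browser handles itself; anything else is passed to
# whichever helper application the OS has registered for that scheme.
WEB_SCHEMES = {"", "http", "https", "mailto"}
# Assumption: tags whose URL attribute is fetched without any click.
AUTO_ATTRS = {"iframe": "src", "frame": "src", "img": "src",
              "embed": "src", "object": "data"}

class SchemeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (where, scheme, url)

    def _check(self, where, url):
        url = url.strip()
        scheme = urlsplit(url).scheme.lower()
        if scheme not in WEB_SCHEMES:
            self.findings.append((where, scheme, url))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content looks like "0; url=<target>"
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content") or "", re.I)
            if m:
                self._check("meta-refresh", m.group(1))
        elif tag in AUTO_ATTRS and a.get(AUTO_ATTRS[tag]):
            self._check(tag, a[AUTO_ATTRS[tag]])
        elif tag == "a" and a.get("href"):
            self._check("link", a["href"])

def audit(html):
    """Return every reference in `html` whose scheme is outside WEB_SCHEMES."""
    parser = SchemeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not copied from any site linked in the comments).
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="0; url=help://example.invalid/topic">
</head><body>
<iframe src="malware:unused"></iframe>
<a href="https://example.invalid/news">news</a>
<a href="telnet://example.invalid">shell</a>
</body></html>"""

if __name__ == "__main__":
    for where, scheme, url in audit(SAMPLE):
        print(f"{where:13} {scheme:8} {url}")
```

The meta-refresh and iframe findings matter most, since they fire on page load; plain links still require a click.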

Name: Guest
Subject:

Quote
RealityCheck wrote:
Before you Mac idolators start bowing before the greatness of Apple for fixing this massive security hole, notice that Apple did nothing for weeks until the media spotlight finally embarrassed Apple into action.


And just how many successful exploits do you know of as a result?

Name: DrD Posts: 41 Joined: 28 Apr 2003
Subject: All smoke with no fire

Quote
reznorb5 wrote:
As pointed out by "Guest", loading this address http://www.geekspiff.com/unlinkedCrap/innocousPage.html still allows the owned.txt to be created in your home directory.


ermm..no, can't say it does actually. Exploit worked before I applied the patch and now it doesn't. I'm happy with that. (Using 10.2.8)

I always had a problem with this being a 'dangerous' exploit anyway. The help viewer or disc image mounter appears unexpectedly giving a BIG clue that something isn't quite right and despite all the 'well it could be done' there wasn't any suggestion of how harm could be done reliably what with varying download locations and spaces not working with the command.

I would guess Apple had seen that yes this was an embarrassing flaw but not one that could do any reliable harm to a significant number of users. I'll remain a smug mac user with no OS X viruses (I'm ignoring that daft trojan recently given media coverage).

Name: dynamicv Posts: 51 Joined: 06 May 2004
Subject: Palm synching

works fine for me under 10.3.3. Try re-installing Palm Desktop.

Name: reznorb5 Posts: 23 Joined: 24 Mar 2003
Subject: All smoke with no fire

Quote
DrD wrote:
Quote
reznorb5 wrote:
As pointed out by "Guest", loading this address http://www.geekspiff.com/unlinkedCrap/innocousPage.html still allows the owned.txt to be created in your home directory.


ermm..no, can't say it does actually. Exploit worked before I applied the patch and now it doesn't. I'm happy with that. (Using 10.2.8)


Hit reload in the page once or twice. It will.

Name: otter Posts: 2 Joined: 19 May 2004
Subject:

Actually, they don't. On my system, running 10.2.8, their 'benign sample exploit' does nothing, no matter how many times I refresh. It doesn't after patching, and it didn't before patching, because I disabled Help's ability to run Applescripts. Their 'benign sample exploit 2', however, demonstrates some interesting behaviour: it launches my default FTP protocol helper, Fetch (because the Finder *SUCKS BALLS* at FTP), and displays the contents of the OSXMalware.app package.

Name: Guest
Subject: Poor RC!

RC is just upset cause people aren't paying this much attention to Linux. I can't understand why. I mean sure you can't do as much with Linux and it's not as cool, but why is that important? Poor RC.

Name: Billy K Posts: 297 Joined: 06 May 2004
Subject: That was quick

I don't pay much attention to these things (cause I don't own a Windows box - I don't have to!), but I've never, ever noticed a fix for an exploit come out so quickly after it was identified.

Kudos, Apple. I'm glad to see they take so much pride in OSX's reputation.

Name: Guest
Subject: Another Microsoft "First"

I see that the first 64 bit virus has been created, and of course, it affects Microsoft Windows!
