Monday's Mac Gadget
by John F. Braun
Need to Protect Your Mac from Malware? You Need These Gadgets!
RCDefaultApp 1.1 (Freeware)
Rubicode
Paranoid Android 1.1 (Freeware)
Unsanity
This has certainly been an exciting week in the Mac security arena. There was the report of a serious security flaw in Mac OS X, as well as an update which addresses some of the initial exploits. Since the update, some new exploits have been identified. These exploits touch different parts of Mac OS X, including URL and "safe" file handling, and the execution of a hostile AppleScript.
Unlike some other types of malware, such as worms that spread over a network and are very difficult to track, most of the recent exploits require visiting a Web page that contains the malware. This means it would be relatively easy to identify the site serving the hostile content, but that doesn't mean some script kiddie won't try (a complete writeup about these exploits can be found at Unsanity). Fortunately, the Mac community has responded quickly, and there are tools you can use not only to protect against malware, but also to customize how Mac OS X deals with URLs.
Safari and other programs use the scheme of a URL to decide which program should process a request. The http:// type is the most common, but there are others that you may not be aware of, such as disk://, which downloads a disk image and mounts it. The ability to examine and change these mappings has varied with each version of Mac OS; the most recent version hides them pretty well, but the folks at Rubicode have come up with RCDefaultApp, a spiffy preference pane that will let you examine and change URL and other low-level Mac OS X settings.

Examine and Configure Your URL Handlers
RCDefaultApp presents all of this information using a clean, sensible layout. As shown above, clicking on the "URLs" portion of the pane shows each registered URL type, and displays the application, as well as the directory path to the application.
In addition to helping you learn more about how Mac OS X operates, you can also use this feature to improve your system's security by redirecting or disabling requests for certain URL types. For example, the disk:// handler is convenient, since it mounts a disk image as soon as it has been downloaded, but some of the reported exploits take advantage of exactly this mechanism. Therefore, you may want to disable handling of disk://, just to be safe.
Concerning the issue of disk mounting, you may also want to configure Safari not to automatically open "safe" files after downloading. Inconvenient? Sure, but this is the dance between usability and security that every operating system has to deal with; Mac users just didn't need to deal with this balance until recently.
RCDefaultApp also allows you to examine and change some other settings. The "Extensions" portion will let you see what application is configured to handle each file extension, which is the value that is after the period, such as ".jpg" for a JPEG graphic image. The "File Types" setting is another file attribute that is used to determine which application should handle a file. Sure, you can access these settings on a per-file basis by using "Get Info," but RCDefaultApp is much more convenient. Finally, there's a way to configure the handler for each major Internet application (Web, E-mail, News and FTP) and which application should be used for a file with a specific MIME type.
Another application that we found helpful in detecting existing and new security exploits is a "haxie" called Paranoid Android (any Hitchhiker's fans out there?) from the folks at Unsanity. Paranoid Android will watch URL access attempts, and display a dialog when a request for an unusual or risky type of URL is made.

Paranoid Android Detected a Risky URL
For all of the identified exploits, Paranoid Android can intercept the request and let you deny it, so that it poses no risk. You can of course allow a request, but only if you know the server it is coming from. The other type of exploit that Paranoid Android protects against is the launching of a handler for an unknown URL type. Normally, an application that declares its own URL type (for example, one sitting on a disk image that has just been mounted) is registered as the handler for that type and can be launched by a Web page without any user intervention. Malware could use this to do nasty things to your system. If you observe a request for an unusual URL type, deny it unless you know why the request is being made.
So make sure you not only understand more about how your Mac operates, but protect against security exploits, and get RCDefaultApp and Paranoid Android now!
Have any other Gadgets that help secure your Mac? Send an e-mail to John and he'll check it out.
Monday's Mac Gadget is here to help you with those cool things that we all just have to have on our Macs. Shareware, Freeware, Postcardware, Emailware, and even commercial apps, Monday's Mac Gadget is here to help you find and use the best of these programs.
John is a software engineer who works in the corporate R&D group of a Fortune 500 company, focusing on all aspects of communications technology. He has several degrees that claim he knows what he's doing when it comes to computers. After watching co-workers reinstall Windows, search for device drivers, and experience other horrors during the day, he's glad that he comes home to a Mac (compatible) computer. Have any comments, suggestions, or favorite Gadgets? Drop John a line at
Observer Comments
Mon May 24, 2004 11:42 am Subject: Why You Don't Need Paranoid Android...
Interesting read as always from John Gruber at Daring Fireball
"disk:// which can act on a disk image that you've previously downloaded."
Your story isn't quite accurate, or at least doesn't sound accurate. The exploit can be used to download a disk image and then execute malicious code within it. Later on it clarifies, but this is something not to mislead users about.
For more clarification, check out Daring Fireball
In essence the exploit happens thusly:
- You click on a link (or visit some web page containing some meta refreshes with no user input needed).
- Said link could be a javascript function (or just a disk://somedisk.dmg)
- Once downloaded (and if you have, for e.g., Safari set to open such 'safe files' by default) it is automatically mounted by the Finder (potentially without the user realizing it) at which point any application found at the top level of the image which may happen to contain information about a custom URL scheme (e.g., malware://) registers itself with Launch Services as the default application for said scheme.
- After a couple of seconds the web page issues a request for said scheme, which is then passed off to Launch Services by the browser, and thus the application is launched - and potentially any of your files that you have privileges over are cooked....
Recommended solution is using RCDefaultApp to disable disk, disks, telnet, ftp, afp, x-man-page URL schemes. Again, have a read of Daring Fireball for further info...
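The chain described in the comment above, and the column's two pieces of advice (disable the disk:// handler; deny requests for unusual or unregistered URL types), as an added example that is not code from the column, Rubicode or Unsanity. It reads the real Info.plist keys CFBundleURLTypes and CFBundleURLSchemes that an application uses to declare a custom URL scheme, but the application bundles it scans (Mail.app, and an Evil.app on a "mounted image" that declares a malware: scheme) are constructed in a temporary directory so it runs anywhere; on a Mac you would point scan_bundles() at /Applications and the top level of a mounted volume instead. The RISKY_SCHEMES list is taken from the comment's recommendation; EXPECTED_SCHEMES is an assumed allowlist.

```python
"""Enumerate URL-scheme handlers declared by .app bundles and gate URL requests
the way a Paranoid Android-style watcher would (added example, not the tools'
own code).  Bundles are constructed in a temp dir so the script runs offline."""
import os
import plistlib
import tempfile
from urllib.parse import urlsplit

# Schemes the reader comment recommends disabling with RCDefaultApp.
RISKY_SCHEMES = {"disk", "disks", "telnet", "ftp", "afp", "x-man-page"}
# Assumed allowlist of schemes a browser normally hands off without question.
EXPECTED_SCHEMES = {"http", "https", "mailto", "file"}


def scan_bundles(roots):
    """Return {scheme: app_path} for every .app directly under each root whose
    Info.plist declares CFBundleURLTypes (one level deep, like the top level
    of a mounted disk image that Launch Services registers automatically)."""
    registry = {}
    for root in roots:
        for name in sorted(os.listdir(root)):
            info = os.path.join(root, name, "Contents", "Info.plist")
            if not name.endswith(".app") or not os.path.isfile(info):
                continue
            with open(info, "rb") as f:
                plist = plistlib.load(f)
            for url_type in plist.get("CFBundleURLTypes", []):
                for scheme in url_type.get("CFBundleURLSchemes", []):
                    # First registration wins here; real Launch Services has
                    # its own tie-breaking, which RCDefaultApp lets you override.
                    registry.setdefault(scheme.lower(), os.path.join(root, name))
    return registry


def classify_url(url, registry):
    """Decide (action, reason) for a URL before it is passed to Launch Services."""
    scheme = urlsplit(url).scheme  # urlsplit already lower-cases the scheme
    if not scheme:
        return "deny", "request has no scheme"
    if scheme in RISKY_SCHEMES:
        return "deny", f"{scheme}: is disabled by policy"
    if scheme in EXPECTED_SCHEMES:
        return "allow", f"{scheme}: is a normal browser scheme"
    handler = registry.get(scheme)
    if handler is None:
        return "deny", f"{scheme}: has no registered handler"
    # Registered but unusual: this is the dialog Paranoid Android shows.
    return "prompt", f"{scheme}: would launch {handler}"


def make_bundle(root, name, schemes):
    """Write a minimal Name.app/Contents/Info.plist declaring URL schemes
    (constructed test fixture, not a real application)."""
    contents = os.path.join(root, name, "Contents")
    os.makedirs(contents, exist_ok=True)
    plist = {
        "CFBundleIdentifier": "example." + name[:-len(".app")].lower(),
        "CFBundleURLTypes": [{"CFBundleURLSchemes": list(schemes)}],
    }
    with open(os.path.join(contents, "Info.plist"), "wb") as f:
        plistlib.dump(plist, f)


def demo():
    """Walk the exploit chain: disk:// request, then malware:// before and
    after the image's Evil.app has been registered by mounting."""
    with tempfile.TemporaryDirectory() as tmp:
        apps = os.path.join(tmp, "Applications")
        image = os.path.join(tmp, "Volumes", "evil")  # stands in for the .dmg
        os.makedirs(apps)
        os.makedirs(image)
        make_bundle(apps, "Mail.app", ["mailto"])
        make_bundle(image, "Evil.app", ["malware"])
        before = scan_bundles([apps])          # before the image is mounted
        after = scan_bundles([apps, image])    # after Finder mounted it
        return {
            "disk_request": classify_url("disk://attacker.example/evil.dmg", before),
            "malware_before_mount": classify_url("malware://run", before),
            "malware_after_mount": classify_url("malware://run", after),
            "evil_handler": after.get("malware"),
        }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:22s} {result}")
```

Run as-is it prints the three decisions: the disk:// request is denied outright, malware:// is denied while nothing handles it, and the same malware:// request becomes a prompt naming Evil.app once the image's bundle is in the registry, which is exactly the window the comment describes. To audit a real machine, replace the constructed roots with `/Applications` and each entry under `/Volumes`.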