Analysis - More Mac OS X Vulnerabilities Exist (i.e. we're not safe yet!)

by , 3:30 PM EDT, May 24th, 2004

While we all breathed a heavy sigh of relief on Friday when Apple's latest security update was released, it is important to note that it does NOT stop all of the various types of "URI" attacks that have been reported as of late. Specifically, it only applies to the "help:"-based attack, and does nothing to prevent the "disk(s):" or "telnet:"-based threats.

All of these referenced vulnerabilities relate to the convenience that has been built into today's web browsers. Not every function can be performed by a web browser (nor would you want it to be), so the browser intelligently interprets the URI and, if appropriate, launches the proper helper application to complete the requested task. For example, when you click on a "help" link, it can launch Apple's Help Viewer, and when you click on a disk image, it launches the disk image mounting application, so as to facilitate the task at hand and, frankly, to make your life easier. This comes at a cost, though -- for if you click on a link of whose origin you're not entirely certain, you run the risk of passing off a potentially problematic script to any one of these helper applications. These apps, in turn, do as they are told, and that can open up some significant holes.

In the case of the "disk:"-based problem, any URI with "disk:" or "disks:" will cause the contents to be opened by the disk mounter application which, in turn, will run any scripts contained in the image. The problem is quite similar with the "telnet:"-based attack, which launches the terminal and, essentially, will execute any command it is given. Those scripts or commands have free rein over any files which you can write (including everything in your home directory), and can quickly and easily change or delete important files, like documents or settings. It's also technically possible that these scripts could be used to send sensitive data BACK to their originator, causing even more problems.
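As an added example (not code from the original article or from Unsanity), here is a small Python audit that classifies the links on a page by URI scheme, in the spirit of the helper-application watcher described in this article: ordinary web links pass, links whose scheme would be handed to a helper application (help:, disk:, disks:, telnet:) are reported for review. The scheme extraction follows the RFC 3986 syntax, lower-cases the scheme and strips leading whitespace, since browsers ignore both; the allow-list and the sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Schemes this article describes as being dispatched to helper applications.
HELPER_SCHEMES = {"help", "disk", "disks", "telnet"}
# Assumed allow-list of schemes the browser handles itself (constructed).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*):")


def uri_scheme(href):
    """Return the lower-cased scheme of href, or None for a relative link.
    Leading whitespace is stripped first because browsers ignore it."""
    m = SCHEME_RE.match(href.strip())
    return m.group(1).lower() if m else None


class LinkCollector(HTMLParser):
    """Collects every href attribute value seen while parsing."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)


def audit_links(html):
    """Classify each href in html; returns (allowed, helper, other) lists."""
    parser = LinkCollector()
    parser.feed(html)
    allowed, helper, other = [], [], []
    for href in parser.hrefs:
        scheme = uri_scheme(href)
        if scheme is None or scheme in ALLOWED_SCHEMES:
            allowed.append(href)
        elif scheme in HELPER_SCHEMES:
            helper.append(href)
        else:
            other.append(href)
    return allowed, helper, other


# Constructed sample page (not from the article) mixing ordinary and helper-app links.
SAMPLE_HTML = """
<a href="http://www.apple.com/">Apple</a>
<a href="/local/page.html">relative link</a>
<a href=" TELNET://example.test/">free screensaver</a>
<a href="disks://example.test/image.dmg">download</a>
<a href="help:example">help</a>
<a href="ftp://example.test/">ftp</a>
"""

if __name__ == "__main__":
    for href in audit_links(SAMPLE_HTML)[1]:
        print("helper-application link, review before clicking:", href.strip())
```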

As of right now, we haven't heard of anyone actually using these vulnerabilities for malicious purposes, but we're certain something exists out there somewhere: it's the nature of the world. The best thing you can do is protect yourself, and the best thing we've found thus far is Unsanity's Paranoid Android. Mentioned in today's MacGadget column, Paranoid Android is a little program that watches which URIs are being used and, if something is potentially a problem, lets you decide how to handle it. This, of course, requires some knowledge on your part of what you're doing and why, but at this point it's the best solution we have. At least you'll know what's going on, and be afforded the option of stopping it if you so choose. "Safer than sorrier" is the thought process here, and is one we support fully.

Something to note is that this problem simply can't be fixed by the operating system or application vendor. There are many instances where the URI handlers referenced above are used for very helpful purposes, which is exactly why these sorts of exploits are commonplace on Windows systems: the more operating system automation you have, the greater the chance that some feature can be exploited by misguided folks. It's up to us, the users, to be sure that we're using programs and websites that we trust, and to be wary when we venture outside of our normal daily online routines.

More information on these threats is available at John Gruber's Daring Fireball blog as well as at Unsanity's web site.