Final Update: The most comprehensive overview of both the problem and the solutions can be found on Daring Fireball. I strongly suggest that you go there, rather than slogging through the comments below.
--
If you're an OS X user, it's extremely important for you to be aware of a security vulnerability that's been identified by users but not acknowledged or corrected by Apple.
(Update: The problem appears to be specific to Panther--OS X 10.3--so if you're running an earlier version of OS X you should be okay.)
(Update: Apparently the problem is not Panther-specific; most, if not all, OS X systems are vulnerable. See this comment on Jay Allen's site for details.)
You can read about it on Jay Allen's site (which is where I heard about it). Essentially, Mac browsers (including Safari, Mozilla, and Firefox) are all designed to launch the Help Viewer program when the help: protocol is invoked in a web link. Unfortunately, the Help Viewer program, in turn, is able to run scripts. What this means is that a malicious user can set up a page with an automatic redirect that runs a dangerous script. More details for the tech-minded can be found on this MacNN thread. And if you want a terrifying (but harmless) example of this, go to http://bronosky.com/pub/AppleScript.htm. It will launch Terminal and run a harmless du command--but it's scary as hell to see that Terminal window launch and files start scrolling. (There's also an advisory on the Secunia site, but it offers no helpful suggestions; it just verifies the seriousness of the problem.)
If, like me, you just want to know how to fix this fast (since Apple has apparently known about this since February and hasn't fixed it, it wouldn't be wise to wait for their patch), here's the approach to use.
- Download the freeware tool MoreInternet.
- From the disk image, run "install prefpane," which will put the MoreInternet preference panel into your System Preferences panel.
- Open the MoreInternet panel, and select the help: protocol.
- Change the application it launches from the Help Viewer (which has the script-running vulnerability) to something benign.
(I originally used TextEdit; I now use Chess, which, unlike TextEdit, gives me a clear visual cue that a page tried to invoke the help: protocol.)
- Make sure it worked by going to the scary but harmless example.
Update: In my comments, Jay Allen points out that you should repeat steps 3 and 4 for the disk: protocol, as well.
Hey Liz, Kevin Shay left a comment in my comments pointing out that the disk: protocol should ALSO be disabled. Without the feature-cum-flaw in Help Viewer, the disk: phenomenon doesn't have much effect, but theoretically, I suppose, an attacker could saturate your DSL line and fill up your hard drive.
The help: protocol is the big one, but I thought I would pass that on.
I found a fix in 20 seconds. Simply create a password-protected dmg file of Terminal and trash the uncompressed app. Help Viewer will hit a wall and ask for a default app. This puts the onus back on the user to let it go any further. This is also handy since most users will never have a need for Terminal and will prevent the uninitiated from mucking around in the command line.
I couldn't get it to work on my install of Jag 10.2.8 - the Finder complained that "there is no default application specified to open the document 'du'." Not sure if this means it only happens on Panther or if it's just a peculiarity of my settings.
I tried Bronovsky's scripts (the du and the ls) on 10.2.8, and I got error boxes ("Choose application") both times. I'm relieved not to have to worry about it, but I wonder what's going on.
Charlie, it doesn't have to use Terminal. That's just what the proof of concepts are using right now.
The malicious party could easily induce a download of an extremely small disk image of nothing but a little Applescript and then use the help vulnerability to launch that instead.
This is why file: also needs to be whacked.
Ted, do you have terminal on your system? For some reason, Terminal isn't being launched in your case.
FWIW, du is a Unix utility that displays disk usage and is found at /usr/bin/du.
Ted and Meg, it looks as though this is a Panther-specific bug.
Charlie, I use Terminal multiple times a day as an ssh client, and also to manage files on my local webserver (which I use for testing).
I suspect that most of the people who read my blog also use Terminal to some extent, if only as a telnet/ssh client.
Maybe a Panther thing; Jaguar won't open it. Or my firewall program may have already done its thing.
> This is why file: also needs to be whacked.
I think you mean 'disk:' not 'file:' :)
So I downloaded MoreInternet and linked the help protocol with Chess. Went to the terrifying but harmless example, and it opened up Chess. I now also have a little Speech Commands icon open, which I think has something to do with Chess.
Anyway, is there anything else I have to do?
Thanks for posting this, btw.
Kris
ksmith@sff.net
I use Terminal *constantly*. The frequency with which I use it calls into question the semantic distinction between "continuous" and "continual" -- proof (if any were needed) that I am a command-line retrogrouch.
But I actually quit out of it (the horror!) to see if Help would call it up. No go. My condolences to you Panthers... I guess I'm okay with being a passé Jaguarette.
"I suspect that most of the people who read my blog also use Terminal to some extent, if only as a telnet/ssh client."
-- Thanks Liz, I felt a little indignant at being treated like a n00b at unix. ;-) I use the command line every single day on my iBook.
"I think you mean 'disk:' not 'file:' :)"
You're absolutely right, Chris. Thanks. :-)
I don't like installing freeware to fix a bug on my OS. What does MoreInternet do? If one is security conscious one should be able to do this using just vi or a simple editor.
Thanks for highlighting this flaw and fix.
Scary indeed.
Henry, I agree. I didn't want to install MoreInternet either. I ended up changing the help: protocol helper using Microsoft Internet Explorer, as that's the only UI for this that I can find on my system. Using IE is hardly better than MoreInternet for the users who don't already have it installed.
You might try exploring the defaults command (specifically "defaults read com.apple.LaunchServices LSPrefsBindings") and see if you can find an easy way to change it using the shell (please post if you do!). More comments on Jay Allen's page.
Odd. I'm running 10.3.3, installed MoreInternet, and it doesn't show the Disk: protocol. I fixed Help:, but Disk: isn't there...
Do I need to add it?
Yes, CML, I would add it and point it to something pointless.
The MoreInternet application is *very* slow to download, thanks to all the folks looking to patch their systems. Anyone know of a mirror?
dce - I ran into the same problem, googled and found this, which was by degrees faster.
I also show no "Disk" listing in More Internet.
I did a search for it but returned no results; how does one then add it to the list?
(embarrassed by my lack of geekness)
No need to be embarrassed!
The MoreInternet pane gives you an "Add" button, just below the list of protocols. Click on that, and add "disk:" to the list. Then follow the same steps to assign a benign app.
Having a single set of bindings for trusted and untrusted sources is why Internet Explorer and Outlook have been security nightmares for most of the past decade.
I can understand Microsoft doing this: they have political reasons for "integrating" the desktop and the browser (they're not good reasons... trying to weasel out of an agreement with the DoJ is never a good reason). I can't understand Apple, though: there should be at least *two* unrelated sets of bindings... one to be used for applications that work with local documents and one for applications that work with untrusted documents...
and the bindings for applications that work with untrusted documents should be *absolutely* minimal.
In fact, by default and in the absence of explicit user action nothing should ever be transferred from an untrusted document to another application, or any integration of trusted and untrusted namespaces. That includes:
- Helper applications for URL protocols (eg help:)
- Helper applications for MIME types (eg video/windows-media)
- Helper applications for file extensions (eg .wma, .zip)
- Internet-enabled disk images and installers.
If the target application is not known to be suitable for handling untrusted data, it must not be passed untrusted data.
If an application is known to be suitable for handling untrusted data, it must not be presented with helper applications that aren't similarly trusted.
This is a really basic security principle, one that nobody I know would have imagined would be commonly violated until Microsoft not only kicked it over but refused to pick it up again. For gods' sake, folks, don't accept the same insanity from Apple, and don't let Apple get away with a one-shot patch just for this specific instance of the problem... that way lies the Outlook-exploit-of-the-week syndrome.
So, if I've used MoreInternet to change the help and disk protocol, do I still need to uncheck the "open safe files" option in Safari?
Thanks, Liz!
I feel much better now...
FYI I used the freeware app "misfox" which also allows one to modify helper apps and protocol associations. Set "help" and "disk" to "Chess.app" and all is fine.
Misfox is here:
http://www.clauss-net.de/misfox/misfox.html
There is a mirror for the moreInternet preference pane add-on at http://homepage.mac.com/WebObjects/FileSharing.woa/wa/default?user=diggorylaycock&templatefn=FileSharing.html&xmlfn=TKDocument.1.xml&sitefn=RootSite.xml&aff=consumer&cty=US&lang=en
The latest version is 1.1.1. (I've put the link in the "posted by" link for this entry, just below.)
thanks brian....just a regular mac user here and your fix was simple and clear.
Here's an easy fix that doesn't require any shareware to be downloaded.
1) Open up your moldy copy of Explorer 5.2
2) Go to preferences->network->protocol helpers and change it to Chess.
Don't use TextEdit because it's scriptable too!
3) Quit Explorer and go back to Safari.
Wow. Thanks, Liz, and thanks, Jay.
Can anyone post _where_ exactly MoreInternet makes its changes? I'd rather do it by hand than use MoreInternet, if only to understand what's going on better. (Though for the meantime, I have used MoreInternet to make the changes.)
Problem: Though I installed MoreInternet as host (vice user), that only means it's available to all users, not that the settings affect all users. When I changed the helper apps, it only changed them for ME, not for the whole system. I gather this since only my .plist got a new timestamp. Now, how do I force the entire system to change its helper apps? I don't want to have to log in as every user and change it by hand, or (worse) email them and trust them to do it.
You can disable this exploit by removing the execute permissions of Help Viewer.app.
As root, issue: chmod 744 /System/Library/CoreServices/Help\ Viewer.app/
If you need to use Help Viewer.app afterwards, just restore the execute privileges to the wheel or other groups as appropriate. A small bother, but you don't even have to trust a third-party utility. Once Apple fixes this you can leave the execute permissions on again. The path might be different in earlier versions of OS X.
-EKM
Just had an idea -- but I'm too tired (and probably don't have the skillzz) to put it into practice. Maybe somebody can pick it up and do it.
Use the security hole on your blog home page to launch terminal, list some files (the "scary but harmless" stuff), and print out an explanation linking to an informative weblog post (like this one) which tells the user how to fix the problem. Or even better (if possible?) open a browser session with the url in question.
Maybe it would encourage people to fix it?
Thanks for the help.
Do you know you were featured on The Screen Savers?
One thing to note, is that this isn't limited to web apps at all. It appears to be part of "LaunchServices".
For example, there's a commandline program called "open" which you can give a filename or a URL, and it will open it in the appropriate way. http: URLs open in your preferred browser, file: URLs open the file based on the extension or type/creator, etc.
It will also work with "disk:" and "help:" URLs.
Luckily, the MoreInternet fix works with this, too. So anything that uses LaunchServices to find out what to do with a disk: or help: URL should be prevented from wreaking havoc if you change the handling.
Came through Boing Boing... Thank you!
Back to the "disk" thing, it wasn't in my list either, and then I tried to add it, but it's still not in the list. What am I doing wrong? If you know, please mail me at shane [at] dosagedesign [dot] com
"Can anyone post where exactly MoreInternet makes its changes?"
MoreInternet uses the InternetConfig API, which is different from LaunchServices, though they overlap. IC is part of Carbon (and in fact has been around since System 7, in one form or another).
So. To answer your question: LaunchServices has been described above, and IC's preferences are stored in ~/Library/com.apple.internetconfig.plist, but you have to be a real serious hacker to modify the helper apps in that file, since it uses a binary alias record (along with some other binary info) to store its data.
If you are on the run to change the protocol helpers for "disk" and "help" you also should change the helper for "telnet".
Why?
Enter "telnet://-nMyFile" in your favorite browser. This will write an empty trace file called "MyFile" in the user's home dir. If MyFile already exists it will be overwritten. My Firefox version even accepts telnet as an image source, iframe etc. Not as serious as the "help" problem, but serious enough.
Damn, you're absolutely right fukami. This would allow a malicious user to overwrite any file that the web surfing user has write permissions on.
While this definitely isn't as serious as the original problem, there are a lot of important and predictably located files in the user's home directory.
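The two points raised in the thread so far, separate (and minimal) handler bindings for URLs coming from untrusted documents, and the telnet://-nMyFile case where the "host" is handed to the helper as a command-line option, can be modelled in one small policy function. This is an added example, not code from the post or from MoreInternet, MisFox, RCDefault or Paranoid Android; the allowlist contents and the "warn" behaviour for trusted sources are assumptions for illustration.

```python
"""Policy model for URL protocol helpers: a minimal allowlist for URLs from
untrusted documents, a prompt for risky schemes from trusted sources, and a
hard block on argument injection. Added example, not the post's own code."""
from urllib.parse import urlsplit

# Assumption: schemes a browser may hand to a helper when the URL came from
# a web page (link, redirect, <img>, <iframe>). Everything else is refused.
UNTRUSTED_ALLOWLIST = {"http", "https", "ftp", "mailto"}

# Schemes the thread identified as risky when reached from a web page:
# help: runs scripts via Help Viewer, disk:/disks: mount images, telnet:
# passes its host to a command line, file: opens local files by type.
RISKY_SCHEMES = {"help", "disk", "disks", "telnet", "file"}


def argument_injection(url):
    """True if the host or path a helper would pass on its command line
    starts with '-', so the helper parses it as an option rather than a
    target (telnet://-nMyFile writes a trace file named MyFile)."""
    parts = urlsplit(url)
    host = parts.netloc or ""
    path = parts.path.lstrip("/")
    return host.startswith("-") or path.startswith("-")


def decide(url, trusted_source=False):
    """Return ("open" | "warn" | "block", reason) for a URL.

    trusted_source=True models a URL typed by the user or opened from a
    local document; False models a URL embedded in a web page."""
    scheme = urlsplit(url).scheme.lower()
    if not scheme:
        return ("block", "no scheme")
    if argument_injection(url):
        # Dangerous regardless of origin: the helper receives an option.
        return ("block", "leading '-' would reach the helper as an option")
    if trusted_source:
        if scheme in RISKY_SCHEMES:
            # Paranoid Android-style: alert the user before handing off.
            return ("warn", f"{scheme}: helper runs scripts or mounts images")
        return ("open", f"{scheme}: allowed for local documents")
    if scheme in UNTRUSTED_ALLOWLIST:
        return ("open", f"{scheme}: allowed for untrusted documents")
    return ("block", f"{scheme}: not on the untrusted allowlist")


# Constructed sample URLs, including the two quoted in the thread.
SAMPLE_URLS = [
    "http://example.com/",
    "help://runscript",
    "disk://example.invalid/image.dmg",
    "telnet://-nMyFile",
    "telnet://example.invalid",
]

if __name__ == "__main__":
    for origin in (False, True):
        print(f"-- trusted_source={origin}")
        for u in SAMPLE_URLS:
            action, why = decide(u, trusted_source=origin)
            print(f"{action:5s} {u:35s} {why}")
```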
Liz, I believe that all 10.2.x systems ARE affected. See the section entitled "System applicability" on my updated post for more on that.
Another option I just heard about is Paranoid Android from Unsanity. The 'droid uses a different approach: It watches protocol links, and when it sees an unusual one (like help:), it pops an alert, giving you the relevant information and asking whether you want to run the application or not.
I tested it on 10.2.8 Server.
It opens the Help app but will not run the "du". Finder says: There is no default application specified to open the document "du".
deeboo, that's a failure of the demo exploit, but it's a positive test for the vulnerability. The du command doesn't work on 10.2 but the fact that it was attempted means Help Viewer ran the script.
I'm running 10.2.8 and Mozilla. MoreInternet won't fix the bug (same problem as Ted's post above) and I manually changed it in IE 5.2 (see Travis Whitton's post above) but the flaw still pays off EVEN FOR IE. What the heck? Am I just stuck with this bug?
hi,
i am currently using (blindly experimenting would be more exact) freebsd and noticed that the "scary but harmless" example also works here.
I downloaded and installed the MoreInternet preference panel, but it won't allow me to set the helper application to Chess, as suggested. In fact, the only apps that it allows me to choose appear to be ones that run scripts.
The test on bronosky.com opens up whatever application I assign to the above mentioned protocols. I think this means I'm in trouble.
Is there a list somewhere of unscriptable applications?
I installed this on my wife's iBook:
http://www.unsanity.com/haxies/pa/
and it worked. However, it requires 10.3, the machine I'm currently using is 10.2.8
i installed MoreInternet, tried to change the helper by dragging and by clicking on change. no good. it says "there is a problem setting the app as the helper" when i try to change it to chess, calculator or preview. i tried changing it at root in terminal by running chmod 744 /System/Library/CoreServices/Help\ Viewer.app/, also no good. what the #!*&?
Hi,
I was just mucking around. I think that you can negate this exploit from being able to run by setting Help Viewer.app's permissions to Owner System, No Access. Group Wheel, No Access and Others No Access. You would of course do this with Help Viewer closed.
After installing this I've noticed that I can no longer run Mac Help. Whenever I launch the program manually it doesn't work.
Is there a workaround for this? Also, how does one uninstall this freeware? Where exactly is the Help Viewer app located anyway? I see the Terminal address listed above but can't seem to locate it manually.
I use Opera 7.5 for the Mac and it appears to be immune to this exploit. I visited the terrifying but harmless example and in Opera all I get is an error. In Safari, indeed, it runs du. So browsing with Opera is another option.
Liz, I have just blogged this post:
Friday, May 21, 2004
MAC OS X SECURITY FLAW IS A HOAX:
Confirmed by Apple Technical Support in India
After I completed the five steps (see my previous post), my mac was working fine. Until I couldn't open any web pages. Either my ISP Virgin.net was at a standstill - or something was wrong. More likely I'd done something wrong with that chessboard :-) Because I have a 3-year warranty, I phoned Apple Technical Support to check on what I'd done.
A very helpful technician called Boris, had not heard of the OS X flaw, so I gave him my blog URL and asked him to get it up on his screen. He'd not heard of weblogs. He read my latest posts. And then offered to formally log this enquiry, make some investigations and phone me back on my mobile in ten minutes. I am typing this while I await his call.
He has just phoned. After speaking in-depth with a Product Specialist he says Apple emphatically state: there is not a security flaw in the mac operating system. He said Apple engineers around the world, work on macs every day, month after month and year after year and there is no way there is a security flaw for mac operating system. He said a few months back they gave out a security warning about a trojan horse on Microsoft software - but it had nothing to do with the operating system. I asked him if he was 100% sure. He said yes. I asked if it was a hoax. He said, well yes. I suggested that Apple post this confirmation on their website before this rumour and hoax gathers momentum on the Internet. He agreed to put the suggestion forward.
Because my machine was acting up, Boris talked me through the steps of reinstalling my software using the software install and restore CD. It took half an hour. Everything is now as good as new again. I'm glad it was only a hoax. Apple are still as awesome as they say :-)
I am pinging a copy of this good news - via Technorati - to: Chris Young, Wired News, Jay Allen, Liz Lawley and Jim O'Connell.
(sigh) And my response to the above.
Hi Liz,
Quite a fast moving situation. Thanks to you and Jay Allen for clueing me in. I think you may be very interested in this MacNN thread: http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=5 Especially page 5, post 7 by Developer (and the later confirming posts). A new counter measure called Paranoid Android came out of this new scenario.
http://www.unsanity.com/haxies/pa/
After reading you may want to recommend Paranoid Android as part of the necessary safeguards along with the help:, disk:, telnet:, "safe files off" steps. Page 6, post 28 by theolein and the first post in the thread by Developer give a thorough summary of the full dangers uncovered in the thread.
Ingrid,
When sending out notice that you think this is a hoax, please include reference to the MacNN thread as a possibly compelling counter argument. You may not understand the nature of this security vulnerability but your friends might find the arguments in the thread convincing. I just think it would be a shame if confusing claims of this being a hoax start spreading unnecessarily.
Ingrid, I've replied on your blog, as well. This is _not_ a hoax, nor is it a rumor. It's a well-documented recently discovered flaw; that a tech support guy in India who's never heard of blogs says it's not a problem isn't particularly compelling.
Before dismissing it as untrue, I'd strongly suggest that anyone concerned read the MacNN thread listed above, as well as the Secunia advisory and the Wired News article.
It seems that my install of Jaguar 10.2.8 is perversely opposed to patching this.
The MoreInternet dmg won't mount. I tried MisFox but it won't let me pick a helper that isn't scriptable (no Chess or Calculator, but TextEdit, Stickies, hell, even Acrobat are acceptable, and after Googling, they all checked out as scriptable). I then tried the IE solution (setting to Chess) and checked the proof of concept, but Safari didn't seem to pay what IE had to say any heed, and went ahead and opened Help Viewer.
Is anybody else having similar problems? Anybody have any suggestions? Earlier on a command-line fix was requested for posting; I second the matter.
For now I'm just gonna set everything to Stickies and chmod -x it since I never use it anyway; if anybody else is in my situation, I'd recommend doing something similar if nobody else thinks of a nicer way to get around this.
Try RCDefault. It is recommended by Jay Allen and John Gruber, to whom I link:
http://daringfireball.net/
John explains how RCDefault is the more robust solution vis-a-vis More Internet for changing protocol helpers.
Oh and "Paranoid Android" is probably a good idea, considering the deeper exploit uncovered on a MacNN thread. See my post above.
What about gopher? remember IE had a hole with gopher a few years back?
Software Update has a patch from Apple for this.
Now, when I try the bronosky link, HelpViewer starts up, but the following message is written to the Console:
2004-05-21 19:24:46.362 Help Viewer[3821] help://runscript called by another application!
i.e., Help Viewer is now checking who is telling it to run a script, and presumably ignoring requests from other applications.
I suppose there could still be a problem, if someone puts the gnarly scripting inside of an Apple Help file.
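The Console line quoted above is the one observable trace of a blocked help://runscript request on a patched system, which makes it a useful thing to watch for. This added example (not part of the post) parses Console output in that format and counts blocked attempts per minute; the sample lines other than the one quoted in the comment are constructed.

```python
"""Detect blocked help://runscript requests in Console output after the
Help Viewer patch. Added example, not the post's own code."""
import re
from datetime import datetime

# Format of the Console line quoted in the thread:
#   2004-05-21 19:24:46.362 Help Viewer[3821] help://runscript called by another application!
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<proc>.+?)\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
BLOCKED_MSG = "help://runscript called by another application!"

# Constructed sample: the quoted line plus made-up neighbours and noise.
SAMPLE_CONSOLE = """\
2004-05-21 19:24:46.362 Help Viewer[3821] help://runscript called by another application!
2004-05-21 19:24:47.010 Safari[3790] constructed unrelated message
2004-05-21 19:31:02.118 Help Viewer[3821] help://runscript called by another application!
2004-05-21 19:31:02.552 Help Viewer[3821] help://runscript called by another application!
this line does not match the Console format at all
"""


def parse_line(line):
    """Split one Console line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "proc": m.group("proc"),
        "pid": int(m.group("pid")),
        "msg": m.group("msg"),
    }


def blocked_runscript_events(lines):
    """Return the parsed records for every blocked runscript request."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proc"] == "Help Viewer" and rec["msg"] == BLOCKED_MSG:
            events.append(rec)
    return events


def attempts_per_minute(lines):
    """Map 'YYYY-MM-DD HH:MM' -> number of blocked attempts in that minute.
    Several attempts in one minute suggest a page that embedded the URL
    more than once (e.g. in multiple frames) rather than a single click."""
    counts = {}
    for rec in blocked_runscript_events(lines):
        key = rec["ts"].strftime("%Y-%m-%d %H:%M")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_CONSOLE.splitlines()
    for rec in blocked_runscript_events(lines):
        print(f"{rec['ts']} pid={rec['pid']} blocked help://runscript")
    print(attempts_per_minute(lines))
```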
I've been reading all the linked sites for over an hour and have yet to see anyone mention OS X 10.1.5. I know, it's old but hasn't given me any problems so I haven't had a reason to upgrade.
I'm not particularly geeky when it comes to the Mac anymore (I left those days behind when OS X came along) so much of this talk is a bit too much on the technical side. I've run the bronosky page (in Camino) and it opened my help app but I just upgraded to the new version of Camino and the page no longer opens anything. However, the latter half of the page with the form and browse button might as well be gibberish. What does it mean? Do I need to do anything there?
Also, since I have an older version of OS X, I can't install MoreInternet or Paranoid Android. So are there workarounds for me? Or am I actually affected (it would seem I am, if my help app opened before the new version of Camino - although I never open a downloaded file immediately).
Apple has posted an update for this. Check Software Update.
Jon, the fix doesn't fix all of the problems, I'm afraid.
http://securityfocus.com/bid/10341
I'm on Mac OS X 10.2.8 and MoreInternet didn't work at all for me. It wouldn't accept Chess as an App. I tried Internet Explorer 5.2 and was able to set Chess as the application but it didn't make any difference to Safari. I tried RCDefault and that works.
Just ran software update and there is a patch from the FUTURE! It downloaded a new security patch for 5.24.04 that patches the Help Viewer. Sweeeeet!
The patch addresses only part of the problem. See http://discussions.info.apple.com/WebX?14@111.Qu0xaICCnzD.0@.68936654
Also, there is a "disks" protocol which needs to be rerouted via Misfox or MoreInternet. In fact, there are a whole number of protocols that need to be rerouted to text edit or stickies. See http://secunia.com/advisories/11689/
In general the discussion on apple.com/support (click discussions, click Safari) is very helpful. It's a little less technical than the discussion on MacNN.
Best regards,
Matt
I've installed the security patch from Apple, supposedly for this problem.
See http://www.apple.com/support/downloads/securityupdate__2004-05-24_(10_3_3).html
When I click the link for the "scary but harmless" example, I do not get a Terminal window at all. Instead, only my browser's window appears, with the author's dire warning, "This is not good! Aren't you glad..."
Consequently, I am not sure whether nothing malicious *could not* have been done. Since Terminal did not open up, can I safely assume that this hole has been plugged by the Apple patch?
Lou