Security Update 2004-06-07

Discussion in 'Apple' started by Tom Harrington, Jun 7, 2004.

  1. Apple's got a new security update that looks like it's meant to address
    the recent URI security exploits.

    Looks like an update to how LaunchServices decides whether to run an
    application based on a URI, along with disabling disk:// URIs, and some
    other things. Details at these addresses:

    <http://docs.info.apple.com/article.html?artnum=61798>
    <http://docs.info.apple.com/article.html?artnum=25785>

    The second link above makes it sound sorta-kinda like what Paranoid
    Android does.

    I don't know whether this handles all the demo exploits online yet; will
    post more once I get it installed, and reboot.
     
    Tom Harrington, Jun 7, 2004
    #1

  2. Not quite. PA asks for every scheme it doesn't trust; Apple's update
    asks for every new application launched indirectly, whether through an
    URL or a document double-click. Then it remembers.

    Apple seems to have provided a good fix here.

    But, mind you, I'm still installing it too. :)
     
    Steven Fisher, Jun 7, 2004
    #2

  3. OK, I installed the update and removed Paranoid Android. Going over the
    sample exploits, found at
    <http://www.unsanity.com/haxies/pa/whitepaper/>:

    1. Unsanity example #1: Clicking the link results in an unexpected disk
    image being downloaded. Once downloaded, it's mounted (because I have
    this enabled in Safari). I then get a dialog box warning me that the
    (demo) application "OSXMalware" is about to be launched, and that it's
    in the "MalwareDiskImage" folder. I get cancel and open buttons, so
    this exploit looks to be covered.

    2. Unsanity example #2 (FTP): Clicking the link causes my FTP helper to
    be launched, and to open the FTP site. If the helper is the Finder (the
    default), I get the same kind of warning as above. If the helper is
    some other application, it launches and goes to the site, but of course
    there's no danger then. So this seems covered as well.

    Looks like the holes are plugged. Probably. The security holes as
    discussed so far are based on the idea of an application being
    surreptitiously downloaded to your disk, and launched via a URI. That
    seems to be covered now, since this would be the first time the
    application had been launched. But this may just be shifting the
    problem. Consider the following possible scheme (and poke any holes in
    it that you find):

    I've got some application installed which I'll call FriendlyApp.
    FriendlyApp is not a trojan, not on its own, at least. But it handles a
    URL scheme of some kind. Someone knowing that lots of people have
    FriendlyApp installed could conceivably arrange a URI exploit that would
    cause FriendlyApp to run. If FriendlyApp has a security hole of its
    own, it could accidentally become a trojan under the influence of a
    rogue web site. I don't know how likely this is, I'm just speculating.
    Paranoid Android would still catch this, but I don't think the new
    security update will. If I'm mistaken I'm sure someone will point out
    the flaw in my reasoning.

    One annoying detail in all of this: The Paranoid Android installer
    helpfully includes Unsanity APE, if needed. However its uninstaller
    does not remove APE. So I'll have to look for something at Unsanity's
    site to get me rid of it.
     
    Tom Harrington, Jun 7, 2004
    #3
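A small Python model of the two gating policies this thread contrasts (added here as an illustration; it is not code from Apple, Unsanity or any poster), replaying the FriendlyApp scenario in post #3: one gate prompts per untrusted URL scheme, the other prompts once per application on its first indirect launch and then remembers. The scheme name `friendly:`, the trusted-scheme list and the class and function names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class LaunchRequest:
    """One attempt to launch an application (constructed model, not Apple's API)."""
    app: str
    scheme: Optional[str] = None  # URL scheme that triggered it; None for a document double-click
    indirect: bool = True         # reached via URL or document, not by the user opening the app

class FirstLaunchGate:
    """Apple's update as post #2 describes it: prompt on the first indirect launch of an
    application, then remember. Schemes Apple removed (disk://) have no handler at all."""
    def __init__(self, disabled_schemes=()):
        self.disabled = set(disabled_schemes)
        self.approved = set()

    def check(self, req: LaunchRequest) -> str:
        if req.scheme in self.disabled:
            return "no_handler"
        if not req.indirect or req.app in self.approved:
            return "allow"
        return "prompt"

    def approve(self, app: str) -> None:
        self.approved.add(app)  # the user clicked Open; this app is never asked about again

class SchemeGate:
    """Paranoid Android as post #2 describes it: prompt for every scheme it doesn't trust."""
    def __init__(self, trusted):
        self.trusted = set(trusted)

    def check(self, req: LaunchRequest) -> str:
        if req.scheme is None or req.scheme in self.trusted:
            return "allow"
        return "prompt"

def friendlyapp_scenario() -> dict:
    """Replay post #3's argument: FriendlyApp was approved once via a document, and a
    web page later invokes its (assumed) 'friendly:' scheme."""
    apple = FirstLaunchGate(disabled_schemes={"disk", "disks"})
    pa = SchemeGate(trusted={"http", "https", "mailto"})  # assumed trust list
    by_document = LaunchRequest("FriendlyApp")
    by_url = LaunchRequest("FriendlyApp", scheme="friendly")
    results = {"apple_first_document": apple.check(by_document)}
    apple.approve("FriendlyApp")
    results["apple_later_via_url"] = apple.check(by_url)  # remembered: no prompt
    results["pa_later_via_url"] = pa.check(by_url)        # untrusted scheme: still prompts
    results["apple_new_app_indirect"] = apple.check(LaunchRequest("OSXMalware"))
    results["apple_disk_scheme"] = apple.check(LaunchRequest("DiskImageMounter", scheme="disk"))
    return results
```

The model makes the gap explicit: once FriendlyApp has been approved, the first-launch gate lets a later URL-triggered launch through silently, while the scheme gate still asks.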
  4. Surreptitious downloading was not a necessary element of the recently
    discovered security hole. As shown by Unsanity's example #1, the "disk"
    URL scheme could be used to mount a remote disk image without actually
    downloading it to a local volume. Safari's auto-open setting was
    irrelevant. Security Update 2004-06-07 seems to have fixed this by
    eliminating the ability of DiskImageMounter (now bumped to version
    10.3.5) to handle such URL schemes. Rubicode's Default Apps preference
    pane now shows that the "disks" scheme is gone and the "disk" scheme no
    longer has a default app.

    The only practical defense against insecure applications is not to use
    them. Had Safari been designed to delete files in response to some
    command embedded in a web page, the only protection would have been to
    disable Safari, partially or totally. Safari would not have been using
    Launch Services and would not have been doing anything extraordinary, as
    far as the system could tell. Neither Paranoid Android nor Apple's
    latest security update could stop it. Nor should they attempt to do so.

    Applications read, write, create, and delete files all the time. That's
    how they work and why we use them. Putting up a warning dialog every
    time an application tries to do anything "suspicious" would be the only
    protection -- and would be so annoying that nobody would use it.

    In talking about this last security vulnerability, some people have
    tended to talk about this or that as being *the* problem. It wasn't
    really a single flaw but a collection of system and application
    functions that could be strung together into a path of exploitation.
    Connect the dots. Which function(s) needed to be modified or eliminated
    entailed choosing between functions based on their usefulness and
    dangerousness. Apple's choices seem to have preserved maximum user
    convenience while still plugging the holes.

    While it's useful to think about security in a comprehensive way, I don't
    think we'll ever see grand architectural (much less foolproof) solutions
    for it.
     
    Neill Massello, Jun 8, 2004
    #4
  5. Internal Error
    Cannot Process Command
    Oops! We seem to have run into technical difficulties and cannot
    complete your download request. It could be that the download link you
    tried to access has changed and the developer forgot to notify us. Want
    to let us know so we can get it fixed? Send us an email or make your way
    back to Mac OS X Downloads for any other downloads you need.


    just overload?
    or ????
     
    J.Random Luser, Jun 8, 2004
    #5
  6. What happened when you tried it again?
     
    Howard Shubs, Jun 8, 2004
    #6
  7. According to macfixit.com, there are two versions of the patch - one
    for OS 10.3.3 and one for OS 10.3.4. Are you perhaps trying to
    download the wrong version?

    Cathy
     
    Cathy Stevenson, Jun 8, 2004
    #7
  8. Probably because some of the other Unsanity haxies use APE.

    Cathy
     
    Cathy Stevenson, Jun 8, 2004
    #8
  9. Yeah, I know that. But if an installer includes an item, the
    corresponding uninstaller should at least have the option to remove that
    item.
     
    Tom Harrington, Jun 8, 2004
    #9
  10. It came right an hour later.
    That was a danged error msg tho', never seen one like that from Apple
    before ;-)
     
    J.Random Luser, Jun 8, 2004
    #10
  11. Made slightly easier by Apple's implementation of their Network File
    System (not the old NFS we all love or hate, p'raps a version of .Net).
    Both PA and Security Update 2004-06-07 hide the gory details from the
    average user, and thus permit the unwary to install Trojans. The best
    defence here is social engineering, which happens to be the method of
    attack... As Apple's market share climbs, expect to see increased
    intrusion rates.

    For hints on Apple's directions in distributed filesystems:
    look at the WWDC program of Technical Sessions:
    http://developer.apple.com/wwdc/descriptions/
    eg.

    102 - Network Kernel Extensions
    Learn about the new and improved Network Kernel Programming Interfaces
    for developing Network Kernel Extensions (NKEs)...

    104 - Core Networking
    Mac OS X offers a rich set of programming interfaces for networking
    combining built-in support for industry-standard media types,
    protocols and services with innovative services from Apple....

    405 - Understanding Document Binding on MacOS X
    Uniform Type Identifiers (UTIs) are a new way of specifying document
    and data types. In this session, we'll cover how UTIs are used by
    Launch Services to enhance and simplify document binding....

    406 - Modern Networking using CF Networking
    CFNetwork is at the heart of the fast and reliable networking built
    into Mac OS X. This session is for those interested in accessing
    the network from within an application's normal event context without
    getting into the details of raw sockets or specific networking
    protocols...


    Now what was all that fuss about when MS wanted to embed IE in Win98????
     
    J.Random Luser, Jun 8, 2004
    #11
  12. MS wanted to embed IE in Win98, and lock out all competing web browsers.
    Apple is showing developers how they can access the network from within
    their own applications. Why, it's like night and day.
     
    Michelle Steiner, Jun 8, 2004
    #12
  13. [snip]

    I noticed this as well. I downloaded the APE installer from the
    Unsanity site, and it does have an "uninstall APE" option.
     
    sn00ge, Jun 9, 2004
    #13
  14. From (bad) experience I keep away from all Unsanity and APE stuff. YMMV

    --
    Peter

    Remove MEAT I'm a vegetarian

    plalp MEAT at freeuk daught com
     
    PeterG, Jun 9, 2004
    #14
  15. Normally I avoid it as well, but with the recent URI exploits I decided
    it was worth installing PA, even if it did require APE.
     
    Tom Harrington, Jun 9, 2004
    #15
  16. Didn't the recent update fix this?
     
    PeterG, Jun 9, 2004
    #16
  17. That's more or less exactly what I said, earlier in this very discussion
    thread. I used PA (and APE) for a little while because I thought the
    situation warranted it, but I don't use it now.
     
    Tom Harrington, Jun 10, 2004
    #17
  18. Oops, sorry; that's what happens when you enter midway through a thread
    and with snipped postings.
     
    PeterG, Jun 10, 2004
    #18
  19. > That's more or less exactly what I said, earlier in this very discussion
    > thread. I used PA (and APE) for a little while because I thought the
    > situation warranted it, but I don't use it now.

    I'm still using PA because I'm on OS 10.2.6 and really do not wish to
    upgrade to 10.2.8 at this time. APE hasn't given me any trouble on
    either of my two machines -- at least none that I can detect. What sort
    of problems has it caused?
    Am I correct to assume that it's safe to continue this way -- that PA
    will protect my system as well as the new security update does for
    10.2.8 and above?
    It hasn't given me any alerts except when I try to sync to my Palm
    Pilot. I haven't figured out yet how to tell it that's okay, so I've
    just been clicking "allow."
     
    d49ot, Jun 10, 2004
    #19
  20. > System Prefs->APE Manager-> Paranoid Android->Settings: hit the plus
    > sign and type the URL scheme you want to always allow.

    I can't find anything labelled "settings" when I get to Paranoid
    Android.
    When I click on APE in Systems Preferences, I get a window showing
    Paranoid Android selected under "Application Enhancers." There are three
    tabs: Exclude List (which is blank); Enhanced Applications (which lists
    all the apps presumably protected by PA) and Information (which has the
    read-me material.)
    I'm using PA 1.1. Couldn't find a version number for APE but it's
    the one that installed with PA 1.1.
     
    d49ot, Jun 11, 2004
    #20