As the Apple Turns    About    Reruns    Contact    Preferences Thu 3:11 AM

Fun With(out) Security (5/17/04)
SceneLink
 

Woo-hoo, it's like we Mac users have been in Security Issue Heaven recently, isn't it? After years and years of watching forlornly as Windows users had all the fun, Macfolk are finally starting to see a little action these days. First there was that questionable but clever little demo Trojan whereby arbitrary executable code was embedded in the ID3 tags of an MP3 file. Then there was this fake Word 2004 installer floating around, which was just a "delete everything we can" script with a custom icon pasted on top-- not exactly a security hole, since any system that lets you delete any files would be susceptible to that sort of thing, but still, it was a real piece of Mac OS X malware found in the wild.

And now there's this new hole in Mac OS X that apparently lets the bad guys exploit Help Viewer to run code on your system just by getting you to click a single link on a web site they set up. Faithful viewer Bernd Schnitker was the first to inform us that, as detailed by the security web site Secunia, "the 'help' URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using 'help:runscript.'" In other words, Help Viewer is allowed to run AppleScripts and the like, provided they're somewhere on your system, and will do so if instructed to via a web link to "help:runscript=..." which specifies where the script resides. The upshot is that some clever folks could slap together a web page that automatically sends you a .dmg disk image (which, with default settings, Safari etc. will automatically mount), waits a little while, and then redirects your browser to the help:runscript URI pointing to the script included on the mounted disk image.

Don't believe it could work? Well, the site insecure.ws not only has a description of the problem, but also put together a proof-of-concept web page that exploits the hole. Click here to see it in action; while it won't actually harm your system, it'll prove that it could if it wanted to; if you haven't messed with any relevant default Safari settings, you'll see a disk image mount on the Desktop, Help Viewer launch, and Terminal spawn a new window informing you that you've been compromised. Don't forget to toss that scary "owned.txt" file that the script slapped into your home directory just to make you sleep a little less soundly at night. (We don't sleep anyway, so we're thinking of keeping it around. It classes up the joint a little.)

For what it's worth, if you want to protect yourself from this sort of thing happening until Apple issues another Security Update, it's not too difficult; you can either tell Safari (or whatever browser you use) not to mount downloaded disk images (uncheck "Open 'safe' files after downloading" in the General Preferences), or better yet, use something like the More Internet preference pane to rename the help URI handler. Geez, three security issues of varying degrees of ickiness in the space of less than six weeks; multiply that by ten, and we'll almost be where Windows is! Enterprise sales, here we come!


 
SceneLink (4698)
And Now For A Word From Our Sponsors
 

As an Amazon Associate, AtAT earns from qualifying purchases


 

The above scene was taken from the 5/17/04 episode:

May 17, 2004: Another Mac OS X security issue comes to light, and this one has a fun proof-of-concept web page. Meanwhile, Gwyneth Paltrow names her kid "Apple," and the G5 cluster at Virginia Tech may be vanishing from the next list of the top supercomputers...

Other scenes from that episode:

  • 4699: "It's A... Golden Delicious!" (5/17/04)   Huzzahs and hosannas to the new little person! We're not sure how closely you follow the entertainment news (you should be studying it like a bloodhound on espresso, because you never know when another Ashton-Demi pairing might send pork belly futures soaring again), but faithful viewer Keith Bradnam informed us over the weekend that, according to the BBC News, the lovely and talented Gwyneth Paltrow gave birth to a healthy baby girl last Friday...

  • 4700: 3 to Nowhere With A Bullet (5/17/04)   Say, remember just six months ago when Apple (the computer company, not Baby Paltrow, who was merely a human bean at the time) made waves in the hardcore geek community because Virginia Tech managed to build the world's third-fastest supercomputer out of off-the-shelf Power Mac G5s in a matter of months for a cost normally associated less with massive parallel computational clusters and more with, for example, a large fries and a Coke?...

Or view the entire episode as originally broadcast...
Vote Early, Vote Often!
Why did you tune in to this '90s relic of a soap opera?
Nostalgia is the next best thing to feeling alive
My name is Rip Van Winkle and I just woke up; what did I miss?
I'm trying to pretend the last 20 years never happened
I mean, if it worked for Friends, why not?
I came here looking for a receptacle in which to place the cremated remains of my deceased Java applets (think about it)

(1237 votes)

As an Amazon Associate, AtAT earns from qualifying purchases

DISCLAIMER: AtAT was not a news site any more than Inside Edition was a "real" news show. We made Dawson's Creek look like 60 Minutes. We engaged in rampant guesswork, wild speculation, and pure fabrication for the entertainment of our viewers. Sure, everything here was "inspired by actual events," but so was Amityville II: The Possession. So lighten up.

Site best viewed with a sense of humor. AtAT is not responsible for lost or stolen articles. Keep hands inside car at all times. The drinking of beverages while watching AtAT is strongly discouraged; AtAT is not responsible for damage, discomfort, or staining caused by spit-takes or "nosers."

Everything you see here that isn't attributed to other parties is copyright ©,1997-2024 J. Miller and may not be reproduced or rebroadcast without his explicit consent (or possibly the express written consent of Major League Baseball, but we doubt it).