Big Gaping Hole Take 2 (& 3) (5/24/04)

Why so glum, chum? 'Cause that look of dejection sails far beyond the city limits of Monday Bluesville and nestles somewhere east of the Thursday Dumps. We're going to hazard a guess and assume that this has something to do with the Help Viewer security hole-- specifically, the fact that Apple patched it Friday night. You installed the update and verified that Help Viewer no longer launches local scripts when pages containing demo exploits are loaded, so you figure that Apple has indeed plugged what is arguably Mac OS X's first ever Gaping Chasm o' Vulnerability-- and its departure has, understandably, left some viewers like yourself feeling vaguely regretful and empty.

While literally no one reported any damage resulting from the flaw and its negative impact on the world at large paled in comparison to even the mildest Windows worm, for a brief, shining moment, we Mac users stood shoulder to shoulder with the Wintel crowd as we contended with a security flaw of practically Microsoftian proportions... and now that moment has seemingly passed. Of course you're grieving a little. Well, cheer up, Bucko; we aren't out of the woods yet. Unsanity, the maker of the freeware Paranoid Android software that was written to protect against the Help Viewer exploit, has posted a white paper explaining that clever malware authors can avoid using the "help:" protocol entirely by registering their own custom protocols. There's a linked demo exploit which still managed to write a file into our home directory even after we'd applied the Security Update and unchecked "open 'safe' files after downloading." So Apple's got a little more work to do, apparently.

Or possibly even a lot-- because meanwhile, faithful viewer Larry Vinson points out another glaring vulnerability in Mac OS X described over at Daring Fireball-- and Security Update 2004-05-24 reportedly does nothing to fix it, either. Buckle up for another URI-related vulnerability, just like the "help:" one, although with rather less potential for creative evil. This time the problem rests with the "telnet:" scheme, which, by default, is mapped to Mac OS X's Terminal application. It turns out that Mac OS X will pass along anything after the standard two slashes as a command line argument to the UNIX "telnet" command, which sounds relatively harmless until you hear that one possible argument is the "-n" flag, which specifies that telnet should log all activity for the session into the filename specified. That wouldn't be a problem, except that if a file with the same name already exists in the given location, telnet will overwrite said file with its log. Without even saying "please." Which is, we're sure you'll agree, pretty rude.
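The root problem described above is argument injection: text from a URI reaches the telnet command line without being checked. As an added example (not code from Apple, Daring Fireball, or this page), here is one way a URI handler could validate a telnet: link before launching anything. The telnet path, the function names, and the sample URIs are assumptions constructed for illustration, and IPv6 literals are deliberately not accepted.

```python
import re

TELNET_BIN = "/usr/bin/telnet"  # assumed location of the telnet client

# One DNS label: alphanumeric at both ends, so it can never begin with "-".
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Accept only telnet://host[:port][/] with no userinfo, path, or whitespace.
_TELNET_URI = re.compile(
    rf"telnet://(?P<host>{_LABEL}(?:\.{_LABEL})*)(?::(?P<port>[0-9]{{1,5}}))?/?",
    re.IGNORECASE,
)


class UnsafeTelnetURI(ValueError):
    """Raised when a URI must not be handed to the telnet client."""


def telnet_argv(uri: str) -> list[str]:
    """Build an argv list for telnet from a URI, or raise UnsafeTelnetURI."""
    m = _TELNET_URI.fullmatch(uri)
    if m is None:
        raise UnsafeTelnetURI(f"rejected: {uri!r}")
    host, port = m.group("host"), m.group("port")
    if len(host) > 253:
        raise UnsafeTelnetURI("hostname too long")
    # "--" ends option parsing (assumes a getopt-style telnet), so even a
    # value that slipped past validation could not be read as a flag.
    argv = [TELNET_BIN, "--", host]
    if port is not None:
        if not 1 <= int(port) <= 65535:
            raise UnsafeTelnetURI("port out of range")
        argv.append(port)
    return argv  # pass as a list to the process launcher, never via a shell


def check(uri: str):
    """Return the argv for an acceptable URI, or None if it is rejected."""
    try:
        return telnet_argv(uri)
    except UnsafeTelnetURI:
        return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real page.
    for u in ("telnet://example.com:2323/", "telnet://-nEXAMPLE_FILE",
              "telnet://example.com -n EXAMPLE_FILE"):
        print(u, "->", check(u))
```

The allow-list matters more than the `--`: anything that is not a plain hostname and optional port is refused outright instead of being cleaned up and passed along.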

The upshot is that anyone can slap together a web page that automatically launches Terminal and overwrites data that happens to sit in a known location. Sure, it won't nuke any files for which the current user lacks write permissions, so it's unlikely that this hole could be exploited in such a way as to hose your entire Mac OS X system, and we didn't have much luck specifying filenames with spaces in them (though we were probably just doing it wrong)-- but we were able to create a web page that completely annihilated all of our Stickies. Before visiting the page, we had a rainbow of about thirty happy little notes, crammed full of random info-snippets like driving directions, bank transaction numbers, and a recipe for pie crust so flaky you'd think it believed in astrology; after visiting the page, we relaunched Stickies and found ourselves staring into a single lonely yellow rectangle with a cursor blinking forlornly within. Yikes. Just yikes.

No, it's not quite as sexy as the Help Viewer exploit, which could execute arbitrary chunks of code and theoretically even be used to spread a self-propagating worm, but any security hole that allows a web page to wipe quantities of data from your hard drive still qualifies as pretty effin' nasty in our book. So as we all sit around waiting for the next Security Update, we definitely recommend that you at least disable the telnet: URI protocol until Apple issues a real fix. There are plenty of ways to go about it; we used the freeware More Internet preference pane (which everyone should have installed-- it's Internet Config for Mac OS X, dontchaknow) to map telnet: to Image Capture instead of Terminal. After all, when was the last time you came across a legitimate telnet: link, anyway?

Of course, that doesn't fix the "arbitrary custom protocol" problem illustrated in Unsanity's white paper, so maybe the best course of action is to install Paranoid Android. We haven't had a chance to put it through its paces yet, but given that its author was able to blow through Apple's Security Update like so much wet Kleenex, we have to assume he knows what he's doing. Meanwhile, smile! We're still dealing with security issues of arguably Wintellian proportions; it's almost like we're using what the IT guys refer to as "real computers"! Can newfound respect for our chosen platform be far behind?

 
 

As an Amazon Associate, AtAT earns from qualifying purchases

 

The above scene was taken from the 5/24/04 episode:

May 24, 2004: Turns out that Security Update doesn't fix everything after all. Meanwhile, Apple tries to unload its low-end G5s on registered developers, and a puma gets shot and killed in Steve Jobs's neighborhood-- that can't be a good sign...


DISCLAIMER: AtAT was not a news site any more than Inside Edition was a "real" news show. We made Dawson's Creek look like 60 Minutes. We engaged in rampant guesswork, wild speculation, and pure fabrication for the entertainment of our viewers. Sure, everything here was "inspired by actual events," but so was Amityville II: The Possession. So lighten up.

Site best viewed with a sense of humor. AtAT is not responsible for lost or stolen articles. Keep hands inside car at all times. The drinking of beverages while watching AtAT is strongly discouraged; AtAT is not responsible for damage, discomfort, or staining caused by spit-takes or "nosers."

Everything you see here that isn't attributed to other parties is copyright © 1997-2024 J. Miller and may not be reproduced or rebroadcast without his explicit consent (or possibly the express written consent of Major League Baseball, but we doubt it).