Re: Mac OS X Security Vulnerability

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Wed May 19 2004 - 14:14:23 PDT

At 13:07 -0700 2004-05-19, Chris Ferreira wrote:
>Important story on an OS X security vulnerability:
>
>http://story.news.yahoo.com/news?tmpl=story&cid=74&e=3&u=/cmp/20040519/tc_cmp/20600174

   The article states that:

>Secunia [the company which identified this vulnerability] says
>there's no easy way to fix the flaw ...

   Secunia does identify several methods by which Mac OS X users can
protect themselves against this vulnerability, as a list of
"Mitigating actions" at <http://secunia.com/advisories/11622/>. The
most important of these actions is likely.

>Change the protocol helpers (applications) for URI handlers which
>are not required.

   At least on its face, it appears that changing the applications
designated to handle the "help://" and "disk://" protocols may
provide protection from this vulnerability.

   Obligatory disclaimer: the following are not official instructions
from Apple. It is possible that they may not fully or even partially
protect you from this vulnerability. Although I believe it to be
highly unlikely, Seriously Nasty Things (tm) could potentially happen
if you follow these or any other unofficial instructions:

   Here's how you can do this:

   1. Get the "More Internet Preference Pane" from:
      http://www.monkeyfood.com/software/moreinternet/

   2. Open the ".dmg" file you downloaded from that site.

      This will mount the "More Internet" disk.

   3. On that disk, open the "install prefpane" script.

      This will install the "More Internet" preferences pane.

   4. Select "System Preferences..." from the Apple menu.

   5. Select the "More Internet" item in the System Preferences window
      or from the "View" menu (if that menu appears).

      This will display the window for the "More Internet" preferences pane.

   To change the helper application for the "help" ("help://") protocol:

   6. In the list of "Helpers By Protocol" at left, click "help".

      After doing so, "Help Viewer" should be displayed as the
      default application for handling the "help" protocol.

   7. Drag the icon for another application of your choice
      onto the specified area in the "More Internet" preferences pane
      OR
      Click the "Change" button and navigate to and select
      another application of your choice.

      "Chess" and "TextEdit" have been variously suggested as
      appropriate applications to use as a less-vulnerable alternative
      to "Help Viewer".

   To specify a default helper application for the "disk" ("disk://")
   protocol:

   8. In the list of "Helpers By Protocol" at left, look for "disk".

      If this name appears, click its name, then repeat the instructions
      in step 7, above,specifying a relatively benign application, such
      as Chess or TextEdit, as the default helper application for the
      "disk" protocol.

      If this name does not appear:

   9. Click the "Add" button.

  10. In the "What is the protocol you wish to add" text entry field,
      type:

         disk

  11. Click the "Add" button.

  12. Repeat the instructions in step 7, above, specifying a relatively
      benign application, such as Chess or TextEdit, as the default helper
      application for the "disk" protocol.

   (For the sake of completeness, some participants in discussions of
this vulnerability have suggested that the default helper
applications, if any, for protocols such as "telnet://" and "ssh://"
should also be changed in a similar manner.)

>Does anybody know of a place on the Apple site that posts security
>updates/problems? I looked on the site and haven't found any mention
>on this particular issue. This seems like a relatively important
>security flaw and I am surprised I couldn't find any information
>directly from Apple.

   Apple Product Security
   http://www.info.apple.com/usen/security/index.html

   As noted on that page:

>For the protection of our customers, Apple does not disclose,
>discuss or confirm security issues until a full investigation has
>occurred and any necessary patches or releases are available.

   (Just noted that Bob Callaway also posted this latter information ...)

   Another handy Apple security reference is the list of security updates at:

   Apple Security Updates
   http://docs.info.apple.com/article.html?artnum=61798

Aron Roberts
Workstation Software Support Group

P.S. A couple of discussions regarding this vulnerability include:

http://discussions.info.apple.com/WebX?128@74.aapOa9uBmlt.1@.689369bf

http://www.macfixit.com/article.php?story=20040519024257161

------------------------------------------------------------------------
The following was automatically added to this message by the list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
Received on Wed May 19 14:17:23 2004

This archive was generated by hypermail 2.1.8 : Wed May 19 2004 - 14:17:23 PDT