May 18, 2004

Bleeping huge security hole
Posted by Teresa at 09:50 PM

If you have a Macintosh running OSX, you have a problem. Deal with it right now. Tonight. Seriously.

IMO, the best overall summary and recommendations.

Jay Allen’s more technical discussion.

A completely terrifying demo of the hole. Click on it and watch how the “help:” protocol can be used to (for instance) fire up your Terminal program and run “du”. As the demo says, it could just as easily have run “rm -rf”.

(Mom, “rm -rf” means “Wipe everything on my hard drive.” If Matt’s got OSX running on your computer, you need to take care of this.)

Here’s where to get the fix—but read the other stuff first.

More:

Here’s how Patrick explained it to me:

It is possible to write a URL that, when invoked from one’s default browser, invokes Apple’s Help program, which is itself a mini-browser which uses a subset of HTML. The trouble is that unlike a well-written, full-fledged, OSX browser, the Help program is (a.) fully scriptable; and (b.) fully capable of running any application or command for which the user has privileges.

This is where “rm -rf” and other nightmares come in. Terminal is a very powerful program. For instance, instead of wiping your hard drive, a malfeasant could have Terminal send all the data on your hard drive to the destination of his choice.

When you click on the URL for the demo, it launches the Help program, which in turn launches Terminal on your own machine—and then, without any intervention from you, runs “du”. This is harmless, but has the quite terrifying property of scrolling through a complete list of the files on your computer. At that moment, you realize that you’re the data loss equivalent of a spider held above a fire by someone’s cupped hands.

The solution is to break the link that allows the “help:” protocol to launch the Help program. Read the links, download the software, and do what it says. It’s fast and easy. Once you’ve done it, anyone who tries to get at you via the “help:” protocol security hole will wind up launching the chess game, which at worst will beat you at chess.

Comments on Bleeping huge security hole:
#1 ::: Jay Allen ::: (view all by) ::: May 18, 2004, 10:22 PM:

"It is possible to write a URL that, when invoked from one’s default browser, invokes Apple’s Help program, which is itself a mini-browser which uses a subset of HTML. The trouble is that unlike a well-written, full-fledged, OSX browser, the Help program is (a.) fully scriptable; and (b.) fully capable of running any application or command for which the user has privileges."

That is a pretty damn near perfect laymen's explanation.

"This is where “rm -rf” and other nightmares come in. "

Well, actually, that's where we're "lucky". Due to a technical restriction, the command actually can't have any spaces in it. Thank God for small miracles.

However, just before kicking off the help:// link, the malicious web page could send your browser a "disk://..." URI which would download, say, a disk image to you which would be automatically mounted on your desktop (with or without the safe files checkbox checked, mind you) and containing a shell script or AppleScript with exactly the same instructions (Delete what you can).

After THAT, the browser would send the "help://" URI with the path to the script in the mounted disk image on your desktop.

Roundabout for sure, but not too hard to create. THAT'S what scares me so much.

"And I’m the Admin on this machine."

I'm curious. Do you mean that you have superuser or root privileges or are you using the default Mac OS X user? You're not actually using the computer logged in as root, are you? Eek!

Thanks for highlighting this on your blog, Teresa!

#2 ::: Yoon Ha Lee ::: (view all by) ::: May 18, 2004, 10:25 PM:

Eek! rm bad if I'm not the one doing it...

One comment in the first link suggests this applies only to Panther. I'm still reading to find out whether I specifically need to do anything (I'm running Jaguar).

Thanks for pointing this out!

#3 ::: Chris Burkhardt ::: (view all by) ::: May 18, 2004, 10:27 PM:

No, I don't think it can run "rm -rf /", because the executable name can't have spaces in it (so you can't pass arguments to shell commands).

But what a malicious person CAN do is remotely mount a disk image which contains a script with no spaces in its name which calls "rm -rf /", which is in turn executed by this flaw.

More complicated, but the same sad result :)

#4 ::: Teresa Nielsen Hayden ::: (view all by) ::: May 18, 2004, 10:30 PM:

No no no. Not logged in as root. I'm not that imprudent.

The layman's version up there is word-for-word Patrick's explanation. He narrated, I transcribed.

Even if the commands are restricted, anything that can reach into my own desktop toolbar, fire up Terminal, and riffle through my files, is Plenty Bad Enough.

#5 ::: Chris Burkhardt ::: (view all by) ::: May 18, 2004, 10:30 PM:

d'oh, I'm slow and don't preview correctly even when I'm forced to. Sorry about that less understandable echo of Jay. :-[

Yoon: I haven't read whether this affects anything but Panther (though I rather suspect it does :-( )

#6 ::: Teresa Nielsen Hayden ::: (view all by) ::: May 18, 2004, 10:32 PM:

Chris, you and Jay Allen vibrate as one.

#7 ::: Graydon ::: (view all by) ::: May 18, 2004, 10:34 PM:

Teresa --

Why are you running anything so that your default shell's home directory is / ?

'Cause even without the horrid scary security hole, you're going to type the wrong thing someday; this is a law of nature.

rm -f * ~
~ not found

is a programmer joke for a reason. (The typical programmer editor uses ~ to indicate 'this is the backup file I made when I opened that file you told me to'; you want to clean those out from time to time, so, rm -f *~; if you get that space in there, and everyone has, poof, empty directory.)

#8 ::: Avram ::: (view all by) ::: May 18, 2004, 10:37 PM:

Oddly, More Internet wouldn’t let me use Chess as the substitute help app; it said Chess didn’t have a creator code. I used Cuppa instead. I’m using an old version of More Internet, which is probably the trouble.

#9 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 18, 2004, 10:38 PM:

"I'm curious. Do you mean that you have superuser or root priviliges or are you using the default Mac OS X user? You're not actually using the computer logged in as root are you? Eek!"

Not to worry. Teresa merely has "admin" privileges on her blue-and-white G3. She isn't running as root.

Of course, root is enabled, and she is the Empress of the Universe, so at any moment frogs might rain out of the sky, sheep might give birth to cows, and the Medium Lobster might be invited to join Crooked Timber, but those are the risks we live with in order to run a truly modern, multitasking, multi-threaded, hypersonic, scriptable, POSIX-compliant, cinnamon-flavored OS with moisture-trapping action. In which, naturally, Microsoft Word takes 45 to 90 seconds to launch. It's good that some things never change.

#10 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 18, 2004, 10:40 PM:

Graydon, there there. Teresa's home directory isn't actually at /. Niiiiiice literal-minded geek. Put the torches down and let's have story time now.

#11 ::: Teresa Nielsen Hayden ::: (view all by) ::: May 18, 2004, 10:44 PM:

Don't mind us. We're giggly with relief at getting that hole plugged.

I would never keep all my files in one directory. I'm constitutionally incapable of being that tidy and consistent. I wish I were, but I'm not.

#12 ::: James D. Macdonald ::: (view all by) ::: May 18, 2004, 10:45 PM:

This is a flaw in OS X, not in a particular browser. The hole works in MSIE, Firefox, Safari, Mozilla, Camino....

#13 ::: melissa ::: (view all by) ::: May 18, 2004, 10:49 PM:

Thanks for the information - fixing my system now. I greatly appreciate the helpful advice as well as the great humor
(the last posting...)

#14 ::: Graydon ::: (view all by) ::: May 18, 2004, 10:51 PM:

Patrick, tonight is the night I accidentally cooked rice in vinegar and buffalo blood, and it was good. I'm not presently willing to put strong limits on the possible strangeness of the universe.

#15 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 18, 2004, 10:51 PM:

Mostly, in fact, Teresa keeps her actual working files on the jiant external FireWire drive, and leaves her OS X "home directory" to be colonized by Microsoft Office config settings, AIM log files, Mail.app mailboxes, miscellaneous files on the Desktop, and the like.

I suspect a lot of migrators from OS 9 and before do the same. One of the glories of the old Mac OS was its liberality about file location. Expecting its habitues to adopt the rigors of Windows- or Unix-style filesystem organization is like asking Quakers to take up the Tridentine Mass. It's theoretically possible, but it isn't actually going to happen.

(Of course, the fact that Apple let Microsoft colonize the userspace "Documents" directory with its farking Office preferences folder didn't help, either.)

#16 ::: Matt McIrvin ::: (view all by) ::: May 18, 2004, 10:52 PM:

This all sounds legit, and More Internet looks like an app I need to get anyway.

But it's also worth mentioning to the people out there in Internet-land that if somebody says "There is a security hole in your computer!!! Quick, fix it, now! The way to do it is to download and install the following application..." and you don't at least do a little sanity checking before following directions, then you have a security hole in your brain.

#17 ::: Matt McIrvin ::: (view all by) ::: May 18, 2004, 10:55 PM:

...And, by the way, Patrick wasn't in fact advocating that people do that, so I hope nobody thought I was accusing him of it.

#18 ::: chance ::: (view all by) ::: May 18, 2004, 11:01 PM:

woof. thanks.

#19 ::: Joseph Holmes ::: (view all by) ::: May 18, 2004, 11:01 PM:

I'm always skeptical about these Mac OS X security flaws (so far, not a one has actually been exploited), but I've taken this one seriously because I trust the people reporting it and because it's such an easy, painless fix. But as I said, so far, this one exists in theory. No one has yet exploited it. And every few hours we seem to find a new wrinkle ("actually it can't run "rm -rf /", because..."

Nonetheless, um, I *have* taken the precautions. I like the little utility here: http://isophonic.net/

-=-Joe

#20 ::: Teresa Nielsen Hayden ::: (view all by) ::: May 18, 2004, 11:49 PM:

I want to know how Graydon did that.

Accidentally? Cooked? In buffalo's blood?

What?

Graydon, are you channeling James Nicoll?

#21 ::: Yoon Ha Lee ::: (view all by) ::: May 19, 2004, 12:03 AM:

--in case it's of interest to anyone, the exploit did indeed affect 10.2.6. Now that my headache has abated, I've patched it. Joseph Holmes, thanks for the link; it worked like a charm.

#22 ::: Nancy Hanger ::: (view all by) ::: May 19, 2004, 12:25 AM:

Strangely enough, it launches Help in 10.2.8, but Terminal doesn't start up (and, yes, I have Terminal on this machine and use it all the time).

(On this iBook, it launches Help, and then tells me it doesn't have a program associated with running "a du file" -- which makes me think it tried to launch Terminal but couldn't for reasons unclear to me.)

#23 ::: Graydon ::: (view all by) ::: May 19, 2004, 12:26 AM:

Teresa --

I mistook the small container of leftover marinade for the small container of dripping.

The butcher shop I favour had buffalo stew meat on for six bucks a pound a week or so back, but it needed marinading, being of its nature rather tough. The leftover marinade was mostly cider vinegar and blood with the odd bit of herbs and spices, as per usual, but I thought I might get to use it again. Wasn't expecting to cook rice in it, though.

One of those culinary things one isn't sure one dares try to do again on purpose.

#24 ::: Madeleine Robins ::: (view all by) ::: May 19, 2004, 12:33 AM:

Can anyone confirm that this Nasty Thingy only affects Panther and not earlier versions of OS X? Inquiring minds want to know...

#25 ::: Will "scifantasy" Frank ::: (view all by) ::: May 19, 2004, 12:47 AM:

Well, once I read this I tried to see if I should fix it for my sister's iMac (OS 10 or 10.1 at latest), and it didn't work...so I'd lean towards "not the earliest versions of OS X." As to Jaguar, I dunno.

#26 ::: Will "scifantasy" Frank ::: (view all by) ::: May 19, 2004, 12:48 AM:

Clarify: The hole wasn't there. It couldn't run "du" in the demo case.

#27 ::: Yoon Ha Lee ::: (view all by) ::: May 19, 2004, 12:59 AM:

Nancy, clearly I wasn't as much past the headache as I thought. The "du" thing was what happened to me, too, so the hole wasn't there (10.2.6). Nevertheless.

#28 ::: Lenny Bailes ::: (view all by) ::: May 19, 2004, 01:32 AM:

This sounds like it's similar to a "buffer overrun" flaw in the Windows XP help program. (There's a patch for that here.)

#29 ::: Phill ::: (view all by) ::: May 19, 2004, 01:39 AM:

This is actually a completely different class of bug to the buffer overrun bugs that are often reported in Microsoft code (and are endemic in almost all programs written in C or C++, including most of the Unix O/S).

There is a workaround for the spaces issue, so yes, you can run rm -f / if you know how, so fix the damn thing before the workaround is more widely known (and don't bother asking me what it is; you don't need to know).

#30 ::: Julia Jones ::: (view all by) ::: May 19, 2004, 01:43 AM:

I'm glad I wasn't the only one who thought that Graydon was channelling James - and even more glad that there was a rational explanation. :-)

#31 ::: David Goldfarb ::: (view all by) ::: May 19, 2004, 01:44 AM:

Oddly, More Internet wouldn’t let me use Chess as the substitute help app; it said Chess didn’t have a creator code.

The version I downloaded accepted Chess without a qualm. (And I did try going back to the demo URL, and it did start up Chess.)

#32 ::: super bun bun ::: (view all by) ::: May 19, 2004, 02:47 AM:

Not that I am about to try, but it might be possible to add that elusive space by URL-encoding the string. To add a space, you would simply put %20 in its place. So the command would look something like:

"help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='usr:bin:rm%20-rf"

Has this been tried yet?

#33 ::: Charlie Stross ::: (view all by) ::: May 19, 2004, 05:56 AM:

Hmm.

I tried setting the help:// handler to invoke XCode so I could see (and edit, and debug ...) whateverthehell it is that anyone exploiting the hole is throwing at me. Sadly, XCode doesn't seem to want to open the test scriptlets.

Must dig further into the OS/X developer docs ...

#34 ::: John (B). ::: (view all by) ::: May 19, 2004, 06:48 AM:

Just in case there are any people out there who are hesitant to act on this lest it prove to be an urban myth, MacFixIt now has a late breaker up on their site about this problem at the following URL:

http://www.macfixit.com/article.php?story=20040519024257161

I'll report back if I encounter any problems running the work around...

#35 ::: Jay Allen ::: (view all by) ::: May 19, 2004, 07:32 AM:

Chris, you and Jay Allen vibrate as one.

Oh God. Please, no one tell my girlfriend.

if somebody says "There is a security hole in your computer!!! Quick, fix it, now! The way to do it is to download and install the following application..." and you don't at least do a little sanity checking before following directions, then you have a security hole in your brain.

I get what you're saying and on principle, I agree with you. However, in this case seeing a hole in my operating system large enough to drive a Mack truck through pretty much gave me enough confidence that it was the right move. It was neither subtle nor theoretical.

#36 ::: Graydon ::: (view all by) ::: May 19, 2004, 08:10 AM:

Julia --

Despite James' greater skill with anecdote and my lesser tendency to scar, I have not had a life so free of odd and surprising trauma as it seems you must suppose.

#37 ::: Erik V. Olson ::: (view all by) ::: May 19, 2004, 08:18 AM:

1) This hole's pretty serious, but not the worst I've seen. Still, it's a bad hole. "patch <spackle >hole".

2) Jay - being an "Administrator" on OS X basically means that you have sudo usage rights. In the GUI, it means you can change the "locked/unlocked" status of the system control panels, and if you run an installer that needs admin privs (translation, calls sudo) your password, not the root password, is enough. Many, I'd even say most, OS X installations don't have the root account active at all.

There is a danger here -- if you've run something that fires sudo and asks you for the password, then this hole exploits "sudo rm -rf /", you've just lost.

3) Graydon -- no, OS X doesn't use / as the home directory for anyone, not even root (if you've enabled the account).

4) TNH -- however, just because your root doesn't mean this wouldn't hurt. If this script kicked off "rm -rf", the most likely place that command would run is in your home directory -- and since you almost certainly do have rights on everything in that directory, it would delete them all.

5) Phill -- is spot on. There's ways around the space issues, and fixing it is the right thing to do. And I'll quote Bruce Schneier "Patching doesn't work" and me "But patch anyway, since not patching is even worse."

6) In general. Any exploit that allows you to run a command with privs is one that can be exploited. Thus, even local exploits are worth patching. The combo that occurs is a remote, non-root exploit (which gets them on your box, but only as a user) and then a local root exploit (which lets them own the box.) Attacking a box from a local account is much easier than attacking remotely and getting root privs right away.

#38 ::: Jay Allen ::: (view all by) ::: May 19, 2004, 10:22 AM:

Jay - being an "Administrator" on OS X basically means that you...

Heh, thanks Erik. I'm aware. I've got one of those first generation Titanium lapwarmers doing its job. I simply wanted to be sure that Teresa wasn't doing day-to-day stuff logged in as root.

#39 ::: Peter da Silva ::: (view all by) ::: May 19, 2004, 10:27 AM:

This is exactly why I have been pushing in every forum I can, and sending feedback to Apple, for the past several months, urging that they back away from the increasing integration between the browser and other applications. Having a single set of bindings for trusted and untrusted sources is why Internet Explorer and Outlook have been security nightmares for most of the past decade.

I can understand Microsoft doing this: they have political reasons for "integrating" the desktop and the browser (they're not good reasons... trying to weasel out of an agreement with the DoJ is never a good reason). I can't understand Apple, though: there should be at least *two* unrelated sets of bindings... one to be used for applications that work with local documents and one for applications that work with untrusted documents... and the bindings for applications that work with untrusted documents should be *absolutely* minimal.

In fact, by default and in the absence of explicit user action nothing should ever be transferred from an untrusted document to another application, nor should there be any integration of trusted and untrusted namespaces. That includes:

Helper application for URL protocols (eg help:)
Helper applications for mime types (eg video/windows-media)
Helper applications for file extensions (eg .wma, .zip)
Internet-enabled disk images and installers.

If the target application is not known to be suitable for handling untrusted data, it must not be passed untrusted data.

If an application is known to be suitable for handling untrusted data, it must not be presented with helper applications that aren't similarly trusted.

This is a really basic security principle, one that nobody I know would have imagined would be commonly violated until Microsoft not only kicked it over but refused to pick it up again. For gods' sake, folks, don't accept the same insanity from Apple, and don't let Apple get away with a one-shot patch just for this specific instance of the problem... that way lies the Outlook-exploit-of-the-week syndrome.

#40 ::: Jill Smith ::: (view all by) ::: May 19, 2004, 10:35 AM:

The More Internet disk image doesn't mount on my machine (iBook, Panther). It is "not recognized."

Wha?

#41 ::: Dan Blum ::: (view all by) ::: May 19, 2004, 11:49 AM:

I would never keep all my files in one directory. I'm constitutionally incapable of being that tidy and consistent. I wish I were, but I'm not.

I think this must be another one of those basic dichotomies of the universe. I tend to keep everything in one directory (e.g., 26,000 e-mails in Outlook), but I think of this as being untidy - I can't be bothered to sort things, mostly. I do much the same thing with paper - make a big stack and shuffle through it when I need something.

#42 ::: Dan Hoey ::: (view all by) ::: May 19, 2004, 01:49 PM:

Matt McIrvin:

This all sounds legit, and More Internet looks like an app I need to get anyway.
But it's also worth mentioning to the people out there in Internet-land that if somebody says "There is a security hole in your computer!!! Quick, fix it, now! The way to do it is to download and install the following application..." and you don't at least do a little sanity checking before following directions, then you have a security hole in your brain.

I'm very, very paranoid on exactly that issue. Fortunately, you don't have to download any of those tools. You should have Internet Explorer on your OSX (even if you're wise enough not to use it for browsing) and IE's "Protocol helpers" preferences allow you to fix this problem. Just change the "help" and "disk" helpers to an innocuous app like Chess. I wanted to use Calculator, but that doesn't work for some reason, so whatever you use, test it.

Thanks to Leif, on Jay Allen's blog, for this fix.

#43 ::: Dan Hoey ::: (view all by) ::: May 19, 2004, 02:27 PM:

Jay: I get what you're saying and on principle, I agree with you. However, in this case seeing a hole in my operating system large enough to drive a Mack truck through pretty much gave me enough confidence that it was the right move. It was neither subtle nor theoretical.

Oddly enough, it was just this feature of the problem that made me more paranoid than usual. The technique of scaring people into doing something unwise is one of the big malware pumps on the net right now. It might even be more effective than the lures, since it pushes the victims so fast.

That's not to say that I have any reason to distrust moreInternet, misfox, or vince, other than the feeling of being pushed at them. But I'm very relieved that Internet Explorer can be used to fix the problem. And I didn't browse from a MacOSX system to search for the fix.

#44 ::: Clark E Myers ::: (view all by) ::: May 19, 2004, 02:42 PM:

Notice the social engineering was done long ago in an early Java sandbox - the sandbox considered "type a directory to the console" (but not to a network device) a perfectly safe command of purely local interest and so permitted it in all cases.

The social engineering was to have a website order a directory to the screen and display fixed text of "we are now [pick one: reading, copying or deleting] the following files"; none of this was happening.

Followed by panic followed by a chance to do the wrong thing.

I wonder who teaches social engineering, I'd like to read their texts.

#45 ::: EKM ::: (view all by) ::: May 19, 2004, 05:58 PM:

You can disable this exploit by removing the execute permissions of Help Viewer.app.

As root, issue a chmod 744 /System/Library/CoreServices/Help\ Viewer.app/

If you need to use Help Viewer.app afterwards, just restore the execute privileges to the wheel or other groups as appropriate. A small bother, but you don't even have to trust a third-party utility. Once Apple fixes this you can leave the execute permissions on again. The path might be different in earlier versions of OS X.

-EKM

#46 ::: Rachel Reiss ::: (view all by) ::: May 20, 2004, 11:02 AM:

Oh, my aching head. I'm running OS 10.2.8--does the hole affect me or not? (I've just spent over 2 days trying to fix a multitude of Classic problems, and have no more room in my head for understanding MacOS problems. Sigh.) Help!

#49 ::: Jay Allen ::: (view all by) ::: May 20, 2004, 12:22 PM:

Yes, I do believe that ALL 10.2.x systems are affected. See the section entitled "System applicability" on my updated post for more on that.

In addition, the telnet:// protocol is also exploitable. It's not as serious because arbitrary remote commands can't be executed, however an attacker can overwrite (zeroing-out) any file that a user has write permissions on.

#50 ::: erik nelson ::: (view all by) ::: May 20, 2004, 12:56 PM:

would simply changing the privileges of the Help Viewer be a sufficient fix?

#51 ::: Dan Hoey ::: (view all by) ::: May 20, 2004, 02:17 PM:

erik nelson: would simply changing the privileges of the Help Viewer be a sufficient fix?

No, it wouldn't affect the problems with the "disk" and "telnet" URI's at all. Anyway, I'd think running Internet Explorer (for its "Protocol Helpers" preference pane) would be easier for most users. Have people really gone to the trouble of deinstalling IE? Or is there a release of OSX that doesn't install it by default?

#52 ::: Rachel Reiss ::: (view all by) ::: May 20, 2004, 04:35 PM:

Is it enough to disable the "open safe files after downloading"?

#53 ::: Rachel Reiss ::: (view all by) ::: May 20, 2004, 04:37 PM:

(By the way, sorry for the inadvertent earlier triple post--I only sent it once, honest!)

#54 ::: Rachel Reiss ::: (view all by) ::: May 20, 2004, 05:13 PM:

Okay, never mind. I surrender. I cannot do just the minimum and expect it to work. I dutifully downloaded More Internet and redirected help, disk (after having to add it, it didn't turn up automatically in the list), and telnet to a game on my disk that I don't play. (MoreInternet wouldn't let me use Chess, I don't know why.) I've disabled the open-safe-documents preference. I bow to OS experts.

This has been a very bad week for me with MacOSs.

I'm starting to think that typewriters had their points.

#55 ::: Yoon Ha Lee ::: (view all by) ::: May 20, 2004, 06:54 PM:

Rachel Reiss: you're not alone. I love my Mac, but I feel longing for a typewriter. And I'm pretty sure I learned on a manual, and wouldn't mind one of those to play with. (Yes, I'm weird.)

#56 ::: Alan Hamilton ::: (view all by) ::: May 20, 2004, 09:14 PM:

There are three ways of dealing with the "I can't use a space here" problem in Unix/Linux/*nix: quoting, escaping, or substitution. Generally, one or more in combination will solve the problem.

Quoting is just "quote marks" or 'quote marks'. The main difference between " and ' is whether the shell will process what's in the quotes or not. 'My name is $HOSTNAME' will return the literal text My name is $HOSTNAME, while "My name is $HOSTNAME" will return My name is actual.machine.name.com .

Escaping is using a backslash to remove the special meaning of a character. This\ is\ escaped. The shell will consider that one word, not three as the backslash removes the special meaning of "separates a word" from the space. You can use it on other problem characters. "Quote marks (\") can be escaped". This lets you use a quote in the middle without closing the quoted text.

The tricky one is substitution. You use something that the shell considers a space, but that doesn't look like a space to other programs. For example, cd /usr requires typing a space between cd and /usr. Or not: cd${IFS}/usr. The $IFS is the Internal Field Separator. It contains the characters the shell will use to divide up words. The curly brackets {} prevent it from running into the text that follows it.

#57 ::: Kathy Li ::: (view all by) ::: May 20, 2004, 09:15 PM:

Went looking at Forwarding Address: OS X, which mentions a better fix than More Internet, RCDefaultApp. It's a Preference Pane.

If I understand correctly, the vulnerability can also be exploited through the disk:// and disks:// protocols, which don't show up in MisFox or More Internet. Additionally, there's a "disable" setting. (I had actually hooked help:// up to BioRhythm X :-).

#58 ::: Rachel Reiss ::: (view all by) ::: May 20, 2004, 09:16 PM:

Oh, I learned on a manual too--my mother's old college typewriter. I loved that thing, she let me use it when I was still in grade school, I felt so grown up. And I spent quite a bit of time poking at it until I figured out exactly how it worked, which meant I could at least understand what was wrong when it didn't work, which I can't, mostly, with my Mac. (And I love my Mac too, I have a 17" flat panel iMac, it's nice to look at and it does everything I need a computer to do. When it works. Which right now it doesn't, so much.)

#59 ::: Daniel Martin ::: (view all by) ::: May 20, 2004, 10:24 PM:

Ew. Ew Ew Ew Ew Ew. Attacks like this are especially nasty because they can be triggered by Cross site scripting attacks, so that it becomes dangerous even to follow links to sites you know and trust.

For example, you'd never expect a link to nielsenhayden.com to trigger a javascript window showing a famous phone number, would you? Cross-site scripting attacks require constant vigilance to root out, and can erase the distinction between "safe" and "unsafe" sites. In the past, cross-site scripting attacks against some of the builtin pages on Internet Explorer (which bypass IE's security) have caused Microsoft some embarrassment.

#60 ::: Ben Zvan ::: (view all by) ::: May 21, 2004, 07:54 PM:

I just looked at the terrifying demo and, acting without reading further, I decided that I could just "break" help a little. This fix isn't as drastic as EKM's fix since Help Viewer can still run this way. It also doesn't involve any 3rd party apps like the MoreInternet pane.

The responsible AppleScript has been named as /Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt, so you can just navigate your way to the file manually or copy the following line into the field that pops up when you type Shift-Command-G in the Finder:

/Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/

Then just rename the script "OpnApp.scpt" to "dontOpnApp.scpt".

What this does is keep the help viewer application from finding the script it uses for opening any other applications. If you use help regularly, this will keep you from using the function "Open System Preferences for me" etc. This won't affect any other possible protocol problems like telnet://starwars or ssh:// or file:/// though.

Thanks for pointing this out. I consider myself a mac guru and had no knowledge of this exploit. I had heard about the QuickTime hole though.

#61 ::: DV Girl ::: (view all by) ::: May 21, 2004, 08:51 PM:

I just got the software update pop-up on my Mac for Security Patch for 'HelpView and Terminal' as the listed features. I assume this is the 'official' patch from Apple.

#62 ::: Lisa Spangenberg ::: (view all by) ::: May 21, 2004, 10:42 PM:

Yep; it's the official Apple update. If you're really worried, download it now via Software Update. If, like me, you tend to let others find the bugs, you might wait a couple of days to make sure the kinks really are worked out. And if you really are like me, you'll likely want to run Disk Utility's Verify Permissions/Repair permissions after the install, just 'cause.

#63 ::: Just Helping ::: (view all by) ::: May 22, 2004, 02:33 PM:

the iCab browser (www.icab.de; currently a free "preview" version, but widely used) has a Preferences > Security setting, "Launch Programs by HTML Links", with choices like "Always Ask", "Always Permit", "Never Permit", etc. I haven't tried setting that to "Always Permit" to find out, but it sounds like that might solve the problem if set to "Never" or "Ask"? In general, iCab has pretty thorough preference settings available.

#64 ::: Rachel Reiss ::: (view all by) ::: May 22, 2004, 09:54 PM:

I've just downloaded the same Security Update. Kudos to all those who pointed it out, not only for providing fixes and so forth, but also for forcing Apple to finally address the problem!

Of course, this raises the question: does the update really fix the problem? Or do we still need the prescribed fixes? Inquiring minds want to know...

#65 ::: Dan Hoey ::: (view all by) ::: May 24, 2004, 11:51 AM:

Rachel Reiss: Of course, this raises the question: does the update really fix the problem? Or do we still need the prescribed fixes?

The update does not fix the problem. See, for example, secunia.com's advisory:

This vulnerability has been confirmed on a fully patched Mac OS X system (including the patch "Security Update 2004-05-24 for Mac OS X" released by Apple, which fixes the "help" URI handler vulnerability).

There's more at Sander Tekelenburg's site. Apple is still losing ground on this one.


#66 ::: Rachel Reiss ::: (view all by) ::: May 25, 2004, 09:29 AM:

Dan: Thanks for that last link--I followed the advice there and downloaded Paranoid Android on the "every little bit helps" theory. Hope I've finally got a safe system, but of course there's no such thing, really.

#67 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 25, 2004, 03:14 PM:

John Gruber sums up the current state of play with admirable clarity here.

Short version:

Download and install Apple's patch.

Turn off Safari’s "Open 'safe' files after downloading" preference.

Get RCDefaultApp. (If you already installed More Internet, get rid of it.) Use it to set the following protocols to "disabled":

afp:
disk:
disks:
telnet:

Finally, either disable "ftp:" or set it to a real FTP program, i.e., not the default setting of the Finder.

You do not need Paranoid Android if you do all of that; and, in general, "haxies" are well to avoid if you don't need them.
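
As an added example (not part of the thread, of Gruber's posts, or of RCDefaultApp), here is a POSIX shell script that audits the two things on Patrick's checklist that you can check from Terminal: whether the afp:, disk:, disks:, telnet: and ftp: schemes have been moved off the Finder/Terminal defaults, and whether Safari's "open safe files" box is off. It only reads settings; changing them is still RCDefaultApp's job. Two assumptions that this page does not confirm are labelled in the code: that per-user scheme overrides appear as an LSHandlers array in the com.apple.LaunchServices preference domain, and that Safari's checkbox is the AutoOpenSafeDownloads key. Off a Mac (no `defaults` command) it runs over a constructed sample dump instead, so the parsing can be tried anywhere.

```shell
#!/bin/sh
# Added example, not from the thread, from Gruber, or from RCDefaultApp.
# Audits the per-user URL-scheme bindings Patrick's checklist says to
# disable, plus Safari's "open safe files" switch. Read-only.
#
# Assumptions (not confirmed by the page): scheme overrides live in the
# LSHandlers array of com.apple.LaunchServices, one dict per entry with
# LSHandlerURLScheme / LSHandlerRoleAll keys; Safari's checkbox is the
# AutoOpenSafeDownloads key. Both are read with `defaults read`.

RISKY_SCHEMES="afp disk disks telnet ftp"

# Constructed sample in `defaults read` style, standing in for a real dump:
# telnet still on Terminal, ftp moved to a made-up third-party client.
SAMPLE_LSHANDLERS='(
        {
        LSHandlerRoleAll = "com.apple.Terminal";
        LSHandlerURLScheme = telnet;
    },
        {
        LSHandlerRoleAll = "org.example.ftpclient";
        LSHandlerURLScheme = ftp;
    }
)'

# stdin: LSHandlers dump. stdout: one "scheme<TAB>handler" line per entry.
parse_lshandlers() {
    awk '
        /LSHandlerURLScheme/ { gsub(/[";]/, ""); scheme = $NF }
        /LSHandlerRoleAll/   { gsub(/[";]/, ""); handler = $NF }
        /^[[:space:]]*},?[[:space:]]*$/ {
            if (scheme != "") printf "%s\t%s\n", scheme, handler
            scheme = ""; handler = ""
        }
    '
}

# stdin: output of parse_lshandlers. One report line per risky scheme:
# FLAG if it has no override (system default) or is bound to the Finder
# or Terminal, OK otherwise. Returns 1 if anything was flagged.
audit_schemes() {
    bindings=$(cat)
    rc=0
    for s in $RISKY_SCHEMES; do
        handler=$(printf '%s\n' "$bindings" | awk -F '\t' -v s="$s" '$1 == s { print $2; exit }')
        case "$(printf '%s' "$handler" | tr 'A-Z' 'a-z')" in
            "")
                echo "FLAG $s: no override, system default handler"; rc=1 ;;
            com.apple.finder|com.apple.terminal)
                echo "FLAG $s: bound to $handler"; rc=1 ;;
            *)
                echo "OK   $s: bound to $handler" ;;
        esac
    done
    return $rc
}

# $1: raw value of `defaults read com.apple.Safari AutoOpenSafeDownloads`.
# Returns 0 only when the preference is explicitly off; Safari's default is on.
autoopen_is_off() {
    case "$1" in
        0|false|FALSE|no|NO) return 0 ;;
        *) return 1 ;;
    esac
}

# Live run on a Mac; elsewhere, exercise the constructed sample.
run_audit() {
    overall=0
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.LaunchServices LSHandlers 2>/dev/null \
            | parse_lshandlers | audit_schemes || overall=1
        v=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
        if autoopen_is_off "$v"; then
            echo "OK   Safari AutoOpenSafeDownloads is off"
        else
            echo "FLAG Safari AutoOpenSafeDownloads is '${v:-unset (default on)}'"; overall=1
        fi
    else
        echo "(no defaults command; auditing the constructed sample)"
        printf '%s\n' "$SAMPLE_LSHANDLERS" | parse_lshandlers | audit_schemes || overall=1
    fi
    return $overall
}

run_audit || :
```

A scheme that shows up as FLAG with "no override" is simply still on whatever Launch Services ships as the default (Finder for afp:, disk:, disks: and ftp:, Terminal for telnet:), which is the state the checklist is telling you to get out of; a scheme "disabled" in RCDefaultApp, or pointed at a real FTP client, should come back OK.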

#68 ::: Dan Hoey ::: (view all by) ::: May 25, 2004, 04:15 PM:

Patrick: ...Get RCDefaultApp. (If you already installed More Internet, get rid of it.) Use it to set the following protocols to "disabled"...

I'm still missing why you advise RCDefaultApp over More Internet, or either of them over Internet Explorer. I used IE to set the handler for those URIs to a safe application, and the tests John Gruber points to run that application.

I think IE is still included in MacOS, isn't it? I'm no fan of IE, but when it's already there, and it seems to do the trick, why download a new tool?

#69 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 25, 2004, 04:51 PM:

I said I was summarizing Gruber; for further explanations, read his actual posts. (He's a good explainer, generally worth reading anyway.)

Regarding More Internet or MSIE, as I understand it, either of those is probably OK. The advantage of RCDefaultApp is that you can simply disable a protocol, rather than setting it to some silly alternate app. Clearer and more elegant, to some values of elegant.

(Of course, by "disable", we mean disconnect the protocol from LaunchServices, I believe. AFP, disk images, telnet, etc., will all still work fine; they just won't fire up as the result of the user clicking J. Random URL.)

It's a fine point. If you prefer to use "More Internet" or the settings buried in MSIE, you'll undoubtedly be secure.

#70 ::: Rachel Reiss ::: (view all by) ::: May 25, 2004, 04:58 PM:

Thanks, Patrick. I followed your instructions--admirably clear and lucid (and yes, I prefer "disabled" to launching a game!), by the way--except that I couldn't disable "disks:" in URL, because it doesn't seem to exist.

(Where does one get a real FTP program, she wonders, quietly to herself.)

I have a headache, but I think I feel safer. (But there's always something...I'm not really paranoid, it's just that they are all out to get me.)

#71 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 25, 2004, 05:05 PM:

There are lots of FTP programs available for OS X. I personally like the old command-line stalwart ncftp, but if you want a nice front end, Fugu is open-source and supports secure ftp, scp, and ssh.

Are you saying the "disks" protocol wasn't listed in the URL tab of RCDefaultApp? Are you using Jaguar or Panther?

(For extra entertainment, imagine the above two paragraphs being read aloud at the 1956 Worldcon banquet.)

#72 ::: Dan Hoey ::: (view all by) ::: May 25, 2004, 06:23 PM:

Patrick, I actually did read John Gruber's page, and didn't get the difference between RCDefaultApp and the other solutions. But he answered his e-mail, and by reading words of few syllables I finally got it.

The actual database we have to edit is called "Launch Services", but MSIE, MoreInternet, and MisFox edit a compatibility database called "Internet Config". When you set a URI handler in IC, it writes through to LS, so the vulnerability is patched. But from the IC level you don't see those URIs that have been registered in LS but not IC. That's why you have to create a disks: URI if you're using an IC-based tool.

#73 ::: Rachel Reiss ::: (view all by) ::: May 25, 2004, 06:28 PM:

Thank you for the pointer (not to mention all the help--which of course I just mentioned, so just pretend I didn't)--I'll give Fugu a look-see.

And yes (she said confusingly), the "disks" protocol wasn't listed in the URL tab of RCDefaultApp, only "disk". Which I disabled. And I'm running 10.2.8--maybe it doesn't exist yet? ...and now it sounds like I'm time traveling, which would be even more appropriate (read aloud etc.)

#74 ::: David Goldfarb ::: (view all by) ::: May 26, 2004, 12:14 AM:

So how do I get rid of MoreInternet? It's...less than obvious.

#75 ::: Patrick Nielsen Hayden ::: (view all by) ::: May 26, 2004, 12:20 AM:

Depending on whether you installed it for "all users on this machine" or just yourself, it's either in /Library/PreferencePanes/, or ~/Library/PreferencePanes/ -- i.e., either the system library or your user library.

To uninstall, drag the file to the trash. You won't be able to empty the trash until you restart (or at least re-login), but don't worry about it.

#76 ::: David Goldfarb ::: (view all by) ::: May 26, 2004, 03:43 AM:

Thanks. Actually, I was able to empty the trash with the preference pane in....

#77 ::: Marina ::: (view all by) ::: August 17, 2004, 10:26 AM:

I wonder if I have a normal blog site structure..I would appreciate your coming to my blog and leaving some "fresh" ideas and proposals concerning what it is better to rebuild or reorganize.
I need your help and support. Thanks.

#78 ::: Tom Whitmore wonders whether this is comment spam ::: (view all by) ::: August 17, 2004, 10:59 AM:

Haven't checked, but this msg sure looks like it might be!

#79 ::: Andy Perrin (thinks it's not CS) ::: (view all by) ::: August 17, 2004, 11:03 AM:

There's a real blog on the other end. I think it's just a poster in need of gorm.

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012 by Patrick & Teresa Nielsen Hayden. All rights reserved.