Mac OS X vulnerability

This entry was published at least two years ago (originally posted on May 19, 2004). Since that time the information may have become outdated or my beliefs may have changed (in general, assume a more open and liberal current viewpoint). A fuller disclaimer is available.

News broke across the ‘net over the past day or so that there is a verifiable, serious security threat under Mac OS X 10.3 (Panther) involving Safari (or any other web browser) and the Help viewer application.

What’s going on is that Mac OS X maps different “helper applications” to handle different protocols as you surf around the internet. A ‘net address that begins with http:// is handled by Safari (or your default web browser), an address that begins with ftp:// is handled by the Finder’s built-in FTP, and so on.

By default, the help:// protocol is handed off to Apple’s Help application, which (no big surprise here) is a viewer for documentation for OS X applications. Some documentation is stored locally on your hard drive, but Apple wanted to make it easy for updates to the documentation to be added, so Help also has the ability to fetch documents over the ‘net — essentially, it’s a stripped-down web browser. And that’s where the vulnerability kicks in.

While Safari has built-in controls to prevent malicious attacks, the Help viewer does not. It is able to run scripts that are fed to it, and can do so with the full user permissions of whichever user is logged in to the machine at the moment.

In this rather disturbing example of the exploit, the web page makes a help:// call, which launches the Help application. Help is then directed to an AppleScript which is fed the terminal command ‘du’ (disk usage, I believe), which presents a scrolling list of all the files on your hard drive inside a terminal window. Now, this is just an example, so it’s harmless — but if the AppleScript or the terminal command had been more malicious in nature, some serious damage could have been done.

Luckily, the fix for this is quite simple:

  1. In Safari, go to Safari > Preferences…. In the “General” settings pane, uncheck “Open ‘safe’ files after downloading.”
  2. Download and install the ~~More Internet Preference Pane~~ [RCDefaultApp preference pane]{.underline}.
  3. Open your System Preferences (Apple Menu > System Preferences…) and go to the ~~More Internet~~ RCDefaultApp{.underline} preference pane (it should be at the very bottom of the System Preferences window).
  4. Scroll down the protocol list and click on the ‘help’ protocol, then ~~change that to an application other than Safari or Help — many people are recommending changing it to the Chess game application, as it’s harmless and will provide a distinct visual clue that something has happened~~ [set it to ‘\<disabled>’. Do the same for the ‘disk’ and ‘disks’ protocols]{.underline}.
  5. There is no step 5. You’re done!
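The steps above are done by hand in a preference pane, which makes it easy to miss one of the three protocols. The script below is an added example (not from this post or from RCDefaultApp) that audits a Launch Services handler list and reports which application, if any, is still bound to the help, disk and disks protocols. It assumes the handler list is a plist with an LSHandlers array of dictionaries keyed LSHandlerURLScheme and LSHandlerRoleAll, that a handler of “-” means nothing is registered, and the sample plist and bundle identifiers it parses are constructed for illustration.

```python
"""Audit which application handles the URL schemes the Help-viewer issue abuses.

Added example, not from the original post. The plist layout (LSHandlers array,
LSHandlerURLScheme / LSHandlerRoleAll keys, "-" meaning no handler) is an
assumption about the Launch Services preferences; the sample data is constructed.
"""
import plistlib

# Schemes that step 4 of the post says should be set to '<disabled>'.
RISKY_SCHEMES = ("help", "disk", "disks")

# Constructed sample: 'help' is still bound to the Help viewer, 'disk' has the
# "-" placeholder, and 'disks' has no entry at all.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key><string>http</string>
      <key>LSHandlerRoleAll</key><string>com.apple.safari</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key><string>help</string>
      <key>LSHandlerRoleAll</key><string>com.apple.helpviewer</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key><string>disk</string>
      <key>LSHandlerRoleAll</key><string>-</string>
    </dict>
  </array>
</dict>
</plist>
"""


def scheme_handlers(plist_bytes):
    """Map each URL scheme in the LSHandlers array to its registered bundle id."""
    prefs = plistlib.loads(plist_bytes)
    handlers = {}
    for entry in prefs.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            handlers[scheme.lower()] = entry.get("LSHandlerRoleAll")
    return handlers


def audit_risky_schemes(plist_bytes, risky=RISKY_SCHEMES):
    """Return {scheme: 'disabled'} when nothing is bound to the scheme,
    otherwise {scheme: bundle_id} naming the application that would be launched."""
    handlers = scheme_handlers(plist_bytes)
    report = {}
    for scheme in risky:
        bundle = handlers.get(scheme)
        report[scheme] = "disabled" if bundle in (None, "-") else bundle
    return report


def is_mitigated(plist_bytes, risky=RISKY_SCHEMES):
    """True only when every risky scheme is disabled."""
    return all(status == "disabled"
               for status in audit_risky_schemes(plist_bytes, risky).values())


if __name__ == "__main__":
    for scheme, status in audit_risky_schemes(SAMPLE_PLIST).items():
        print(f"{scheme}:// -> {status}")
    print("mitigated" if is_mitigated(SAMPLE_PLIST) else "NOT mitigated")
```

Run against the sample, the audit flags help:// as still handled by the Help viewer while disk:// and disks:// show as disabled, so the machine is reported as not yet mitigated; pointing the script at the real handler list on a Panther machine instead of the constructed sample is the practical use.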

(via lots and lots of people)

Update: John Gruber recommends another application for the same approach, as MoreInternet doesn’t show the disk:// and disks:// protocols that can also be used for this attack.

iTunes: “Coda” by Webley, Jason from the album Only Just Beginning (2004, 10:10).