Archives: May 2004
Fri May, 21 2004
Mac OS X Security Hole
Sander Tekelenburg has written a great description of the issues involved in the Mac OS X URI Handler Arbitrary Code Execution security hole. The new "help protocol" security hole is a serious one. I've written before to debunk the stupid exaggerations of the Trojan Horses recently released. Those amounted to "don't run bad programs - bad programs can do bad things."
This "help protocol" problem is serious - it can affect a Mac user who has done nothing more foolish than visit a web site. Not just dangerous ones either. People could easily post links to dangerous sites on forums and deceive people into clicking those links.
Apple better fix this quickly. In the meantime, there are several fixes available. A bunch are discussed at MacOSXHints.com. It doesn't sound like Don't Go There GURLfriend does enough. Either manually reset the help protocol handler and disable "open safe files" or use something that does more than just modify the script containing the flawed code.
Thu May, 13 2004
Intego attacks Mac OS X
Fear-mongering software maker Intego has done it again: taken the obvious idea that you should not run applications whose contents you cannot trust and turned it into a supposed "security threat." Come on, Intego, Apple has real security issues to take care of, without having to figure out a way to prevent a user from deleting his own files. The most telling quote from Intego:
"This Trojan horse highlights a serious weakness with Mac OS X. Since it is built on a Unix foundation, it can run powerful commands very easily. These commands can delete or damage a user's files with no warning, and AppleScript offers no protection against malicious commands."
Ah, yes, the horrible dangers of being able to delete your own files.
This has nothing to do with the capabilities of AppleScript, the command line, or anything. You could write an application that did this using: BASIC, Perl, Pascal, C, C++, Objective-C, Python, Ruby, bash-shell, c-shell, zsh, tcsh, Ada, AppleScript, Lisp, Scheme, Java, and just about any other language that has the ability to make file system calls.
This is just a simple reminder that you should NOT run applications that you don't know are safe. Anyone could write a "trojan horse" for any platform that does this. Programs routinely have the ability to delete files and/or folders - they need to. Something like this could be written for any operating system, and if the user is dumb enough to run it, there is nothing you can do.
Do you want to verify every time your web browser decides to clear old files from its cache?
Intego is outright lying when they say this exposes a "serious weakness in OS X." Yeah, the weakness of letting a user delete his own files. Perhaps you should be forced to save all files onto CD. None of this crazy read-write media for you.
Apple may even have grounds to sue for damage to business. Intego's claims cross the typical fear-mongering of anti-virus companies into outright slander.
So, there is NOTHING for Apple (or Microsoft, for that matter) to do about this. The spokespeople quoted here are probably going to have to take a day off to recover from having to deal with all the numbskulls this lie brought out of the woodwork.
No offense to TMO, but this needs to be completely exposed for the lie it is. Doesn't hurt to remind people to avoid being stupid, though.
"Hey, Johnny - if someone tells you to drag your Home directory into the Trash can and then choose 'Secure Empty Trash' from the File menu, don't do it."