Monday, May 24, 2004

The OS X security vulnerability is generalized and serious

Daring Fireball: About the Help Viewer Security Update, and, Also, Why I Don't Think You Need Paranoid Android

Security is expensive and customers don't value it that highly. The OS X security problem are deep and are related to an infrastructure with nice capabilities, but absent security. A good summary:
... This is a generalized and serious vulnerability in Mac OS X:

1. Remote web server causes a volume to be mounted in the file system, and the contents of the volume are displayed by the Finder.
2. The now-mounted remote volume contains a malicious application that contains an Info.plist file that asks to register a custom URI scheme with Launch Services.
3. Upon displaying the malicious application, the Finder registers the new URI scheme, as per the app’s Info.plist file.
4. After waiting a few seconds for steps 1-3 to occur, the remote web server sends another URI, using the newly-registered scheme.
5. Launch Services will launch the remote application.

The key to prevention is to nip it at step #1, and prevent remote servers from automatically mounting volumes in your file system.

To protect your Mac, you should definitely disable the following URI protocols, using RCDefaultApp:

* disk:
* disks:
* afp:

You should also assign the ‘ftp:’ protocol to any application other than the Finder. (Or disable it, but I think that’s overkill.)

‘afp:’ is the scheme for AppleShare servers; I have confirmed that an ‘afp:’ URI in the following form will allow a remote AppleShare volume to be mounted automatically and silently:


Note that disabling the ‘afp:’ protocol using RCDefaultApp will not prevent you from connecting to AppleShare servers manually. You can still connect to AppleShare servers using the Finder’s Connect to Server command, or using the Network dingus in a Finder window sidebar. Disabling the ‘afp:’ protocol merely prevents ‘afp:’ URIs from being passed to the Finder from other applications — e.g. a web browser.

You must also make sure your web browser and ‘ftp:’ handler do not automatically expand or process quote-unquote “safe” files.

No comments: