As you may be aware, a potentially serious security vulnerability
has been identified in Apple's Mac OS X operating system.
Earlier this week, this issue was discussed on the MAGNet and
Micronet lists (archived at
<http://ls.berkeley.edu/mail/micronet/2004/0734.html>). This is a
follow-up:
1) All Mac OS X users are potentially at risk from this
vulnerability, which can give an attacker the
power to run an arbitrary script on your computer with
the same privileges that you have as the current user.
Exploits of this vulnerability appear to be simple to
create, so the risk is real. You should make sure that
your Macintosh, as well as any Macintoshes you support,
are protected from this vulnerability.
2) There is an excellent, concise summary of the vulnerability on
John Gruder's "Daring Fireball" blog:
"Disabling Unsafe URI Handlers With RCDefaultApp"
http://daringfireball.net/2004/05/unsafe_uri_handlers
3) Apple has just released a "Security Update 2004-05-24"
that is intended to address this issue. At least under
Mac OS X 10.3 ("Panther"), this update is now available
via Software Update. (In Panther, you can select
"Software Update..." from the Apple menu; in earlier
versions of Mac OS X, you can select "System Preferences..."
from the Apple menu and click "Software Update".)
The brief description of this Security Update states that it
includes an update to the Help Viewer application.
4) John's Gruder's article, above, was written before this
Security Update was released. It isn't clear at this time
whether additional steps might still be required to obtain
protection from this vulnerability, beyond the just-released
update from Apple.
Nonetheless ...
5) John's article suggests that you use the free RCDefaultApp
preference pane to disable handling of the "help:", "disk:",
and "disks:" protocols. It describes where to obtain RCDefaultApp
and how to use it to disable handling of these protocols.
(He also suggests disabling handling of the "telnet:" protocol
to protect against a second, unrelated vulnerability.)
It might still be prudent, at least on a temporary basis, to
follow these suggestions - to disable handling of certain
protocols - until it is crystal clear that this just-released Security
Update or a successor update, if any, completely addresses the
protocol-handling vulnerabilities in Mac OS X.
Aron Roberts
Workstation Software Support Group
P.S. John Gruder's suggestion that you use RCDefaultApp is preferable
to one I made in a posting on Wednesday, which described how you can
use the More Internet Preference Pane to disable handling of various
protocols. This is because RCDefaultApp presents a more complete
list of protocols, and allows disabling them outright, rather than
just assigning their handling to an arbitrary, harmless application,
such as Apple's Chess application.
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <http://magnet.berkeley.edu/>.
Received on Fri May 21 16:10:21 2004
This archive was generated by hypermail 2.1.8 : Fri May 21 2004 - 16:10:21 PDT