That is a pretty damn near perfect laymen's explanation.

"This is where “rm -rf” and other nightmares come in. "

Well, I actually, that's where we're "lucky". Due to a technical restriction, the command actually can't have any spaces in it. Thank God for small miracles.

However, just before kicking off the help:// link, the malicious web page could launch a send your browser a "disk://..." URI which would download, say, a disk image to you which would be automatically mounted on your desktop (with or without the safe files checkbox checked mind you) and containing a shell script or Applescript contained inside with exactly the same instructions (Delete what you can).

After THAT, the browser would send the "help://" URI with the path to the script in the mouted diskimage on your desktop.

Roundabout for sure, but not too hard to create. THAT'S what scares me so much.

"And I’m the Admin on this machine.

I'm curious. Do you mean that you have superuser or root priviliges or are you using the default Mac OS X user? You're not actually using the computer logged in as root are you? Eek!

Thanks for highlighting this on your blog, Teresa!

One comment in the first link suggests this applies only to Panther. I'm still reading to find out whether I specifically need to do anything (I'm running Jaguar).

Thanks for pointing this out!

But what a malicious person CAN do is remotely mount a disk image which contains a script with no spaces in it's name which calls "rm -rf /", which is in turn executed by this flaw.

More complicated, but the same sad result :)

The layman's version up there is word-for-word Patrick's explanation. He narrated, I transcribed.

Even if the commands are restricted, anything that can reach into my own desktop toolbar, fire up Terminal, and riffle through my files, is Plenty Bad Enough.

Yoon: I haven't read whether this affects anything but Panther (though I rather suspect it does :-( )

Why are you running anything so that your default shell's home directory is / ?

'Cause even without the horrid scary security hole, you're going to type the wrong thing someday; this is a law of nature.

rm -f * ~
~ not found

is a programmer joke for a reason. (The typical programmer editor uses ~ to indicate 'this is the backup file I made when I opened that file you told me to'; you want to clean those out from time to time, so, rm -f *~; if you get that space in there, and everyone has, poof, empty directory.)

Not to worry. Teresa merely has "admin" privileges on her blue-and-white G3. She isn't running as root.

Of course, root is enabled, and she is the Empress of the Universe, so at any moment frogs might rain out of the sky, sheep might give birth to cows, and the Medium Lobster might be invited to join Crooked Timber, but those are the risks we live with in order to run a truly modern, multitasking, multi-threaded, hypersonic, scriptable, POSIX-compliant, cinnamon-flavored OS with moisture-trapping action. In which, naturally, Microsoft Word takes 45 to 90 seconds to launch. It's good that some things never change.

I would never keep all my files in one directory. I'm constitutionally incapable of being that tidy and consistent. I wish I were, but I'm not.

I suspect a lot of migrators from OS 9 and before do the same. One of the glories of the old Mac OS was its liberality about file location. Expecting its habitues to adopt the rigors of Windows- or Unix-style filesystem organization is like asking Quakers to take up the Tridentine Mass. It's theoretically possible, but it isn't actually going to happen.

(Of course, the fact that Apple let Microsoft colonize the userspace "Documents" directory with its farking Office preferences folder didn't help, either.)

But it's also worth mentioning to the people out there in Internet-land that if somebody says "There is a security hole in your computer!!! Quick, fix it, now! The way to do it is to download and install the following application..." and you don't at least do a little sanity checking before following directions, then you have a security hole in your brain.

Nonetheless, um, I *have* taken the precautions. I like the little utility here: http://isophonic.net/

-=-Joe

Accidentally? Cooked? In buffalo's blood?

What?

Graydon, are you channeling James Nicoll?

(On this iBook, it launches Help, and then tells me it doesn't have a program associated with running "a du file" -- which makes me think it tried to launch Terminal but couldn't for reasons unclear to me.)

I mistook the small container of leftover marinade for the small container of dripping.

The butcher shop I favour had buffalo stew meat on for six bucks a pound a week or so back, but it needed marinading, being of its nature rather tough. The leftover marinade was mostly cider vinegar and blood with the odd bit of herbs and spices, as per usual, but I thought I might get to use it again. Wasn't expecting to cook rice in it, though.

One of those culinary things one isn't sure one dares try to do again on purpose.

There is a work arround for the spaces issue, so yes you can run rm -f / if you know how, so fix the damn thing before the work arround is more widely known (and don't bother asking me what it is you don't need to know).

The version I downloaded accepted Chess without a qualm. (And I did try going back to the demo URL, and it did start up Chess.)

"help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='usr:bin:rm%20-rf"

Has this been tried yet?

I tried setting the help:// handler to invoke XCode so I could see (and edit, and debug ...) whateverthehell it is that anyone exploiting the hole is throwing at me. Sadly, XCode doesn't seem to want to open the test scriptlets.

Must dig further into the OS/X developer docs ...

http://www.macfixit.com/article.php?story=20040519024257161

I'll report back if I encounter any problems running the work around...

Oh God. Please, no one tell my girlfriend.

if somebody says "There is a security hole in your computer!!! Quick, fix it, now! The way to do it is to download and install the following application..." and you don't at least do a little sanity checking before following directions, then you have a security hole in your brain.

I get what you're saying and on principle, I agree with you. However, in this case seeing a hole in my operating system large enough to drive a Mack truck through pretty much gave me enough confidence that it was the right move. It was neither subtle nor theoretical.

Despite James' greater skill with anecdote and my lesser tendency to scar, I have not had a life so free of odd and surprising trauma as it seems you must suppose.

2) Jay - being an "Administrator" on OS X basically means that you have sudo usage rights. In the GUI, it means you can change the "locked/unlocked" status of the system control panels, and if you run an installer that needs admin privs (translation, calls sudo) your password, not the root password, is enough. Many, I'd even say most, OS X installations don't have the root account active at all.

There is a danger here -- if you've run something that fires sudo and asks you for the password, then this hole exploits "sudo rm -rf /", you've just lost.

3) Graydon -- no, OS X doesn't use / as the home directory for anyone, not even root (if you've enable the account.)

4) TNH -- however, just because your root doesn't mean this wouldn't hurt. If this script kicked off "rm -rf", the most likely place that command would run is in your home directory -- and since you almost certainly do have rights on everything in that directory, it would delete them all.

5) Phill -- is spot on. There's ways around the space issues, and fixing it is the right thing to do. And I'll quote Bruce Schneier "Patching doesn't work" and me "But patch anyway, since not patching is even worse."

6) In general. Any exploit that allows you to run a command with privs is one that can be exploited. Thus, even local exploits are worth patching. The combo that occurs is a remote, non-root exploit (which gets them on your box, but only as a user) and then a local root exploit (which lets them own the box.) Attacking a box from a local account is much easier than attacking remotely and gettint root privs right away.

Jay - being an "Administrator" on OS X basically means that you...

Heh, thanks Erik. I'm aware. I've got one of those first generation Titanium lapwarmers doing its job. I simply wanted to be sure that Teresa wasn't doing day-to-day stuff logged in as root.

I can understand Microsoft doing this: they have political reasons for "integrating" the desktop and the browser (they're not good reasons... trying to weasel out of an agreement with the DoJ is never a good reason). I can't understand Apple, though: there should be at least *two* unrelated sets of bindings... one to be used for applications that work with local documents and one for applications that work with untrusted documents... and the bindings for applications that work with untrusted documents should be *absolutely* minimal.

In fact, by default and in the absence of explicit uuser action nothing should ever be transferred from an untrusted document to another application, or any integration of trusted and untrusted namespaces. That includes:

Helper application for URL protocols (eg help:)
Helper applications for mime types (eg video/windows-media)
Helper applications for file extensions (eg .wma, .zip)
Internet-enabled disk images and installers.

If the target application is not known to be suitable for handling untrusted data, it must not be passed untrusted data.

If an application is known to be suitable for handling untrusted data, it must not be presented with helper applications that aren't similarly trusted.

This is a really basic security principle, one that nobody I know would have imagined would be commonly violated until Microsoft not only kicked it over but refused to pick it up again. For gods' sake, folks, don't accept the same insanity from Apple, and don't let Apple get away with a one-shot patch just for this specific instance of the problem... that way lies the Outlook-exploit-of-the-week syndrome.

Wha?

I think this must be another one of those basic dichotomies of the universe. I tend to keep everything in one directory (e.g., 26,000 e-mails in Outlook), but I think of this as being untidy - I can't be bothered to sort things, mostly. I do much the same thing with paper - make a big stack and shuffle through it when I need something.

This all sounds legit, and More Internet looks like an app I need to get anyway.

But it's also worth mentioning to the people out there in Internet-land that if somebody says "There is a security hole in your computer!!! Quick, fix it, now! The way to do it is to download and install the following application..." and you don't at least do a little sanity checking before following directions, then you have a security hole in your brain.

I'm very, very paranoid on exactly that issue. Fortunately, you don't have to download any of those tools. You should have Internet Explorer on your OSX (even if you're wise enough not to use it for browsing) and IE's "Protocol helpers" preferences allow you to fix this problem. Just change the "help" and "disk" helpers to an innocuous app like Chess. I wanted to use Calculator, but that doesn't work for some reason, so whatever you use, test it.

Thanks to Leif, on Jay Allen's blog, for this fix.

Oddly enough, it was just this feature of the problem that made me more paranoid than usual. The technique of scaring people into doing something unwise is one of the big malware pumps on the net right now. It might even be more effective than the lures, since it pushes the victims so fast.

That's not to say that I have any reason to distrust moreInternet, misfox, or vince, other than the feeling of being pushed at them. But I'm very relieved that Internet Explorer can be used to fix the problem. And I didn't browse from a MacOSX system to search for the fix.

The social engineering was to have a website order a directory to the screen and display fixed text of we are now pick one reading or copying or deleting the following files none of this was happening.

Followed by panic followed by a chance to do the wrong thing.

I wonder who teaches social engineering, I'd like to read their texts.

In addition, the telnet:// protocol is also exploitable. It's not as serious because arbitrary remote commands can't be executed, however an attacker can overwrite (zeroing-out) any file that a user has write permissions on.

No, it wouldn't affect the problems with the "disk" and "telnet" URI's at all. Anyway, I'd think running Internet Explorer (for its "Protocol Helpers" preference pane) would be easier for most users. Have people really gone to the trouble of deinstalling IE? Or is there a release of OSX that doesn't install it by default?

This has been a very bad week for me with MacOSs.

I'm starting to think that typewriters had their points.

Quoting is just "quote marks" or 'quote marks'. The main difference between " and ' is whether the shell will process what's in the quotes or not. 'My name is $HOSTNAME' will return the literal text My name is $HOSTNAME, while "My name is $HOSTNAME" will return My name is actual.machine.name.com .

Escaping is using a backslash to remove the special meaning of a character. This\ is\ escaped. The shell will consider that one word, not three as the backslash removes the special meaning of "separates a word" from the space. You can use it on other problem characters. "Quote marks (\") can be escaped". This lets you use a quote in the middle without closing the quoted text.

The tricky one is substitution. You use something that the shell considers a space, but but doesn't look like a space to other programs. For example, cd /usr requires typing a space between cd and /usr. Or not: cd${IFS}/usr. The $IFS is the Internal Field Separator. It contains the characters the shell will use to divide up words. The curly brackets {} prevent it from running into the text that follows it.

If I understand correctly, the vulnerability can also be exploited through the disk:// and disks:// protocols, which don't show up in MisFox or More Internet. Additionally, there's a "disable" setting. (I had actually hooked help:// up to BioRhythm X :-).

For example, you'd never expect a link to nielsenhayden.com to trigger a javascript window showing a famous phone number, would you? Cross-site scripting attacks require constant vigilance to root out, and can erase the distinction between "safe" and "unsafe" sites. In the past, cross-site scripting attacks against some of the builtin pages on internet explorer (which bypasses ie's security) have caused Microsoft some embarassment.

The responsible AppleScript has been named as /Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt
so you can just navigate your way to the file manually or copy the following line into the field that pops up when you type Shift-Command-G in the finder:
/Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/
Then just rename the script "OpnApp.scpt" to "dontOpnApp.scpt".

What this does is keep the help viewer application from finding the script is uses for opening any other applications. If you use help regularly, this will keep you from using the function "Open System Preferences for me" etc. This won't effect any other possible protocol problems like telnet://starwars or ssh:// or file:/// though.

Thanks for pointing this out. I consider myself a mac guru and had no knowledge of this exploit. I had heard about the QuickTime hole though.

Of course, this raises the question: does the update really fix the problem? Or do we still need the prescribed fixes? Inquiring minds want to know...

The update does not fix the problem. See, for example, secunia.com's advisory:

This vulnerability has been confirmed on a fully patched Mac OS X system (including the patch "Security Update 2004-05-24 for Mac OS X" released by Apple, which fixes the "help" URI handler vulnerability).

There's more at Sander Tekelenburg's site. Apple is still losing ground on this one.

Short version:

Download and install Apple's patch.

Turn off Safari’s "Open 'safe files after downloading" preference.

Get RCDefaultApp. (If you already installed More Internet, get rid of it.) Use it to set the following protocols to "disabled":

afp:
disk:
disks:
telnet:

Finally, either disable "ftp:" or set it to a real FTP program, i.e., not the default setting of the Finder.

You do not need Paranoid Android if you do all of that; and, in general, "haxies" are well to avoid if you don't need them.

I'm still missing why you advise RCDefaultApp over More Internet, or either of them over Internet Explorer. I used IE to set the handler for those URIs to a safe application, and the tests John Gruber points to run that application.

I think IE is still included in MacOS, isn't it? I'm no fan of IE, but when it's already there, and it seems to do the trick, why download a new tool?

Regarding More Internet or MSIE, as I understand it, either of those is probably OK. The advantage of RCDefaultApp is that you can simply disable a protocol, rather than setting it to some silly alternate app. Clearer and more elegant, to some values of elegant.

(Of course, by "disable", we mean disconnect the protocol from LaunchServices, I believe. AFP, disk images, telnet, etc., will all still work fine; they just won't fire up as the result of the user clicking J. Random URL.)

It's a fine point. If you prefer to use "More Internet" or the settings buried in MSIE you'll undoubtably be secure.

(where does one get a real FTP programs, she wonders. quietly to herself.)

I have a headache, but I think I feel safer. (But there's always something...I'm not really paranoid, it's just that they are all out to get me.)

Are you saying the "disks" protocol wasn't listed in the URL tab of RCDefaultApp? Are you using Jaguar or Panther?

(For extra entertainment, imagine the above two paragraphs being read aloud at the 1956 Worldcon banquet.)

The actual database we have to edit is called "Launch Services", but MSIE, MoreInternet, and MisFox edit a compatibility database called "Internet Config". When you set a URI handler in IC, it writes through to LS, so the vulnerability is patched. But from the IC level you don't see those URIs that have been registered in LS but not IC. That's why you have to create a disks: URI if you're using an IC-based tool.

And yes (she said confusingly), the "disks" protocol wasn't listed in the URL tab of RCDefaultApp, only "disk". Which I disabled. And I'm running 10.2.8--maybe it doesn't exist yet? ...and now it sounds like I'm time traveling, which would be even more appropriate (read aloud etc.)

To uninstall, drag the file to the trash. You won't be able to empty the trash until you restart (or at least re-login), but don't worry about it.