I downloaded the latest Apple security update for the Help Viewer exploit - is my Mac secure now? I'm confused - I've heard that there are two parts to this exploit, or something. Does Apple's security update fully solve the problem? If not, where should I go to get a proper patch. Thanks.

(I hate having to worry about things like this :( )

(I hate having to worry about things like this :( )It's a good thing you're a Mac user, then. Imagine having to worry about these kinds of things every single day as a Windows user. :p

Anyhow, the security update indeed does not *fully* correct the issue. Apple's update corrects the help protocol flaw but not the disk protocol flaw.

This page will exploit the bug even after the security update (or so I've read; I'm on an old Mac OS 9 machine now): http://www.geekspiff.com/unlinkedCrap/innocousPage.html

There is a haxie out by Unsanity called Paranoid Android, but I have to advise not to install it because it requires use of the sometimes problematic APE framework.

Instead, you can simply install the More Internet (http://www.macupdate.com/info.php/id/12849) preference pane and change the "disk" protocol (add it if not present) and change the mapped application to something benign like Chess (or TextEdit). If you don't trust Apple's update, do the same with the "help" protocol. This procedure is detailed here (http://mamamusings.net/archives/2004/05/18/serious_os_x_security_problem.php).

Also, if you use Safari, disable the option to open safe files after download.

I've used More Internet and tested it locally and this appears to fix the hole. Just try the geekspiff link afterwards to see for yourself.

Update: You should also change the "disks" and "telnet" protocols.

So, bottom line:
The disk, disks, and telnet protocols have *not* been patched by Apple and should be manually changed.
The help protocol has been fixed, but you may safely change it anyway if you are paranoid.

More details here: http://daringfireball.net/2004/05/help_viewer_security_update

I really like that link. The author also explains that Unsanity is hyping things a bit more than necessary.

Thanks Brad, I think I'm all patched up now. Went to Daring Fireball... I love pedants ;)

Wish I didn't have to do this kinda stuff tho <frownie>

What's up with Apple? I find it hard to believe that they didn't know about the other helper app vulnerabilities. Didn't they even test OSX for other methods of attack?

Actually, Apple apparently knew about this for weeks (or months?) as it was reported a long time ago. :confused:

I'm moving this to Mac OS X since it would be helpful for regular readers of that forum.

What's up with Apple? I find it hard to believe that they didn't know about the other helper app vulnerabilities. Didn't they even test OSX for other methods of attack?

actually... no

apple does NOT have a security department...

http://www.businessweek.com/print/bwdaily/dnflash/apr2001/nf2001051_727.htm?tc

:( where is that skeptical smily?

If this was a bug resulting in an exploit, all these probems would have been fixed in a day or two. But unfortunately for Apple and Mac OS X users, it is an architectual problem. The way LaunchServices works has turned out to be insecure when used by web browsers (and similar). It has evidently taken Apple a while to fix and will probably take a while longer.

Barto

Brad,

Thanks for the links and alternative to PA. That thing was pretty regularly interuppting my workflow and further I had no idea the thing was screwing with Protected Memory. Unsanity should explicitly state that... pretty weak IMO.

I used the RCDefault App to make the recommended changes. It's a much more flexible tool that PA and less likely to screw up your apps as well, evidently.