URL-Based Mac OS X Vulnerability Revealed

It’s not a Trojan horse, but a recently revealed security vulnerability does appear to be a very real concern. The exploit relies on unsafe actions that Apple allows for certain URL schemes (such as the http, ftp, or mailto bit at the beginning of a URL) and makes it possible for malicious code to be delivered and executed silently, without the user realizing anything has happened.

The problem was initially thought to revolve around only two of these URL schemes: disk and help. When you combine the capability to download and automatically mount a disk image (which could contain a malicious AppleScript script) and the capability to run that AppleScript (because it’s in a known location) via Help Viewer, you end up with a recipe for trouble. Turning off Safari’s Open "Safe" Files After Downloading option in its General preference pane isn’t sufficient protection (and the vulnerability is even present if you use some other Web browsers).

Apple responded within days, issuing Security Update. Although Apple’s description was terse, as always, it appears that the security update installs a new version of Help Viewer that presumably eliminates that program’s capability to execute AppleScripts sent via help URLs. (The security update also included a fix to URL processing within Terminal for users of Mac OS X 10.2 Jaguar; again, Apple provided no details.)

Unfortunately for everyone involved, Apple’s fix was merely a band-aid on what now seems like a much more involved and deep-seated problem, which I’ll let Matt Neuburg explain separately elsewhere in this issue. Suffice to say, the concern over Help Viewer was merely a special case of the overall vulnerability, which revolves around an attacker being able to post a disk image containing a malicious application that registers a special URL scheme. When a user clicks the link (which would of course be obscured to look like something else), the disk image is downloaded, mounted, and the special URL scheme is registered with Mac OS X. The server providing the URL waits a short while (until the disk image is mounted and URL scheme registered) and then automatically redirects the user to another URL that uses the just-registered scheme. That subsequent URL tells Mac OS X to launch the malicious application. Kudos to TidBITS Talk reader Sander Tekelenburg for a coherent page explaining this process.

To quote from Maurice Sendak, "‘And now,’ cried Max, ‘let the wild rumpus start!’"

Without in any way detracting from the serious nature of this vulnerability, it’s important to clarify a few things. This is not a Trojan horse, it’s not a virus, and although several people have posted proofs-of-concept, I’m not aware of any reports of any actual malicious software that uses this technique.

I’m certain Apple is working furiously to come up with a fix; until they do, the best advice for normal users (other than to keep good backups!) seems to be to download and install Paranoid Android, a free utility developed by Unsanity. Once installed, Paranoid Android watches for unknown URL schemes and displays a warning dialog that lets you cancel the action before your Mac can be compromised.
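The vulnerability described above hinges on an application inside a mounted disk image declaring its own URL scheme. The following is an added example, not code from the article or from Paranoid Android: a defensive audit that reads each bundle's Info.plist under a volume and reports schemes outside an allowlist. The allowlist, the function names, and the two sample bundles are constructed for illustration; CFBundleURLTypes and CFBundleURLSchemes are the standard Info.plist keys for scheme declarations.

```python
import plistlib
import tempfile
from pathlib import Path

# Constructed allowlist for this example; adjust to the schemes you expect.
KNOWN_SCHEMES = {"http", "https", "ftp", "mailto", "file"}

def declared_schemes(info_plist: Path) -> set[str]:
    """Return the lower-cased URL schemes a bundle's Info.plist declares."""
    try:
        with info_plist.open("rb") as fh:
            info = plistlib.load(fh)
    except Exception:
        return set()  # missing or malformed plist: nothing to report
    url_types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    schemes = set()
    for url_type in url_types if isinstance(url_types, list) else []:
        raw = url_type.get("CFBundleURLSchemes") if isinstance(url_type, dict) else None
        if isinstance(raw, list):
            schemes.update(s.lower() for s in raw if isinstance(s, str))
    return schemes

def audit_volume(root: Path, known=KNOWN_SCHEMES) -> dict[str, set[str]]:
    """Map each .app under root to its declared schemes that are not in known."""
    findings = {}
    for plist in sorted(root.rglob("*.app/Contents/Info.plist")):
        unknown = declared_schemes(plist) - set(known)
        if unknown:
            findings[plist.parents[1].name] = unknown
    return findings

def build_sample_volume(root: Path) -> None:
    """Create two constructed bundles standing in for a mounted disk image."""
    samples = {
        "Reader.app": [{"CFBundleURLSchemes": ["http", "https"]}],
        "Installer.app": [{"CFBundleURLSchemes": ["example-unknown"]}],
    }
    for name, url_types in samples.items():
        contents = root / name / "Contents"
        contents.mkdir(parents=True)
        with (contents / "Info.plist").open("wb") as fh:
            plistlib.dump({"CFBundleURLTypes": url_types}, fh)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_volume(Path(tmp))
        for app, schemes in audit_volume(Path(tmp)).items():
            print(f"{app}: unknown URL scheme(s) {sorted(schemes)}")
```

Pointing `audit_volume` at a mounted volume's path instead of the temporary directory applies the same check to a real disk image before anything on it is opened.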