## May 24, 2004

### Rampant Paranoia

Now that MacOSX has been smitten with two remote protocol handler vulnerabilities in less that a week, people are running a bit scared. Jason Harris claims to have found a new one, in which a hostile attacker gets LaunchServices to register a new URI scheme, for which a surreptitiously-downloaded hostile application is the default handler.

Mr. Harris provides two sample exploits, differing in the protocol used to download the hostile application to the victim’s machine. If successful, they are supposed to create a file, “owned.txt” in the victim’s home directory. When I tried the exploits in Mozilla, the hostile attempts were blocked with the messages, “malware is not a registered protocol.” and “guardian 452 is not a registered protocol.” No disk was remote-mounted (I do have the “disk://” protocol disabled using the RCDefaultApp PreferencePane) and no file was downloaded via FTP.

I was equally unsuccessful in getting either exploit to work in Safari, though no helpful diagnostic error message was given. I’m not saying there’s no possibility of an exploit here (though I’m somewhat incredulous that the mere act of downloading an application — not launching it, not installing it in /Applications/, merely downloading it — would be enough to get LaunchServices to register it as the default handler for some unknown URI scheme), but it’s a bit premature of Mr. Harris to claim

Because this sample exploit registers its own URI scheme, none of the methods people had been using involving disabling certain scripts, moving Help.app or changing the ‘help’ URI scheme would protect against it. At this time, only Paranoid Android provides protection from it.

Dick Cheney makes me paranoid, but the author of my beloved Chicken of the VNC? Nah…

Update (5/25/2004): John Gruber has a more thorough analysis of this new “threat”. According to John, the hostile application gets registered with LaunchServices when it is displayed in the Finder (still sounds wacky to me, but if you say so …). That would happen, for instance, if you had the Finder assigned as your ftp:// helper. Me, I have that task assigned to Mozilla. If the hostile application doesn’t get registered, it can’t be used to attack you.

I find this “display an application in the Finder, and it’s automatically registered as a URI handler” — if true — to be very disturbing. Only applications in /Network/Applications, /Applications and \$HOME/Applications should be automatically-registered as URI handlers. That’s true of Services, why should URI handlers be different?

Update (6/7/2004): The 2004-06-07 Security Update has a more comprehensive fix for this whole class of problems. Kudos to Apple for their quick work on the issue and for their forthright and comprehensible explanations of their fixes.

Posted by distler at May 24, 2004 1:46 AM

TrackBack URL for this Entry:   http://golem.ph.utexas.edu/cgi-bin/MT-3.0/dxy-tb.fcgi/368