Mac OS X security exploit and countermeasure

Tuesday 18 May 2004 at 23:06

Thanks to Jeff for posting this info on the COMUG mailing list and thanks also to to Simon's other pointers regarding the Mac OS X help url exploit. Update: It is important that you follow this procedure for each user on your Mac -- the protocol helper preferences are stored separately for each user (more details at the bottom).

Mac OS X handles various URLs specially. By default 'help' urls are handled by Apple's Help Viewer which has the feature of allowing you to run an arbitrary script or shell command. See Simon's post for links to harmless examples of the exploit, links to more detailed discussion, and to his preferred fix.

The countermeasure is to change the application that handles 'help' urls to something other than Help Viewer. The fixes Jeff and Simon pointed to both require downloads, and from reading the more detailed discussion, I think Simon's is a more complete solution. But it turns out you don't have to download anything, though I had to swallow a little pride.

Internet Explorer allows you to change the protocol helpers for the OS.

The fix is very easy. Here's the very granular step-by-step instructions (don't be daunted by the number of steps -- I described every button click :-). I tested this with OS X 10.3.3 and IE 5.2.3 -- the steps might differ on other versions.

  1. Launch Internet Explorer.
  2. From the Explorer* menu select *Preferences....
  3. In the left hand window pane, under the Network* section, select *Protocol Helpers.
  4. In the right hand window pane, select the help protocol.
  5. Click the Change... button (a Protocol Helper Editor window will appear).
  6. Click the Choose Helper... (the Open dialog box will appear).
  7. Choose an application other than Help Viewer* -- I chose *TextEdit.
  8. Click the Open button (which will return you to the Protocol Helper Editor window).
  9. Confirm that there's a check in the Use current application if possible checkbox.
  10. Click the OK button (which will return you to the Preferences window).
  11. Click the OK button (which will close the Preferences window).

Simon's post also mentions creating a helper for the 'disk' protocol. The Finder will happily mount remote disk images from a URL which could be used in a two-part exploit: in one link you would mount a nasty script in a known location on the victim's computer via the 'disk' url and in the other link you would use the 'help' url to launch that nasty script. However, 'ftp' urls will also be mounted by the Finder, and I'm fairly sure that the .Mac iDisk uses a 'webdav' url. There may well be others I don't know about. Disabling the 'help' url vulnerability will at least prevent a link on a web page from launching a nasty script. Breaking those other urls is more than I'm willing to do on my own system. Having said that, expect to see some social engineering emails trying to get clicking assistance from naive Mac users.

Update: Another member of COMUG, Dan Oetting mentioned in another email that these preferences need to be set for each user. So I dug a little harder to see where they might be stored. It looks like they are here: ~/Library/Preferences/com.apple.internetconfig.plist. That might open the possibility of creating a script to change the settings if you have a lot of macs to fix. It's not a trivial change because the values of the protocol helpers are stored in some encoded format.

Quick XML rant: what is the point of using an XML file for preferences if you're going to store values using some other encoded format? If Apple had gone a little further xml-ifying the Internet Config preferences file, someone would already have written the script to automate the change for networks of many computers, or Macs with many user accounts.