
Updated 8/10/2004


Apple has released an update for OS X, 10.3.5 that fixes several serious security flaws. These same patches are available for 10.2.8 users as a Security Update. Check Software Update in your System Preferences or download the updates from Apple's website (see the links below).

The updates fix the recently publicized PNG vulnerability by updating a system library component, preventing a possible buffer overflow exploit. They also patch a hole in Safari where a malicious website could steal sensitive form information, and a vulnerability in the handling of network traffic that could leave your computer open to a DoS (Denial of Service) attack.

The Mac OS X Combined Update 10.3.5 includes the security update, and should be installed by all Panther (10.3) users.

Security Update 2004-08-09 (10.2.8) fixes the same security flaws present in Jaguar (10.2).

Updated 6/8/2004


Yesterday Apple released Security Update 2004-06-07 to address the remaining vulnerabilities that were not addressed by Security Update 2004-05-24 and Mac OS X 10.3.4. While there have been no known exploits of these vulnerabilities, our recommendation is to update to Mac OS X 10.2.8 or Mac OS X 10.3.4 (if you haven't already done so) and to install all recent Security Updates (e.g., Security Update 2004-05-24 and Security Update 2004-06-07).

Like Paranoid Android, Security Update 2004-06-07 intercepts and alerts you before allowing any untrustworthy URI scheme to launch (an 'untrustworthy' URI scheme is any attempt to automatically launch a previously unused application). As such, after installing Security Update 2004-06-07 you can safely remove or disable Paranoid Android (or re-enable any protocols that were disabled using RCDefaultApp).

The easiest way to remove PA is to run the installer again and click Uninstall. Alternately, you can disable it by using the APE Manager preference pane or removing the "Paranoid Android.ape" file from your Application Enhancers folder (either in the ~/Library or /Library folder, depending on whether you installed PA for the current user only or all users).

If you previously used the RCDefaultApp or More Internet preference panes, re-enable the afp: and telnet: protocols by re-assigning them to the Finder and Terminal respectively (the disk: and disks: protocols were simply removed by Security Update 2004-06-07).

For more detail, including a description of the new alert dialog, see Apple's website.

Originally posted on 5/26/2004:


You may have read over the past week of the 'first major security problem' that affects Mac OS X. The problem is more accurately described as 'several potential problems' that could allow a web site to launch a malicious application on your Mac without your consent or knowledge. It has to do with something called Uniform Resource Identifiers (URIs; one of the most familiar URIs is the Uniform Resource Locator, or URL for short). Mac OS X uses URIs to send http: links to your preferred Web browser, mailto: links to your preferred email program, webcal: links for shared iCal calendars, etc.

The first problem (and the only problem fixed by Security Update 2004-05-24) has to do with the Help Viewer application, the help: URI, and an oversight that allowed web pages to use the help: URI as a 'back-door' into running applications without your consent. Installing the security update fixes this vulnerability by making sure that only the Help Viewer application can use the help: URI, which effectively blocks the potential for misuse. As an added bonus, Security Update 2004-05-24 can be installed without restarting your Mac, so it won't even interrupt your workflow.

But this doesn't fix the other (and potentially more serious) issues with the way that Mac OS X handles the disk:, disks:, and afp: URIs. The disk(s): URI is used to mount a remote disk image (.dmg) without requiring you to download the file. If you've ever downloaded an application from the Internet, odds are that several of them have been distributed as disk images. And mounting it without having to download certainly sounds like a clean and convenient way of doing things. But because of the UNIX underpinnings of Mac OS X, mounting a remote volume or disk image 'transparently' opens up a potentially nasty security hole that several security experts (including us) rate as 'extremely critical.'

The final security issue has to do with the telnet: URI. You may remember telnet from back in the days before a browser called NCSA Mosaic and the World Wide Web. Telnet is still very much alive and, because Mac OS X is UNIX-based, it's now built in. The problem is that the telnet: security hole (which is fixed by Security Update 2004-05-24 for Mac OS X 10.2.8, but not for Mac OS X 10.3.3 or 10.3.4) makes it possible for a particularly nasty web site to overwrite any file (or folder) in your Home folder (and possibly even files/folders outside your Home folder).

Before you get too worried and start wondering whether you should switch to a PC (you shouldn't), we have to point out that there are no known cases of any of these security vulnerabilities being exploited. But we do believe that it's better to be safe than sorry.

The first step to protect yourself is to install the Security Update 2004-05-24. It's available for both Mac OS X 10.2.8 and Mac OS X 10.3.3 and 10.3.4 (if you are using an earlier version of 10.2 or 10.3, you'll have to upgrade to the latest release before you can install the Security Update).

The second step depends on how comfortable you are changing various preferences on your Mac. If you'd rather not follow more instructions, your safest solution is to install the free Paranoid Android utility from Unsanity (makers of FruitMenu and WindowShade X) and let it be paranoid for you. Paranoid Android (PA for short) will intercept, alert you, and then give you an opportunity to allow or cancel any potentially exploitable URI scheme. Initially PA is extremely paranoid, only allowing the basic http:, https: and mailto: URI schemes, but you can add additional URIs via its preferences (found in the APE Manager preference pane). One other advantage of PA is that you can easily and quickly install it for every user on your Mac (if you have multiple accounts set up).

If you are comfortable with modifying individual user preferences, you'll want to first disable the 'Open "safe" files after downloading' preference in Safari (if you use Internet Explorer instead of Safari, you'll want to disable StuffIt Expander's processing of Disk Images under the Internet preference instead). You'll also want to disable the analogous preferences for any other web browsers or FTP clients. Next, download the free RCDefaultApp utility by Rubicode and DISABLE the afp:, disk:, disks:, and telnet: protocols. You'll also want to change the default application for the ftp: protocol to something other than the Finder (if you don't already have an FTP program like Fetch, Transmit, Interarchy, or FTPeel, try the free CyberDuck instead).
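The two defensive policies described above (Paranoid Android's "prompt before launching a scheme you have not approved yet", and RCDefaultApp's "disable the afp:, disk:, disks: and telnet: handlers outright") boil down to one gatekeeping decision per URI scheme. The following is an added illustration, not code from Unsanity, Rubicode or Apple; it models that decision in Python, normalises the scheme the way RFC 3986 defines it so that case or leading whitespace cannot slip a disabled scheme past the check, and uses constructed sample URIs.

```python
import re
from dataclasses import dataclass, field

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Schemes Paranoid Android auto-allows out of the box, per the post above.
ALWAYS_ALLOWED = frozenset({"http", "https", "mailto"})
# Handlers the post tells you to disable with RCDefaultApp (help: is
# fixed by the update itself, but listing it costs nothing).
DISABLED = frozenset({"afp", "disk", "disks", "telnet", "help"})


@dataclass
class SchemeGatekeeper:
    """Prompt-before-launch policy for URI schemes.

    A scheme is opened silently only once the user has approved it;
    a disabled scheme is never opened; anything else needs a prompt."""
    approved: set = field(default_factory=lambda: set(ALWAYS_ALLOWED))

    @staticmethod
    def scheme_of(uri: str):
        # Drop leading whitespace/NULs first so "  DISKS://..." is still
        # recognised as the disks: scheme rather than as "no scheme".
        m = _SCHEME_RE.match(uri.lstrip(" \t\r\n\x00"))
        return m.group(1).lower() if m else None

    def decide(self, uri: str) -> str:
        scheme = self.scheme_of(uri)
        if scheme is None or scheme in DISABLED:
            return "block"      # malformed, or a handler we turned off
        if scheme in self.approved:
            return "allow"      # previously approved: open without asking
        return "prompt"         # first use of this scheme: ask the user

    def approve(self, scheme: str) -> None:
        # Called when the user clicks "Allow" in the prompt.
        if scheme.lower() not in DISABLED:
            self.approved.add(scheme.lower())


if __name__ == "__main__":
    gk = SchemeGatekeeper()
    for sample in ("https://example.com/", "disk://host.example/x.dmg",
                   "webcal://example.com/cal.ics"):   # constructed samples
        print(sample, "->", gk.decide(sample))
```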

Follow Up:


Now that you've insulated yourself (or if you're just curious), you can 'test' yourself against benign examples at the University of Wisconsin-Madison's Division of Information Technology.

If you have any questions about these potentially serious security exploits, our methodology, or just questions in general, please don't hesitate to contact us. We are here to help. More information on these security issues can be found at these web sites:

Apple Security Updates
DaringFireball
Secunia
Unsanity
C|Net News.com