An Ounce of Prevention
======================

By John Gruber

Monday, 24 May 2004

In a nutshell, here is my advice for how to close the various URI-related vulnerabilities in Mac OS X. For more details, see my previous articles:

* "[Using the 'telnet:' URI Protocol to Delete Files][t]"
* "[About the Help Viewer Security Update, and, Also, Why I Don’t Think You Need Paranoid Android][p]"

This page is intended to serve as a consolidated, comprehensive, and to-the-point list of instructions for closing all known URI-related vulnerabilities affecting Mac OS X. If new information or exploits are identified, I plan to revise this document in-place.

1. If you haven't done so already, install Security Update 2004-05-24. This fixes the Help Viewer 'help:runscript' vulnerability.

2. If you're running Panther, upgrade to version 10.3.4 using Software Update. 10.3.4 contains an updated version of Terminal which closed the 'telnet:' vulnerability. (If you're running Jaguar, the 'telnet:' vulnerability was closed in Software Update 2004-05-24.)

3. Turn off Safari's "Open 'safe' files after downloading" preference. If you use another browser, turn off any similar options (e.g. [Camino][]'s "Automatically open downloaded files" pref). You should also turn off similar options in your default FTP client (e.g. Interarchy's "Post process files" pref).

   Doing this prevents downloaded disk images (e.g. `.dmg` files) from mounting automatically, and prevents archives (e.g. `.zip`, `.tar.gz`, `.sit`, etc.) from being expanded automatically. Automatic mounting/expansion of these files allows a malicious application contained in an image/archive to register for a custom URI scheme with Launch Services; that scheme could subsequently be used by a web server to launch the application.

4. Using [RCDefaultApp][], set the default application for the following URI protocols to "<disable>":

   * afp:
   * disk:
   * disks:

   'afp:' defaults to the Finder; 'disk:' and 'disks:' to DiskImageMounter. These default settings are vulnerable. (If you're using Jaguar, the 'disks:' (note plural) protocol probably isn't defined.)

   The 'ftp:' protocol is also assigned to the Finder by default. You should either assign it to another application (e.g. [Interarchy][], [Transmit][], [Fetch][], [FTPeel][], etc.) or disable it. Do not leave it assigned to the Finder.

   These changes prevent web servers from being able to automatically mount server volumes on your Mac. For reasons similar to those in step #2, a mounted server volume could contain an application which registers a custom URI scheme with Launch Services, which in turn could be used by the web server to launch the application.

FAQ
---

* *What if I have multiple users on the same machine? Must I go through these steps for each account?*

  Yes. You only need to install RCDefaultApp once, if you put it in /Library/PreferencePanes, but the settings themselves are stored per-user, so you will need to change them for each user on the Mac.

* *What are the down sides to taking these measures? What will I be missing out on?*

  Very little. You'll still be able to use protocols like 'afp:' and 'ftp:', and you'll still be able to mount disk images. It's just that you won't be able to perform these actions simply by clicking a link in a web page. It's very likely that you've never used URIs with the 'afp:' or 'disk:' schemes.

  Turning off the "Open 'safe' files after downloading" preference in your web browser means that you'll have to manually open downloaded archives and disk images, i.e. by double-clicking `.zip` and `.dmg` files after you download them.

* *What's the best resource with innocuous example exploits using these techniques?*

  has example exploits for downloaded zip archives and disk images, and for the 'afp:', 'disk:', and 'ftp:' protocols.
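As an added example, not code from the article, here is an audit script for the two per-user settings from steps 3 and 4, run against constructed sample preference plists. The preference key `AutoOpenSafeDownloads`, the `LSHandlers` entry layout, the handler bundle ids and the literal value RCDefaultApp stores for "<disable>" are this example's assumptions about what Safari and Launch Services write, not something the article states.

```python
import plistlib

# Schemes the article says to disable (or, for ftp:, move off the Finder).
RISKY_SCHEMES = ("afp", "disk", "disks", "ftp")
# Assumed bundle ids for the Finder and DiskImageMounter, the vulnerable defaults.
VULNERABLE_HANDLERS = {"com.apple.finder", "com.apple.diskimagemounter"}

# Constructed sample Safari prefs: "Open 'safe' files" still on, and turned off.
SAFARI_PLIST_DEFAULT = plistlib.dumps({"AutoOpenSafeDownloads": True})
SAFARI_PLIST_FIXED = plistlib.dumps({"AutoOpenSafeDownloads": False})

# Constructed sample Launch Services handler table: afp: disabled, disk: still
# on DiskImageMounter, ftp: still on the Finder, disks: never overridden.
LS_PLIST = plistlib.dumps({"LSHandlers": [
    {"LSHandlerURLScheme": "afp", "LSHandlerRoleAll": "<disable>"},
    {"LSHandlerURLScheme": "disk", "LSHandlerRoleAll": "com.apple.DiskImageMounter"},
    {"LSHandlerURLScheme": "ftp", "LSHandlerRoleAll": "com.apple.finder"},
    {"LSHandlerURLScheme": "http", "LSHandlerRoleAll": "com.apple.Safari"},
]})

def safari_auto_opens(plist_bytes):
    """True if Safari would still auto-open downloaded archives and disk images."""
    prefs = plistlib.loads(plist_bytes)
    # The preference ships enabled, so an absent key means "still on".
    return bool(prefs.get("AutoOpenSafeDownloads", True))

def scheme_handlers(plist_bytes):
    """Map each URI scheme with an explicit override to its handler (lower-cased)."""
    handlers = {}
    for entry in plistlib.loads(plist_bytes).get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme:
            handlers[scheme.lower()] = str(entry.get("LSHandlerRoleAll", "")).lower()
    return handlers

def audit_schemes(plist_bytes):
    """Return one finding per risky scheme that is not yet disabled or reassigned."""
    handlers = scheme_handlers(plist_bytes)
    findings = []
    for scheme in RISKY_SCHEMES:
        handler = handlers.get(scheme)
        if handler is None:  # no per-user override: Finder/DiskImageMounter default applies
            findings.append(f"{scheme}: no override, built-in default still applies")
        elif handler in VULNERABLE_HANDLERS:
            findings.append(f"{scheme}: still handled by {handler}")
    return findings

if __name__ == "__main__":
    print("Safari auto-opens:", safari_auto_opens(SAFARI_PLIST_DEFAULT))
    print("\n".join(audit_schemes(LS_PLIST)))
```

On a real Mac the same functions would be fed the per-user Safari and Launch Services plists from ~/Library/Preferences, one account at a time, which is why the FAQ's per-user answer matters.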
[RCDefaultApp]: http://www.rubicode.com/Software/RCDefaultApp/
[Camino]: http://www.mozilla.org/projects/camino/
[Interarchy]: http://www.interarchy.com/
[Transmit]: http://www.panic.com/transmit/
[Fetch]: http://www.fetchsoftworks.com/
[FTPeel]: http://freshlysqueezedsoftware.com/products/ftpeel/
[t]: /2004/05/telnet_protocol "Using the 'telnet:' URI Protocol to Delete Files"
[p]: /2004/05/help_viewer_security_update "About the Help Viewer Security Update, and, Also, Why I Don’t Think You Need Paranoid Android"