After the recent discussions about the possibilites of Mac viri or malware, there seems to have been discovered a proper bug in OSX now that gives you the full quality of exploitability that our Windows friends have enjoyed for a while.
The problem with this is that as soon as the words Mac and bug make it together into the public, there is such a lot of noise generated by the zealots, Windows advocates and such people, that the tricky questions, such as 'what went wrong' won't be discussed properly, that focus may shift to spectacular but irrelevant topics and that the correct answers to these questions aren't available or hard to find.
For example, many of the public reports of this bug I saw blame Safari for the problem. But is it really a Safari related problem. Isn't Safari just opening the URLs you throw at it – using the appropriate helper application wherever possible? That's just its job. Another common line is that it's insecure that OSX will predictably mount disk images as
/Volumes/Disk/. This is at the same time incorrect (as OSX is perfectly capable of dynamically generating new names should the one it wants already be taken) and misleading. Misleading because that behaviour in itself isn't insecure.
To me it looks more like the bug has to be located in the Help Viewer application. Being able to run a script by calling an URL is a very powerful and dangerous thing. Designing an application where you recognise 'hm, I may have to run scripts in here when coming from various different places' and concluding 'why not use URLs and the system-wide URL-helper mechanism to do this' because 'it's very convenient' probably just means you didn't think this through and did a bad job.
The protocol helper mechanism is very useful and important. That's without question. But it is also a very powerful feature. Particularly as URLs and applications containing them in a clickable form are ubiquitous these days. In general, interfaces that let other applications use your own, need to be designed with great care by programmers. Otherwise applications may be abused for evil purposed like they are in this case.
Using the internet protocol helper mechanism for something that could have been achieved in another, less accessible way, would have been a good idea. I hope Apple straighten this out soon and perhaps also adjust their developer documentation accordingly, pointing out that while it is easy to set your application up as a protocol helper for some protocol – great care should be exercised when doing this.
Fun ideas for trojans using this technique come immediately.
Right, it isn’t Safari’s fault… the exploit also works in Mozilla, Camino, FireFox, and IE (I’ve heard both Opera and OmniWeb are immune for some reason, but I haven’t tested).
I wouldn’t call it a “bug”… both Help Viewer and the help: URI handler are doing everything they were designed to do. Unfortunately the ability to use Help Viewer to execute an arbitrary file (which it was meant to do for all those “Open XXX for me” links in the help files) can be exploited to do some bad, bad things through the help: handler. It’s a security hole.
Which Apple should fix :-(
Received data seems to be invalid. The wanted file does probably not exist or the guys at last.fm changed something.