By Blane Warrene, MacNewsWorld (part of the ECT News Network)
05/19/04 2:24 PM PT
A Danish IT security company published an advisory Monday that warns
of two Uniform Resource Identifier (URI) flaws in at least two Web
browsers that run on Mac OS X.
Secunia wrote that it has confirmed these vulnerabilities in Safari 1.2.1 and in Microsoft's (Nasdaq: MSFT) Internet Explorer (IE) 5.2. The firm also stated that the flaws might affect other Mac OS-compatible browsers.
Secunia CTO Thomas Kristensen told MacNewsWorld on Wednesday that the vulnerability can affect any Mac browser that supports the OS X URI handler. A URI is a string of characters, such as "ftp:" or "http:", that points the browser window to the proper resource.
The company updated its rating of the flaw Tuesday from "critical" to
"extremely critical" because so many working exploits are obtainable.
Little Help
According to Secunia, malicious Web sites can compromise Mac OS X
computers in two ways. A "help" URI handler can execute what the firm
termed an "arbitrary local script (.scpt)" through "the classic
directory traversal character sequence using 'help:runscript.'"
In addition, the flaw allows malicious sites to secretly put
random files on a victim's computer by using the "disk" URI handler.
"The risk is that a URI can be used to download and mount a disk
locally on the user's computer. Then, the malicious Web site, knowing
the location of the disk, can open and execute scripts, which could
include delivering viruses or keystroke loggers and similar damaging
programs," Kristensen explained.
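A defensive sketch of the two patterns Secunia describes, added here as an example (it is not code from Secunia, Apple or lixlpixel): it scans a page's HTML for URIs that invoke the "help" or "disk" handlers and flags a help URI that combines "runscript" with a traversal sequence. The sample page, the finding labels and the URI layout inside the sample are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import unquote

RISKY_SCHEMES = {"help", "disk"}  # handlers named in the advisory
URI_ATTRS = {"href", "src", "data", "action"}  # attributes that carry a URI

# Constructed sample page; hosts, paths and URI layout are placeholders.
SAMPLE = """
<a href="http://example.com/">ok</a>
<iframe src="disk://example.invalid/constructed.dmg"></iframe>
<meta http-equiv="refresh" content="0;url=help:runscript=../../constructed/placeholder.scpt">
<a href="HELP:%2e%2e/x">encoded</a>
"""

def classify_uri(uri):
    """Return a finding label for a risky URI, or None."""
    decoded = unquote(uri).strip()  # also catches %2e%2e-style encoding
    scheme, sep, rest = decoded.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in RISKY_SCHEMES:
        return None
    if scheme == "help" and "runscript" in rest.lower() and ".." in rest:
        return "help-runscript-traversal"
    return scheme + "-handler"

class HandlerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            uri = None
            if name in URI_ATTRS:
                uri = value
            elif tag == "meta" and name == "content" and "url=" in value.lower():
                uri = value[value.lower().index("url=") + 4:]  # meta refresh target
            finding = classify_uri(uri) if uri else None
            if finding:
                self.findings.append((tag, finding))

def scan_html(html):
    scanner = HandlerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings
```

Calling `scan_html(SAMPLE)` returns one `(tag, label)` pair per flagged element, so a proxy or mail filter could block or log on any non-empty result.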
An OS Issue
"Since this is an operating system issue and not a browser issue,
there are limited methods to protect a system against these attacks,"
Kristensen noted. "We have found that, in Internet Explorer, a user can
access the Preferences Pane for IE, and change the helper's protocol for each help URI handler."
However, Kristensen advised that this issue ultimately has to be addressed by Apple (Nasdaq: AAPL).
Meanwhile, Secunia recommends that OS X users avoid "untrusted" Web sites; rename any URI handlers that are not necessary; and not use the Web as a "privileged user."
Delayed Reaction
Secunia first learned of these vulnerabilities from someone with the
handle "lixlpixel." Lixlpixel disclosed on his Web site that he first told Apple about the problem back on February 23rd but did not receive a reply.
Lixlpixel decided to come forward with the information because "these 'exploits' are on the rise, and it's so easy to protect yourself."
In an exclusive interview Wednesday, lixlpixel told MacNewsWorld that, after waiting on Apple's reply, he finally posted the advisory to a Swiss Macintosh Web site.
"This is how Secunia picked up on the vulnerability," lixlpixel said, adding he had not contacted Secunia directly.
"Just by the nature of the Internet, this post took off," he continued.
Means of Discovery
"I was building a site where PHP and AppleScript work together to
achieve what I wanted. That's when I discovered that you could start
applications on the Mac via [a] URL," lixlpixel said.
"Of course that's no big deal, but then I realized that if you knew
the location of the downloaded program on the user's machine, it gets more dangerous. That's why I notified Apple."
Apple declined to comment specifically on this issue with
MacNewsWorld, although the company did release an official statement.
"We take security very seriously at Apple, and we are actively
investigating this potential security issue," Apple's statement read.
"While no operating system can be completely secure from all threats,
Apple has an excellent track record of identifying and rapidly
correcting potential vulnerabilities."
Potential Solution
According to lixlpixel, one option users have is to download a freeware preference panel called More Internet, from a Web site called "Monkey Food." The preference panel works by giving users the ability to decide which applications they want to set as Internet protocol helpers.
"Just installing it will not help," said lixlpixel. "It is important to then change the Internet protocol helpers to an unprivileged application, such as Chess or Text Edit."
This reporter tried to download More Internet to test in
Safari; however, the Monkey Food Web site was overwhelmed with traffic. A mirror site then became available.
The application is straightforward and allows a user to access Mac OS X's System Preferences and make changes to all Internet helper protocols.
Reaction 'Overwhelming'
When asked about More Internet, Secunia CTO Kristensen said that his firm does not promote or endorse third-party software that "may or may not address a security issue." He asserted that Apple needs to address the problem because the vulnerability is Mac OS-based.
For his part, lixlpixel admitted being a bit overwhelmed by the reaction. "I am a big fan of Apple. [I] use their systems and have
converted several friends to Mac. I don't want to be seen as trying to
hurt Apple," he said.
Lixlpixel also confirmed he was in contact with an Apple public relations employee in Germany and was awaiting that person's return call.
Future Risks
When asked if publicizing this flaw could spur more attacks on Mac OS X, Kristensen said that any operating system that focuses on adding usability features through a graphical user interface will inevitably run the risk of releasing loopholes through which security can be compromised.
"Apple's advantage is the more secure nature of its FreeBSD Unix
core," Kristensen continued.
In an interview with MacNewsWorld, Yankee Group senior analyst Laura DiDio pointed to a study released in February by MI2g, a London-based security-consulting firm. In a review of 17,500 hacks, they found Mac OS X and FreeBSD to be among the least attacked operating systems, accounting for just over 4 percent of all hacks.
Avenues to Take
DiDio said that no operating system or software application is immune to security threats and urged OS X users to practice the same security due diligence as their Windows, Unix and Linux counterparts.
"Statistics don't mean a thing if your firm is the one that falls victim to a successful penetration," she said.
DiDio then suggested some processes for reporting security concerns,
based on Yankee Group research.
"There are several avenues one should take. First is the direct
route -- that is informing the vendor. Customers who think that their OS has been compromised should file a formal incident report -- via hard copy, e-mail and phone calls to the vendor," DiDio explained.
"Escalate the reporting process according to the severity and pervasiveness of the attack. Checking with local Apple Mac user groups and Internet user groups is also helpful in discerning how much of an issue this is," she added.