Washington Apple Pi

A Community of Apple iPad, iPhone and Mac Users

Best of the TCS

Recent Apple Security Enhancement

edited by Richard “Dick” Rucker

Washington Apple Pi Journal, reprint information

The following is a message thread that appeared in this location:
Menu >> Computing >> Mac OS System Software >> Apple's bold security enhancement

Apple's bold security enhancement #2844
FROM: Jon Thomason
TO: All 07:16 PM Monday, Jun 07, 2004

Apple released a security update today. Unlike the vast majority of these patches, which simply resolve a bug and prevent software from misbehaving, this one actually introduces new system behavior to help users assess risk.

http://docs.info.apple.com/article.html?artnum=25785

I spoke of an approach like this back in April, in the context of dealing with newly-downloaded Trojan horse applications which a user thinks are documents.

http://tcs.wap.org/topic?b=union&top=1070#1096
http://tcs.wap.org/topic?b=union&top=1070#1097

Today's security update doesn't solve that -- but it solves a related problem in a surprisingly similar way. Specifically, it solves the problem which Unsanity described in a whitepaper promoting their Paranoid Android software.

http://www.unsanity.com/haxies/pa/whitepaper
http://daringfireball.net/2004/05/help_viewer_security_update

My remarks back in April were essentially blue-sky what-if brainstorming. I never imagined that anything like this would be introduced into Panther as-is, let alone Jaguar. Or that it might be introduced in a point update, let alone a security update. At my wildest moments, I figured it could be a behavioral change they introduced with 10.4 Tiger and a much-enhanced Finder application.

Anyway -- my thought was that if the user can't immediately tell that a file is actually an application, possibly even a Trojan horse application, then the system could maybe keep track of applications which the user has seen before. And upon launching one that he hasn't, the system presents a warning message.

Today's update does exactly that -- but not for applications double-clicked directly. (That would be annoying, and new, and while it might be useful to add a low-level administrator's option for something like that, it's really not something they can just slip into a sudden security update for everybody.)

Instead, they only do it for applications launched indirectly -- as described in the Unsanity whitepaper. Those launched to handle a particular document, or a particular URI request. If the application has already been launched directly by double-clicking on it, at any point, then there's no change.

I think this is quite clever. And VERY bold, to have been conceived, written, tested, and distributed in about three weeks in response to a vulnerability.

They can take it several steps further in major system updates, but I'm duly impressed by how they handled the immediate theoretical issue at hand.

Apple's bold security enhancement #2848
FROM: Richard Rucker
TO: Jon Thomason/all 05:25 PM Tuesday, Jun 08, 2004

A Unix/Windows guru friend of mine pointed me to this article:

http://www.infoworld.com/article/04/05/17/HNmacoshole_1.html

The title of that May 17 article is:

" Mac OS X hit with another serious security issue 'Highly critical hole' allows remote system access" By: Kieren McCarthy, Techworld.com.

The article concluded with this paragraph:
" While constant problems with Microsoft's software -- in particular Windows -- continue to have a far greater impact than holes in Macs, Microsoft's more open approach to security holes was only learnt through a misguided effort in the past to keep security issues quiet, a lesson that Apple could well heed."

Below is my reply sent earlier today, thanks in part to Jon's message #2844 and TidBITS#732/07-Jun-04.

Just thought you might like to know that Apple's security update 2004-06-07 became available for user download yesterday.

I just finished making the update on my machine, which took less than 5 minutes from clicking on Software Update to completion of Restart at the end of its installation.
The changes made by this update are:

(1) Launch Services now alerts a user if an application that wants to launch has never been launched directly by this user before; i.e., if the user has never double-clicked on the application's icon or name before.

If he has, even if this is the first time, the application is launched without an alert. The thought apparently is: User be aware, but we're not going to protect you if you intentionally do dumb things.

I'm guessing here, but something is now tracking the usage of all applications installed on the machine by each user's account. It will generate an alert if a particular user has never double-clicked on this application before. That is, if the launch sequence was requested by some document or URL, and not the user himself.

I've not seen the alert, but I'll bet it says something more helpful than, but along the lines of: "launch this application at your peril."

By implication: Apple seems to have concluded that Trojan Horses and the like, which are designed to trick the gullible into double-clicking them, are not Apple's problem.

(2)Registration of "disk URLs" has been removed so that disk images accessed by that scheme will no longer mount automatically. That is, if you have made contact with a URL that, in turn, downloaded a disk image to your hard drive, then you will have to mount that disk image yourself to make use of it, and you do that at your own risk.

Seems reasonable to me.

(3)In Apple's browser, Safari, it has been possible for certain downloaded files to be opened when the "Show in Finder" button is clicked. That feature has been eliminated, presumably to avoid opening and launching a downloaded application inadvertently.
May 17 to June 7, that's 21 days or 3 weeks from alarm bells to solution. How's that for responsiveness on Apple's part?

Apple's bold security enhancement #2849
FROM: Lawrence Charters
TO: Richard Rucker/all 06:38 PM Tuesday, Jun 08, 2004

> By implication: Apple seems to have concluded that Trojan
> Horses and the like, which are designed to trick the
> gullible into double-clicking them, are not Apple's problem.

I don't know that I'd phrase it quite that way, but yes, that is the general idea. A Trojan horse is, by definition, a case of false advertising: it _looks_ like a Greek offering, but is actually full of sweaty soldiers.

A Trojan horse program is, indeed, a valid program. It just doesn't do what it says or implies or looks like it might, should, ought to. Apple would be hard pressed to write a set of rules that can prevent the user from being duped. If it _could_ -- Microsoft would go bankrupt.

Apple's bold security enhancement #2850
FROM: Jon Thomason
TO: Richard Rucker/all 08:46 PM Tuesday, Jun 08, 2004

> May 17 to June 7, that's 21 days or 3 weeks from alarm bells
> to solution. How's that for responsiveness on Apple's part?

To date they've been keeping technical information separately available from the piece that every grandma needs to know. A lot of people trying to peer in cold from the Windows world to draw direct comparisons aren't aware of that, but Mac-savvy network administrators always have been.

http://www.apple.com/security/
http://www.apple.com/support/security/
http://www.info.apple.com/usen/security/security_updates.html

Still, Apple has been listening to the twists and turns taking place outside while addressing this, and they're willing to make corresponding adjustments.

http://maccentral.macworld.com/news/2004/06/07/appleupdate/

It seems to me the InfoWorld article, while not wrong, draws its conclusions from the continuing clash of cultures and expectations between those worlds. Not so much from objective security concerns, but from a shortcut of thinking that prematurely places Apple under the terms of Microsoft's house arrest.

Apple's the new guy, as far as InfoWorld is concerned. And as much as one may be impatient for the new guy to adjust to each detail of our preexisting expectations, it's a two-way street. The new guy's big challenge is to bring forward a non-tech-savvy majority of its users into the cutthroat wired world.

The rest of us may need to accommodate the fact that they boil down the story to those users for approachability. Technical details are readily available to the others who need it -- Apple merely deals with the two groups separately, as appropriate to the needs and expectations of each group. That's uncommon, but reasonable. Either we can afford them that change or they'll need to start scaring their novice users and numbing them to danger, just like everyone else.

As Apple grows to become more familiar with outside customs -and- others grow to become more familiar with what they're trying to do, we'll meet halfway. Personally, I hope this is possible to achieve with more perspective than has been attainable in the Windows world for so many years running. We'll see.