The Mac Observer


Monday's Mac Gadget
by John F. Braun


Need to Protect Your Mac from Malware? You Need These Gadgets!

May 24th, 2004

RCDefaultApp 1.1 (Freeware)
Rubicode

Paranoid Android 1.1 (Freeware)
Unsanity

This has certainly been an exciting week in the Mac security arena. There was the report of a serious security flaw in Mac OS X, as well as an update which addresses some of the initial exploits. Since the update, some new exploits have been identified. These exploits touch different parts of Mac OS X, including URL and "safe" file handling, and the execution of a hostile AppleScript.

Unlike some other types of viruses, which are spread over a network and are very difficult to track, most of the recent exploits require visiting a Web page that contains the malware. This means that it would be relatively easy to identify the site providing the hostile content, but that doesn't mean some script kiddie won't try (a complete writeup about these exploits can be found at Unsanity). Fortunately, the Mac community has responded quickly, and there are tools you can use to not only protect against malware, but also customize how Mac OS X deals with URLs.

Safari and other programs use a URL's scheme to decide which program should process a request. The http:// type is the most common, but there are others that you may not be aware of, such as disk://, which can act on a disk image that you've previously downloaded. The ability to examine and change these values has varied with each version of Mac OS; the most recent version hides these values pretty well, but the folks at Rubicode have come up with RCDefaultApp, a spiffy preference pane that will let you examine and change URL and other low-level Mac OS X settings.


Examine and Configure Your URL Handlers

RCDefaultApp presents all of this information using a clean, sensible layout. As shown above, clicking on the "URLs" portion of the pane shows each registered URL type, and displays the application, as well as the directory path to the application.

In addition to helping you learn more about how Mac OS X operates, you can also use this feature to improve your system's security by redirecting or disabling requests for certain URL types. For example, the disk:// handler is convenient because it mounts a disk image as soon as it has been downloaded, but some of the reported exploits take advantage of exactly this mechanism. Therefore, you may want to disable handling of disk://, just to be safe.

Concerning the issue of disk mounting, you may also want to configure Safari not to automatically open "safe" files after downloading. Inconvenient? Sure, but this is the dance between usability and security that every operating system has to deal with; Mac users just didn't need to deal with this balance until recently.

RCDefaultApp also allows you to examine and change some other settings. The "Extensions" portion will let you see what application is configured to handle each file extension, which is the value that is after the period, such as ".jpg" for a JPEG graphic image. The "File Types" setting is another file attribute that is used to determine which application should handle a file. Sure, you can access these settings on a per-file basis by using "Get Info," but RCDefaultApp is much more convenient. Finally, there's a way to configure the handler for each major Internet application (Web, E-mail, News and FTP) and which application should be used for a file with a specific MIME type.

Another application that we found helpful in detecting existing and new security exploits is a "haxie" called Paranoid Android (any Hitchhiker's fans out there?) from the folks at Unsanity. Paranoid Android will watch URL access attempts, and display a dialog when a request for an unusual or risky type of URL is made.


Paranoid Android Detected a Risky URL

For all of the identified exploits, Paranoid Android can intercept and disable requests so that they pose no risk. You can of course allow the request, just make sure that it is being made from a server that you know. The other type of exploit that Paranoid Android will protect against is the launching of a handler for an unknown URL type. Normally, a handler for an unknown URL type can be downloaded and executed without user intervention. In some cases, this could also be exploited by malware to do nasty things to your system. If you observe a request for an unusual URL type, you should probably deny it unless you know why the request is being made.

So make sure you not only understand more about how your Mac operates, but protect against security exploits, and get RCDefaultApp and Paranoid Android now!

Have any other Gadgets that help secure your Mac? Send an e-mail to John and he'll check it out.

Monday's Mac Gadget is here to help you with those cool things that we all just have to have on our Macs. Shareware, Freeware, Postcardware, Emailware, and even commercial apps, Monday's Mac Gadget is here to help you find and use the best of these programs.


John is a software engineer who works in the corporate R&D group of a Fortune 500 company, focusing on all aspects of communications technology. He has several degrees that claim he knows what he's doing when it comes to computers. After watching co-workers reinstall Windows, search for device drivers, and experience other horrors during the day, he's glad that he comes home to a Mac (compatible) computer. Have any comments, suggestions, or favorite Gadgets? Drop John a line at


Observer Comments

Name: Burnum (TMO Staff) | Posts: 801 | Joined: 17 Jun 2001
Subject: Why You Don't Need Paranoid Android...

Interesting read as always from John Gruber at Daring Fireball

Name: pecosbill | Posts: 11 | Joined: 07 May 2002
Subject: disk: protocol

"disk:// which can act on a disk image that you've previously downloaded."

Your story isn't quite accurate, or at least doesn't sound accurate. The exploit can be used to download a disk image and then execute malicious code within. Later on, it clarifies, but this is something not to mislead users about.

Name: ld | Posts: 9 | Joined: 20 Mar 2004
Subject: Re: disk: protocol

For more clarification, check out Daring Fireball

In essence the exploit happens thusly:
- You click on a link (or visit some web page containing some meta refreshes with no user input needed).
- Said link could be a JavaScript function (or just a disk://somedisk.dmg)
- Once downloaded (and if you have, for e.g., Safari set to open such 'safe files' by default) it is automatically mounted by the Finder (potentially without the user realizing it) at which point any application found at the top level of the image which may happen to contain information about a custom URL scheme (e.g., malware://) registers itself with Launch Services as the default application for said scheme.
- After a couple of seconds the web page issues a request for said scheme, which is then passed off to Launch Services by the browser and thus the application is launched - and potentially any of your files that you have privileges over are cooked....

Recommended solution is using RCDefaultApp to disable disk, disks, telnet, ftp, afp, x-man-page URL schemes. Again, have a read of Daring Fireball for further info...
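The article suggests disabling the disk:// handler and the comment above lists the other schemes (disks, telnet, ftp, afp, x-man-page) worth turning off. The script below is an added example, not code from RCDefaultApp, Paranoid Android or Apple: it audits a Launch Services handler table and reports which of those risky schemes still have an active handler, and which schemes are registered that are not on a known baseline (the "unknown URL type" the article warns about). It assumes the handler table is a property list with an LSHandlers array whose entries carry LSHandlerURLScheme and LSHandlerRoleAll keys, as in the com.apple.launchservices.secure.plist of later macOS releases (the 2004-era layout differed), and it assumes a handler value of "-" means no handler. The sample plist is constructed for the example.

```python
"""Audit URL-scheme handlers in a Launch Services handler list (added example)."""
import plistlib

# Schemes the article and comments recommend disabling or watching.
RISKY_SCHEMES = {"disk", "disks", "telnet", "ftp", "afp", "x-man-page"}

# Schemes we expect to see registered on a typical system (assumed baseline);
# anything outside this set is reported as an unknown URL type.
BASELINE_SCHEMES = {"http", "https", "mailto", "news", "feed"} | RISKY_SCHEMES

# Assumption: Launch Services uses "-" in LSHandlerRoleAll for "no handler".
DISABLED_MARKER = "-"

# Constructed sample handler table in the assumed LSHandlers layout.
SAMPLE_PLIST = plistlib.dumps({
    "LSHandlers": [
        {"LSHandlerURLScheme": "http", "LSHandlerRoleAll": "com.apple.safari"},
        {"LSHandlerURLScheme": "disk", "LSHandlerRoleAll": "com.apple.diskimagemounter"},
        {"LSHandlerURLScheme": "telnet", "LSHandlerRoleAll": "com.apple.terminal"},
        {"LSHandlerURLScheme": "afp", "LSHandlerRoleAll": DISABLED_MARKER},
        # A scheme registered by some unknown app (constructed bundle id).
        {"LSHandlerURLScheme": "malware", "LSHandlerRoleAll": "example.unknown.app"},
        # Content-type entries are not URL schemes and must be skipped.
        {"LSHandlerContentType": "public.jpeg", "LSHandlerRoleAll": "com.apple.preview"},
    ]
})


def scheme_handlers(plist_bytes):
    """Return {scheme: handler bundle id} for every URL-scheme entry."""
    data = plistlib.loads(plist_bytes)
    handlers = {}
    for entry in data.get("LSHandlers", []):
        scheme = entry.get("LSHandlerURLScheme")
        if scheme is None:
            continue  # file-extension / content-type entries, not URL schemes
        handlers[scheme.lower()] = entry.get("LSHandlerRoleAll", "")
    return handlers


def audit(handlers):
    """Classify each registered scheme.

    Verdicts: 'disabled' (no active handler), 'risky-active' (a scheme the
    article recommends turning off still has a handler), 'unknown-active'
    (a scheme outside the baseline, e.g. one registered by a just-mounted
    disk image), or 'ok'.
    """
    verdicts = {}
    for scheme, handler in handlers.items():
        if not handler or handler == DISABLED_MARKER:
            verdicts[scheme] = "disabled"
        elif scheme in RISKY_SCHEMES:
            verdicts[scheme] = "risky-active"
        elif scheme not in BASELINE_SCHEMES:
            verdicts[scheme] = "unknown-active"
        else:
            verdicts[scheme] = "ok"
    return verdicts


def risky_active(verdicts):
    """Sorted list of risky schemes that still have an active handler."""
    return sorted(s for s, v in verdicts.items() if v == "risky-active")


if __name__ == "__main__":
    verdicts = audit(scheme_handlers(SAMPLE_PLIST))
    for scheme in sorted(verdicts):
        print(f"{scheme:12} {verdicts[scheme]}")
    print("still to disable:", ", ".join(risky_active(verdicts)))
```

On the constructed sample this flags disk and telnet as still active, reports afp as disabled, and surfaces the unregistered-by-you "malware" scheme as an unknown handler; an entry for a file content type is ignored because it is not a URL scheme. Point it at a real handler plist only after confirming the key names match that system's Launch Services version.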
