<div id="popup_box_thanks" style="display:none" onClick="close_popup_thanks('popup_box_thanks', 'ts')"><br>Thanks for submitting your tip! All submissions are moderated by an editor before appearing online. We've reset the form so you can enter another tip. Or you can close the tip submission box. <div class="x_close" id="thanks_upper_right"><a href="javascript:void(0)" onmousedown="close_popup_thanks('popup_box_thanks', 'ts'); return true;">Close</a></div></div>
<div class="tbf_row"><div class="tbf_wide_extra_top not_bold">Please submit only technical tips that will help other TidBITS readers better use their Macs, iPhones, and related software and hardware. All product announcements should be sent to <a href="mailto:releases@tidbits.com">releases@tidbits.com</a>.</div></div>
<div class="tbf_left">URL</div><div class="tbf_right"><input type="text" value="" name="tip_link_url" tabindex="3"><span class="tip_description"><br>Enter the URL to a Web page that supports your tip.</span></div>
</div>
<div class="spacer"></div>
<div class="tbf_row">
<div class="tbf_left">Linked text</div><div class="tbf_right"><input type="text" value="" name="tip_link_label" tabindex="4"><span class="tip_description"><br>Enter the name of the page linked above.</span></div>
<div class="tbf_wide"><input type="submit" value="Preview Your Tip" name="preview_tip" onClick="fill_preview('tipbits_enclosure_preview', 'ts', this.form); return false;" tabindex="7"> <input type="submit" value="Send Us Your Tip!" name="submit_this_tip" onClick="handle_tip_submission('ts', '', this.form, 'tip'); return false;" tabindex="8"></div>
</div>
<div class="spacer"></div>
<div class="tbf_row">
<div class="tbf_wide"><span class="fine_print">When you submit a tip, you give us permission to use it. Read <a href="javascript:void(0)" onClick="generic_show_hide('tip_terms')">our terms</a> for more details. All submissions are reviewed before publication.</span></div>
<div class="tbf_wide"><span class="fine_print">Our terms: By submitting a tip, you agree to assign TidBITS Publishing Inc., a non-exclusive, worldwide, perpetual license to reproduce, publish, and distribute your tip in connection with the TidBITS Web site and associated products in any media. You agree that you created the content you submitted, and that you have the right to assign us this license. You give us permission to use your name, but your email address won't be publicly displayed or shared. We review all submissions before publication, and reserve the right to select which submissions we feel are appropriate for our readers and to edit those we publish.</span></div>
<div id="comment_thanks" style="display:none" onClick="close_popup_thanks('comment_thanks', 'comm')"><br>Thanks for submitting a comment! Please check your email for a link that, when clicked, will verify that you're a real person and cause your comment to appear immediately. <div class="x_close" id="comment_upper_right"><a href="javascript:void(0)" onmousedown="close_popup_thanks('comment_thanks', 'comm'); return true;">Close</a></div></div>
<div class="tbf_wide"><span class="fine_print">Our terms: We reserve the right to edit or delete any comment, so please post thoughtfully. We use your email address <i>only</i> to send you a one-time verification message confirming that you posted this comment. We also store your address to allow you to verify using other Web browsers in the future. For more info, see our <a href="http://db.tidbits.com/privacy.html">privacy policy</a>.</span></div>
<li><a href="/feeds/tidbits.rss" title="Subscribe via RSS" class="gettb">RSS <img src="/images/feed-icon-12x12.gif" width="12" height="12" border="0" class="nav_img" alt="Subscribe via RSS"></a></li>
<li><a href="http://itunes.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=276986548" title="Subscribe to the podcast" class="gettb">Podcast <img src="/images/feed-icon-12x12_podcast.gif" width="12" height="12" border="0" class="nav_img" alt="Subscribe to the postcast"></a></li>
<li><a href="http://www.twitter.com/TidBITS" title="Get Article Updates via Twitter" class="gettb">Twitter <img src="/images/feed_icon_12x12_twitter.png" width="12" height="12" border="0" class="nav_img" alt="Get Article Updates via Twitter"></a></li>
<li><a href="http://www.facebook.com/pages/TidBITS/195314925519" title="Go to the TidBITS Page at Facebook" class="gettb">Facebook <img src="/images/feed_icon_12x12_facebook.gif" width="12" height="12" border="0" class="nav_img" alt="Go to the TidBITS Page at Facebook"></a></li>
<li><a href="javascript:void(0)" title="Sections" class="tabhead" onClick="return showhide('articleslist')">Sections <span id="articleslist_triangle"><img src="/images/nav_triangle_open.gif" width="9" height="9" border="0" class="navtriangle" id="articleslist_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<li><a href="javascript:void(0)" onClick="return showhide('stafflist')" title="Staff" class="tabhead">Staff <span id="stafflist_triangle"><img src="/images/nav_triangle_closed.gif" width="9" height="9" border="0" class="navtriangle" id="stafflist_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<li><a href="javascript:void(0)" title="Issues" class="tabhead" onClick="return showhide('issuelist')">Weekly Issues <span id="issuelist_triangle"><img src="/images/nav_triangle_closed.gif" width="9" height="9" border="0" class="navtriangle" id="issuelist_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<li><a href="javascript:void(0)" onClick="return showhide('abouttidbits')" title="About TidBITS" class="tabhead">About TidBITS <span id="abouttidbits_triangle"><img src="/images/nav_triangle_closed.gif" width="9" height="9" border="0" class="navtriangle" id="abouttidbits_tri_image" alt="Click to show or hide the contents of this section."></span></a></li>
<div class="center_top">Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling <a href="http://www.takecontrolbooks.com/?pt=TB-TAGLINE" style="color:yellow">Take Control</a> ebooks.</div>
<!-- begin centercolumn -->
<div id="centercolumn">
<!-- begin rightcolumn_container -->
<div id="rightcolumn_container">
<!-- begin rightcolumn -->
<!-- rightcolumn is embedded within centercolumn so featured text wraps around it -->
</div><!-- end tearoffbox_wide_container for watchlist items -->
<!-- begin tearoff box wide -->
<div class="tearoffbox_wide_container">
<div class="tearoffbox_wide_tips">
<div class="tip_display">
<div class="tips_sponsor_logo">
</div>
<h6>How to Make an iPhone Screenshot</h6>
<p><p>Want to take a screenshot of something on your iPhone or iPod touch? Press the Home button and Power button briefly at the same time, and an image of your screen will be saved to the Photos app (and will sync with iPhoto when you next connect). Don't hold the buttons too long or your device will either power down or reboot.</p></p>
</div>
<div class="tearoffbox_wide_bottom_tips">
<div style="padding-bottom:35px"><div class="tip_display" style="float:left"><p><br><a href="/tipbits/100">Link to this tip</a></p></div><div class="tip_display" style="float:right; width:150px">
<div class="tbf_wide_80" id="hc_rc_6291">To help us avoid automated posts and misuse of our site, please enter the words below.</div><div class="x_close_row" id="hc_upper_right2_6291"><a href="javascript:void(0)" onmousedown="HidePopupContent('hc_6291', 'hc', '6291'); return true;">Close</a></div>
<div class="featured_meta"><div class="meta_article">24 May 2004 | <a href="/article/7680?print_version=1">Print <span class="shift_up"><img src="/images/printer_icon.gif" alt="Printer-Friendly Version of This Article" border="0" width="9" height="10"></span></a></div></div>
<H2>Explaining the URL-Based Mac OS X Vulnerability</H2>
<div id="article_box_6291"><P>Exactly what is it about Mac OS X that is responsible for the security vulnerability currently being discussed? The situation is a little confusing, and I may be muddling some of the details, but here's my current understanding of the situation.</P><P>As you know, when you double-click a document in the Finder, the application that "owns" that document starts up and opens the document. For example, if you double-click a Word document, Word starts up. This requires that your computer have a notion of "types of document," and that it draw an ownership association between a particular document type and a particular application. Before Mac OS X, this association was performed by means of four-letter creator codes hidden in the meta-information for a file (the "desktop database"). But on Mac OS X, it's done in a new way, by a part of the system called Launch Services. Apple documents the entire situation on this page of the developer documentation about Launch Services.</P><P><<A HREF="http://developer.apple.com/documentation/Carbon/Conceptual/LaunchServicesConcepts/LSCConcepts/chapter_2_section_4.html">http://developer.apple.com/documentation/Carbon /Conceptual/LaunchServicesConcepts/ LSCConcepts/chapter_2_section_4.html</A>></P><P>Here's what to notice about what that Web page is saying. In addition to the old system of four-letter codes, Apple, in an attempt to improve cross-platform compatibility, added to the mix the notion of the file extension, a several-character code at the end of every filename that provides the clue as to what sort of document the file is. At the same time, Apple also introduced yet a third way of signifying a "document" type, namely by means of a URL scheme. An application can specify that it responds to certain schemes; it is then eligible to be messaged by the system when such a scheme is encountered.</P><P>I don't quite know why Apple did this. Part of the reason may be that Apple seems to have a great deal of trouble making up its mind how to specify a file in general. In Cocoa, for example, a file may be specified either as a pathname or as a URL; on the whole, Mac OS X seems to be trying to break down the distinction between a file and a URL-in-general. This works nicely from one point of view, because it means that for the programmer the command to open a remote file via http is exactly the same as the command to open a text file on the same machine. In any case, though, the thing to understand is that under Mac OS X, a URL becomes a file specifier possessing the same status as a pathname.</P><P>There are various ways in which the system can become aware of an application, and of the fact that an application can respond to a scheme. As noted in the first paragraph of that document, this does <EM>not</EM> require that you launch the application; merely copying the file to your hard disk is sufficient. This seems like a sensible design decision, because after all, when you first receive a new application (Microsoft Word, for instance), you would not want there to be an arcane rule that says you must first open Word itself for the operating system to know what to do with the various .doc files included with the installation. You would prefer the user to be able to double-click a .doc file in the Finder and have Word open the file, even though Word has never run before on this machine.</P><P>So far, so good. But now, keeping all of that in mind, consider what happens when you're browsing the Web in Safari and you click on a link. For example, when you click a mailto URL in a Web page, something needs to happen. Therefore, something needs to associate the mailto URL scheme with your default email client. Way back in the bad old days, Apple had no solution to this problem. But eventually a third-party solution called Internet Config appeared, and Apple later adopted it and built it into the Mac OS.</P><P><<A HREF="http://db.tidbits.com/article/01718">http://db.tidbits.com/article/01718</A>></P><P>But a moment ago, you may recall, I said that any application can now simply declare that it "owns" a certain URL scheme, just as it can claim to "own" a certain document type. That point is reinforced by this page from Apple's developer documentation.</P><P><<A HREF="http://developer.apple.com/documentation/Carbon/Conceptual/LaunchServicesConcepts/LSCIntro/chapter_1_section_1.html">http://developer.apple.com/documentation/Carbon /Conceptual/LaunchServicesConcepts/ LSCIntro/chapter_1_section_1.html</A>></P><P>In other words, Apple has folded together in Mac OS X's Launch Services two very different mechanisms from the classic Mac OS: the Desktop Manager (which pairs documents with applications) and Internet Config (which pairs URL schemes with applications). All of that sounds reasonable enough, since in both cases we are using something (a document or a URL scheme) to launch an application, but the two notions are arguably not parallel. One does not expect the set of URL schemes to be infinitely extensible. It's one thing to click on an email address that's a mailto link and have Mail open; it's another to click on a link and have Help Viewer open, or to have Script Editor open, or to have a hidden application you've never heard of download and mount a disk image.</P><P>The upshot, if I'm an evildoer, is that if I can get you to download my evil application and make Mac OS X aware of it, then I may be able to get you, through a mere Web page, to send that application a message that causes it to launch and do its evil deed. My malicious application declares to the system that it responds to the "evil://" URL scheme, so if I can get you to click on an "evil://" link, my application will launch. Furthermore, as Adam explains in his article elsewhere in this issue, the real trickery comes about if I can manage to deliver a one-two punch without your realizing what has happened. Using a page containing a redirect or even frames, I can effectively make your browser visit two URLs one after the other: the first uses a technique like the disk URL scheme to download the application to your hard disk and to make the operating system aware of it, the second uses my "evil://" protocol to cause Mac OS X to launch it.</P><P>If the overall thrust of the above discussion is right, then the problem we're facing is rather deep-seated. Part of the trouble, of course, is that URL schemes (such as disk) can cause an application to appear on your machine before you know what is happening; but another part of the trouble is that a mere URL in a Web browser can be sufficient to launch that application. Therefore it is impossible to defend against this mode of attack merely by defeating certain individual schemes, because the number of possible schemes is infinite. That's why Unsanity's Paranoid Android is an effective patch: it warns the user about all unknown schemes that might have been registered by a malicious application, rather than focusing on any known schemes. But if I'm right in suggesting that the root of the trouble is the folding of Internet Config's functionality into Launch Services, then plugging this hole completely might require Apple to adjust the architecture of Mac OS X at a level so fundamental that doing so could break some capability to which we've become accustomed.</P><P><<A HREF="http://www.unsanity.com/haxies/pa/">http://www.unsanity.com/haxies/pa/</A>></P><!-- Explaining the URL-Based Mac OS X Vulnerability Matt Neuburg --></div>
<!-- end article text -->
<!-- PayBITS -->
<p> </p><div class="sponsorbox">
<div class="sponsortext"><A HREF="http://markspace.com/bits?source=tidbits"><IMG SRC="http://db.tidbits.com/images/badges/mark-space.gif" ALT="" HEIGHT="50" WIDTH="50" BORDER="0" ALIGN="left"></A>SYNC YOUR PHONE with The Missing Sync: Sync your calendar,<br />address book, music, photos and much more between your phone<br />and Mac. Supports ANDROID, BLACKBERRY, PALM PRE and many<br />other phones. <<a href="http://markspace.com/bits?source=tidbits">http://www.markspace.com/bits</a>></div>
