</div>
<div class="tbf_row">
<div id="centercolumn">
<div id="rightcolumn_container">
</div><!-- end tearoffbox_wide_container for watchlist items -->
<div class="tearoffbox_wide_container">
<div class="tearoffbox_wide_tips">
<div class="tip_display">
<div class="featured_meta"><div class="meta_article">20 Feb 2006</div></div>
<H2>Are Input Managers the Work of the Devil?</H2>
<div id="article_box_7040"><P>The recent flap over the Leap-A malware raises the question of whether Mac OS X is fulfilling its promise as a rock-solid system with a stable, unmodifiable base (see "Two Mac Malware Threats Sighted," elsewhere in this issue). The straw man here is Mac OS 9 and earlier systems, on back through System 6. In those days, you may recall, users could install third-party files called INITs (or extensions) which loaded during startup and modified the behavior of the System. A malicious or buggy INIT could easily destabilize the whole computer or make applications behave in unexpected ways; this could be troublesome both for users, who might find the computer behaving mysteriously, and for developers, whose applications might crash through no fault of their own. If you can't rely on the System to be the System and nothing but the System, what can you rely on? Unfortunately, many third-party INITs were really cool and using them was irresistible. People used to manage the inevitable resulting problems through a mixture of guesswork and extension managers, but we all knew, as four rows of INITs marched proudly across the screen during startup, that we were lucky if the computer worked at all.</P><P><<A HREF="http://www.ambrosiasw.com/forums/index.php?showtopic=102379">http://www.ambrosiasw.com/forums/index.php?showtopic=102379</A>><BR><<A HREF="http://db.tidbits.com/article/05086">http://db.tidbits.com/article/05086</A>></P><P>In Mac OS X, on the other hand, there are no INITs, and the system files are protected by permissions. Thus, in theory, Mac OS X is much less susceptible to customization than earlier Apple systems. 
That may be disappointing (personally, I'd kill for a Mac OS X version of Menuette!), but the trade-off is the assurance that there is just one System - once I tell you what version of Mac OS X I'm running, you know exactly how it behaves in every fundamental respect.</P><P><<A HREF="http://db.tidbits.com/article/05545">http://db.tidbits.com/article/05545</A>></P><P>But do you? I sometimes get the feeling that Mac OS X is just as full of customization holes as earlier systems were. In fact, Mac OS X may be worse than earlier systems, because those customization holes are harder to track than INITs were, and because the feeling of security misleads the user into a misplaced confidence. In reality, no one has a pristine System, and keeping the System even somewhat pristine requires constant vigilance. In an earlier article I talked about the security concerns represented by the Launch Services architecture and URL schemes (see "Explaining the URL-Based Mac OS X Vulnerability" in <A HREF="http://www.tidbits.com/tb-issues/TidBITS-731.html">TidBITS-731</A>). The Leap-A malware exploits a more insidious and powerful device, the Input Manager.</P><P><<A HREF="http://db.tidbits.com/article/07680">http://db.tidbits.com/article/07680</A>></P><P>An Input Manager is, in theory, merely an aspect of text input. It is through an Input Manager, for example, that Japanese input is enabled on Mac OS X: effectively, the system watches as you type or work in the input palette, suspending judgment about the text being entered until you've supplied enough information, and thus you can enter characters from a repertoire vastly larger than the number of keys on a keyboard. 
Developers can create their own Input Servers, which embody the functionality of Input Managers and make themselves available to all applications.</P><P><<A HREF="http://developer.apple.com/documentation/Cocoa/Conceptual/InputManager/Tasks/InputServerDeployment.html">http://developer.apple.com/documentation/Cocoa/Conceptual/InputManager/Tasks/InputServerDeployment.html</A>></P><P>The trouble is that Input Managers "make themselves available to all applications" through being injected by the System into every application as it starts up. Thus an Input Manager is a general, legal method to modify application behavior. Naturally it didn't take long for the thought to occur to someone that such modification need have nothing to do with inputting text! Thus, Input Managers - or, at least, bundles of code installed in a Library's InputManagers folder - are the basis of many popular hacks, including StuffIt Deluxe's MagicMenu feature, CocoaGestures, Smart Crash Reports, certain Growl Extras, PithHelmet (and SIMBL), Saft, Inquisitor, and many others (as those last examples show, this is a particularly popular way to hack Safari). 
And Input Managers lie at the heart of how Leap-A works.</P><P><<A HREF="http://www.stuffit.com/mac/deluxe/learnmore.html">http://www.stuffit.com/mac/deluxe/learnmore.html</A>><BR><<A HREF="http://www.bitart.com/CocoaGestures.html">http://www.bitart.com/CocoaGestures.html</A>><BR><<A HREF="http://www.unsanity.com/smartcrashreports">http://www.unsanity.com/smartcrashreports</A>><BR><<A HREF="http://growl.info/documentation/growlsafari.php">http://growl.info/documentation/growlsafari.php</A>><BR><<A HREF="http://culater.net/software/PithHelmet/PithHelmet.php">http://culater.net/software/PithHelmet/PithHelmet.php</A>><BR><<A HREF="http://haoli.dnsalias.com/Saft/">http://haoli.dnsalias.com/Saft/</A>><BR><<A HREF="http://www.inquisitorx.com/safari/">http://www.inquisitorx.com/safari/</A>></P><P>The reason this is such an easy vector for Leap-A to take advantage of is that no special permissions are required for an application to install an Input Manager into your ~/Library/InputManagers directory, nor (if your User is an admin, or if you give an admin password when requested) in the system-wide /Library/InputManagers. It can thus affect all subsequently launched applications, forever (or until you notice the unwanted Input Manager, delete it, and log out). It has been argued that this architecture represents no greater security hole than the maliciousness that any application might represent; after all, if I can get you to download and run my application, my application can delete everything in your User directory before you can say Jack Robinson. That's true, but it's also true that an Input Manager is code that you _don't_ consciously run. It blindsides you; it's just "there," invisibly, affecting everything you _do_ run, without your knowing what it does, where it is, or how it got there. Even in the absence of malice, a badly written Input Manager installed at a high enough level can render the computer completely unusable. 
Gosh, it's just like in the good old days of System 6, isn't it?</P><P>Unfortunately, it would require serious rethinking of the Mac OS X architecture to put this genie back in the bottle. Surely Apple has long known that Input Managers might be used maliciously; to do nothing about this possibility is to hope that they won't be so used, and hope, while it may spring eternal, is not an effective security technique. Indeed, something suspiciously similar to Leap-A was announced as a proof-of-concept for the malicious use of Input Managers back in July of 2005; one can hardly be surprised at its present reification. (Even more suspiciously, the original article has been taken down.)</P><P><<A HREF="http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-06/0024.html">http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-06/0024.html</A>></P><P>Before the identification of Leap-A, a discussion of Input Managers caught my attention because, embarrassingly, silent installation of an Input Manager is performed by Path Finder, an application that I had previously recommended. This discussion included various suggestions for coping with unwanted Input Managers, including simply locking down the InputManagers directories by assigning them prohibitive permissions. (Already there's an "OompaLocker" AppleScript available to do exactly that.) Such measures seem extreme, but the chances that Apple will do anything to stem the spread of such unwanted silent installations are vanishingly small. So what's a user to do? What I would ideally like is an application that would occasionally comb certain key folders (InputManagers, StartupItems, Extensions - any others?) to see whether anything has been recently installed there, and perhaps something that I could run before and after installing any new piece of software to learn what was installed where. (Yank is said to be an application of the second type, but I haven't tried it.) 
Apart from that, I suppose we'll all just have to keep muddling along as usual, hoping that Mac OS X is reasonably safe under most circumstances.</P><P><<A HREF="http://daringfireball.net/2006/01/smart_crash_reports">http://daringfireball.net/2006/01/smart_crash_reports</A>><BR><<A HREF="http://www.friday.com/bbum/2006/01/20/sandvox-hidden-feature/">http://www.friday.com/bbum/2006/01/20/sandvox-hidden-feature/</A>><BR><<A HREF="http://toxicsoftware.com/blog/index.php/weblog/entry/us_vs_them/">http://toxicsoftware.com/blog/index.php/weblog/entry/us_vs_them/</A>><BR><<A HREF="http://www.matterform.com/index.php?page=/yank/">http://www.matterform.com/index.php?page=/yank/</A>><BR><<A HREF="http://www.springboardsoftware.com/">http://www.springboardsoftware.com/</A>><BR><<A HREF="http://db.tidbits.com/article/08411">http://db.tidbits.com/article/08411</A>></P><!-- Are Input Managers the Work of the Devil? Matt Neuburg --></div>
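<P>The two tools the author wishes for above (something that combs the InputManagers, StartupItems and Extensions folders for recent arrivals, and something to run before and after an install to see what landed where) can be approximated with a few lines of shell. The script below is an added example for this page; it is not from the article and is not OompaLocker or Yank. The watched paths, the script name and the "one directory entry per installed bundle" simplification are assumptions; the folder list mirrors the ones the article names.</P>

```shell
#!/bin/sh
# Added example (not from the article): snapshot the folders where code gets
# silently installed, diff the snapshots taken before and after a software
# install, or list anything that changed in those folders recently.
# The paths are assumptions for a Mac OS X system of the article's era.

# Folders to watch, one per line (assumed locations; adjust for your system).
watch_dirs() {
  printf '%s\n' \
    "$HOME/Library/InputManagers" \
    "/Library/InputManagers" \
    "/Library/StartupItems" \
    "/System/Library/Extensions"
}

# snapshot DIR... : sorted list of the items directly inside each DIR that exists.
# Input Managers and kexts are bundles (directories), so one entry per item suffices.
snapshot() {
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -mindepth 1 -maxdepth 1 2>/dev/null
  done | sort
}

# new_entries BEFORE AFTER : items present in the AFTER snapshot but not in BEFORE.
# Both files come from snapshot(), so they are already sorted as comm requires.
new_entries() {
  comm -13 "$1" "$2"
}

# recent DAYS DIR... : items in DIR... whose modification time is within DAYS days.
recent() {
  days=$1
  shift
  for d in "$@"; do
    [ -d "$d" ] || continue
    find "$d" -mindepth 1 -maxdepth 1 -mtime "-$days" 2>/dev/null
  done | sort
}

# Command-line use (assumed script name watch_injection_dirs.sh):
#   sh watch_injection_dirs.sh snapshot > before.txt
#   ... install the new software ...
#   sh watch_injection_dirs.sh snapshot > after.txt
#   sh watch_injection_dirs.sh diff before.txt after.txt   # what appeared?
#   sh watch_injection_dirs.sh recent 7                    # anything new this week?
case "${1:-}" in
  snapshot) watch_dirs | while IFS= read -r d; do snapshot "$d"; done | sort ;;
  diff)     new_entries "$2" "$3" ;;
  recent)   watch_dirs | while IFS= read -r d; do recent "${2:-7}" "$d"; done | sort ;;
esac
```

<P>The before/after diff is the more reliable of the two checks: an installer that deliberately back-dates a bundle's modification time would slip past the "recent" listing, but it cannot avoid appearing in a listing taken after it ran. Keep the "before" snapshot somewhere the installer cannot reach, and remember that deleting an unwanted Input Manager only takes effect for applications launched after the deletion (or after logging out, as the article notes).</P>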
<!-- end article text -->
<!-- PayBITS -->
<div class="sponsorbox">