Inaccurate Record

Never one to let actual research or reporting get in the way of a good story, The Register’s Tony Smith published an article about yesterday’s security update, in which he alleges that the update does not block the example exploits published by Unsanity:

We installed the update on a Mac OS X 10.3.4 machine. After restarting the machine, we went straight to Unsanity’s web site, the location of a pair of web pages that test the URI vulnerability. Neither test was blocked by the update, details of which can be found here.

[…]

Unlike Paranoid Android, the code contained in the update remembers applications the user has permitted other applications to open, or those that the user has opened themselves. So it’s possible that the system is allowing access to the test site apps because they have already been run prior to the installation of the update.

In fact, that’s exactly what is happening. The new confirmation dialog that Launch Services presents to prevent unknown applications from being launched automatically will only be presented for, well, unknown applications.

In other words, any application that you’ve previously launched is implicitly trusted by Launch Services. This includes the example exploit applications at Unsanity and http://test.doit.wisc.edu/. So if you previously tried these example exploits without disabling the URI protocols they take advantage of, then these examples will still work after installing Security Update 2004-06-07.

To be clear: Security Update 2004-06-07 blocks these example exploits in exactly the way it is supposed to.

The inner workings of Launch Services are not documented publicly. However, it’s clear that Launch Services has always kept track of applications that have been launched. The tracking of previously-launched apps is not new; what’s new is that Launch Services will no longer automatically launch never-before-launched apps without confirmation.

Here’s how I tested this. I have three Macs here, one of which is an older iMac used for testing. That’s the machine I previously used to test example exploits at the aforelinked sites. After installing Security Update 2004-06-07 on this iMac, the example exploits still worked.

I immediately suspected that the problem was that Launch Services “remembered” those apps. Apple does not document where the Launch Services database is stored on disk, but I deleted the following files:

  • /Library/Caches/com.apple.LaunchServices.6B.csstore
  • /Users/gruber/Library/Caches/com.apple.LaunchServices.UserCache.csstore

Then I restarted the machine. (I believe, but am not sure, that you can’t just log out/in; you need to restart to nuke these files. And, sometimes, the cache file gets written back to the disk after you delete it but before the Mac restarts. I think this is because the “live” Launch Services database is not stored on disk, but rather in memory, and the above files are, as their pathnames indicate, merely caches of this information; i.e. sometimes the old Launch Services database will get rewritten to the cache file before you restart. Sorry for all the wavering vagueness here in this parenthetical; suffice it to say that Launch Services is more or less a black box, but you can delete your existing LS database by deleting these files and restarting, it’s just that sometimes, in my experience, it doesn’t take.)

At this point, after deleting the LS caches and restarting, the example exploits no longer worked on the iMac. On the other two Macs here, neither of which had ever executed the example exploit apps, Security Update 2004-06-07 blocked the exploits as advertised.

Note: I am not advising you to delete your Launch Services cache files. Doing so will almost certainly do you no good whatsoever.

Smith continues:

The same site provides Paranoid Android, a utility that halts attempts to open apps from URIs and offers the user the choice of proceeding with the attempt or to cancel it.

That’s not what Paranoid Android does. Paranoid Android prevents all “untrusted” URI protocols from working without confirmation, including protocols which have nothing to do with the launching of applications.

Security Update 2004-06-07 does the same thing, but on our system it failed to do so.

Security Update 2004-06-07 is not at all like Paranoid Android. Paranoid Android takes sweeping measures, by default, blocking all URIs other than ‘http’, ‘https’, and ‘mailto’. Security Update 2004-06-07, on the other hand, makes a surgically precise modification to the previous (vulnerable) behavior of Launch Services: it only kicks in when Launch Services has been asked to automatically launch a never-before-launched application.

Users who prefer a ‘belts and braces’ approach to security may wish to stick with Paranoid Android, but we’d certainly recommend installing the new update in any case.

Bad advice. Even Unsanity agrees that Paranoid Android is obsoleted by Security Update 2004-06-07:

UPDATE: Security Update 2004-06-07 fixes the issues Paranoid Android was created to address. After installing the Security Update, you can safely uninstall Paranoid Android.

Of course, Unsanity doesn’t tell you how to uninstall Paranoid Android. (The Uninstall button in their installer only removes the Paranoid Android haxie module; it doesn’t remove any of the Application Enhancer detritus spread across your top-level /Library and /System folders (you did know that Application Enhancer installs a bundle within your /System folder, right?). Anyway, after running the uninstall command in the Paranoid Android installer, you can uninstall the rest of the Application Enhancer software using the Uninstall button in the Information tab of the APE Manager panel in System Prefs.) But you shouldn’t have to worry about that, because you didn’t install Paranoid Android.
