Somehow I'm not surprised

twyg

twyg

Back to Mac Baby!
http://securitytracker.com/alerts/2002/Jan/1003326.html

Looks like our friends at Microsoft have as usual made their product so sprawling that it was easy that something like this could pass through the cracks. I would imagine that if AppleScripts could be started, why not other things? (With a little tweaking of course)

I realize the work and complexities of programming something the size, and capability of Internet Explorer. I also know that when a program and it's developers are managed well, and QA is heavily monitored things like this don't happen. Why on earth would someone want to run a file on a users machine. Mind you, the question is not "why would you" but definitely should be "why can they?" Privacy buffs, have at it... :D

Imagine the damage that could be caused. Let's now rejoice in the fact that 99.9% of the mac users we know aren't malicious enough to do real damage, just for the simple reason that it isn't a nice thing to do.

Most PC hackers wouldn't be able to do much damage either. You know why? AppleScript is far to simple, they would get thrown off by looking for "the real code". ;)

note: This all applies to the OS 9 version, as stated in the link text. But if it's in the 9 version, then what was missed in 10?
 
it's almost as frightening to think that this post has been up for 2 days with no response.

but this is just another example of how we can't trust m$. and yet mac users keep buying their products day after day.

this is far too easy a target to get me going so i will exercise some self control and see if anybody has anything to add the second time thru the thread lists.;)
 
I would point out that if you have a configuration that is any different from the address given in the example it is not going to work. Like the fact that many of us don't leave our hard drives named "Macintosh HD". And others may not even have their System Folder on the root leave of their drive. What you end up with is a error message.

So let review what we have, all the paths and AppleScripts must be know by the person trying to do this (AppleScripts can't be placed on your system by someone trying to do this). This makes it very lose in the risk area (and rates at best mild in the annoying category).

Interesting though.
 
Actually, AppleScript is very powerful. You can use a line like:

delete folder "System Folder" of startup disk

and you can evade the problem of having to know the name of the startup disk in both OS X and OS 9. Similarly, OS X MUST have (in it's current incarnation -- I'm still hoping that Apple will be able to consolidate everything into one folder and allow it to be movable) the System, Library, and Users folders at the root folder of the hard drive. In OS 9, no matter where the system folder is, there is a function that can tell you the path to the system folder or extensions folder or something like that. I think the line get (path to system folder) as string will allow you to put the path into a variable, and again you can evade the problem of having the system folder not in the root folder of the hard drive AND you can evade the problem of the renamed hard drive.

I'm sure you could make a TON of programs with just AppleScript, it is such a powerful language. So what's the best security precaution? Use OmniWeb or Netscape 4.79, use AppleWorks instead of Office, use Quicktime Player instead of Windows Media Player, and use Mail.app instead of Entourage or Outlook Express (I have to say I use Outlook Express all the time, though -- WHERE IS OS X 10.1.3?? grr). Simple as that.

Just thought you'd all like to know these little factoids about AppleScript.
 
In this bug though, the AppleScript would already have to reside on the end user's hard drive. In SimX's scenario, someone would already have to have an Applescript on their machine that said to delete the System Folder - then they'd have to go to a URL that called that AppleScript by name specifically. Such an Applescript doesn't exist by default. Also, you can't delete the active System Folder in Mac OS. The computer would just bring up a dialogue box saying you couldn't do it if an AppleScript tried.
 
Well assuming that you were using Internet Explorer for OS 9 or maybe Outlook Express, a user could transmit the AppleScript via e-mail and have OE unwittingly place it on the hard drive, and then have them go to the website and have it be executed. Plus, in OS X anyway, AppleScript COULD potentially erase the hard drive by issuing a "sudo rm -Rf /System" command to the command line which it can do either by going via the Terminal or going directly to the command line without the user seeing it being activated, provided that the user gave his password to the little authentication dialog box.

(I have to give a little side note here, because of some of the skepticism that may come up. But it certainly is possible to delete all of the system resources even though it is in use, since OS X pages them all to memory. I learned this the hard way once.... I issued a "sudo rm -Rf System Folder" command through the terminal and gave my password. Guess what I did wrong? I forgot to add little single quotes around 'System Folder'. I was really trying to delete the Classic OS 9 system folder that I had accidentally copied over onto my OS X startup disk into the root folder. So UNIX interpreted my command to delete the whole folder "System" and to delete the whole folder "Folder". Needless to say, I had to reinstall OS X once I realized what I did when UNIX complained to me saying there was no folder called "Folder". The system was working fine, still, but I realized that once I restarted, I wouldn't be able to start up -- lesson learned the hard way.)

Of course, all this still is very hard to do, but I'm just saying that it's not because of AppleScript. AppleScript is VERY capable in OS X to do just about anything you wanted to do, especially now that you can have it issue a command to UNIX. In OS 9 it still isn't hampered that much either -- it IS true that the system folder couldn't be deleted if active, but you could delete preferences or extensions or other personal documents via AppleScript.

AppleScript is very capable of doing these malicious things, so what I'm trying to say is that you need to make sure that you don't have any security compromises like the one that twyg has mentioned in this thread. And hackers are very persistent at finding ways of executing little programs on your computer, so make sure you don't unwittingly open any back doors.
 
You know that is very interesting (and yes I have been quite aware of what AppleScript could do), but as Jadey pointed out (and I made it a point to point out in my post), this is HTML that requires that the path and script both be known.

And though imaginative, currently most e-mail clients aren't scriptable in the same way that Outlook is in Visual Basic Scripting in Windows. The idea of using e-mail or a web address means that you also have a direct path back to the person using the scripts, and from what I've heard getting caught takes all the fun out of it.
 
You must log in or register to reply here.
Back
Top