May 20, 2004
Keep Yo' Surf Safe With Paranoid Android!

A new security vulnerability in Apple's Mac OS X is pretty nasty and has had lots of people worried about surfing the net. So, we've whipped out a quick, free haxie that'll give you some protection until Apple comes up with the real-deal fix.

The vulnerability involves the use of URL "schemes". These are the part of a web address that specifies what program should be used to handle the address. The vulnerability is nasty because potentially, a malware author could write an exploit that would delete your home directory, and it could be triggered simply by surfing to the wrong web page. Hence, people's concern.

Paranoid Android to the rescue! Paranoid Android can protect you from this potential vulnerability until Apple makes an official fix available. It does this by watching the URL schemes that are requested and holding each request until you've had a chance to say whether you'd like to proceed or not. If you know that the URL being loaded is legit, go ahead, but if it looks suspicious, Paranoid Android gives you an opportunity to cancel it.

Paranoid Android is free! Enjoy, and surf safely!

 Posted by jason at 03:14 AM | Comments (26) | TrackBack (5)
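The decision Paranoid Android makes on every link ("is this scheme one we trust, or should the user be asked?") is easy to get subtly wrong, so here is the policy written out as a small gatekeeper that can be tested offline. This is an added example, not Unsanity's code and not how the haxie is implemented: the default safe set (http, https, ftp, itms) and the user-extendable allowlist follow what the post and its comments describe, while the whitespace normalisation, the fail-closed handling of malformed input, and every sample link are constructed assumptions for illustration.

```python
"""URL-scheme gatekeeper sketch in the spirit of Paranoid Android.

Added example, not Unsanity's code: it models the decision PA makes ("is this
scheme on the safe list, or should we ask the user?") so the policy can be
tested offline. Default scheme set, sample links and helper names are
constructed for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )
_SCHEME_RE = re.compile(r"\A([A-Za-z][A-Za-z0-9+.-]*):")
_SCHEME_NAME_RE = re.compile(r"\A[A-Za-z][A-Za-z0-9+.-]*\Z")
# Leading/trailing C0 controls and spaces, and embedded tab/CR/LF, which
# browsers strip before dispatching a link (WHATWG URL parsing behaviour).
_EDGE_CONTROLS = re.compile(r"\A[\x00-\x20]+|[\x00-\x20]+\Z")
_INNER_TAB_NL = re.compile(r"[\t\r\n]")

# Schemes the post's comments say PA treats as safe. Constructed default set.
DEFAULT_SAFE: Set[str] = {"http", "https", "ftp", "itms"}


def normalize(url: str) -> str:
    """Apply the same whitespace stripping a browser does, so the policy
    judges the scheme the handler would actually receive."""
    return _INNER_TAB_NL.sub("", _EDGE_CONTROLS.sub("", url))


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme, or None when the text has no valid one."""
    m = _SCHEME_RE.match(normalize(url))
    return m.group(1).lower() if m else None


def is_relative_reference(url: str) -> bool:
    """True when the first path segment carries no ':', i.e. the link resolves
    against the current page and never reaches an external scheme handler."""
    first = re.split(r"[/?#]", normalize(url), maxsplit=1)[0]
    return ":" not in first


@dataclass
class SchemePolicy:
    allowed: Set[str] = field(default_factory=lambda: set(DEFAULT_SAFE))

    def trust(self, scheme: str) -> None:
        """Models the APE Manager '+' button: let a scheme through unasked."""
        if not _SCHEME_NAME_RE.match(scheme):
            raise ValueError(f"not a valid scheme name: {scheme!r}")
        self.allowed.add(scheme.lower())

    def decide(self, url: str) -> str:
        """'allow' for trusted schemes and page-relative links, 'prompt' for
        everything else (including text that only looks like a URL)."""
        scheme = extract_scheme(url)
        if scheme is not None:
            return "allow" if scheme in self.allowed else "prompt"
        if is_relative_reference(url):
            return "allow"
        return "prompt"  # fail closed on malformed scheme-like input


# Constructed sample links, in the spirit of the 'evilthing:blah' test a
# commenter suggests. None of them point anywhere real.
SAMPLE_LINKS = [
    "http://example.test/haxies/",        # in DEFAULT_SAFE
    "  HTTP://example.test/\n",           # case and whitespace normalised
    "itms://example.test/album",          # treated as safe per the comments
    "mailto:someone@example.test",        # not trusted by default: ask
    "evilthing:blah",                     # unknown scheme: ask
    "/local/page.html",                   # relative: no handler launched
    "123bad:foo",                         # malformed: fail closed
]


def run_demo(extra_trusted=()) -> Dict[str, str]:
    """Evaluate the sample links under the default policy plus any schemes
    the user has chosen to trust; returns {link: decision}."""
    policy = SchemePolicy()
    for s in extra_trusted:
        policy.trust(s)
    return {link: policy.decide(link) for link in SAMPLE_LINKS}


if __name__ == "__main__":
    for link, verdict in run_demo().items():
        print(f"{verdict:6s} {link!r}")
```

Two design choices matter here. Normalising before matching means `"  HTTP:"` is judged as `http` rather than slipping past a case-sensitive list, and anything that has a colon in its first segment but is not a well-formed scheme is prompted rather than waved through, so the allowlist is the only path to silence. Trusting `mailto` with `trust("mailto")` is the same effect as adding it in the APE Manager prefpane, which is the fix the comments give for the repeated email warnings.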
Comments

Strange - I just loaded this and logged out and back in, but it isn't being loaded for any application.

Is there something I need to do to "activate" this? Or should it be loading like other APE modules?

Posted by: neil on May 20, 2004 6:53 AM

Jason, you say that "a malware author could write an exploit that would delete your home directory" but wouldn't that type of exploit still require you to authenticate? Or can you delete your home directory without authenticating? I've seen a few of the proof-of-concepts that are currently available online and at first I thought, holy crap these things can nuke my system...but then I realized that ultimately anything they do (whether it be in the terminal or elsewhere) will require authentication before it can proceed. Or am I wrong here? I thought that was one of the strong points of Mac OS X? I thought only if you were running as root would you be able to delete your home directory.

Could you clarify this for me?

Posted by: mark on May 20, 2004 7:05 AM

You are mistaken mark. Authentication is ONLY needed to modify folders/files or other stuff that the current user does not own and cannot do. Since the current user owns the home folder, the current user can delete it (try it, move the home folder to the trash or something).

Malware could not delete the entire HD, unless you log in as root, of course, which is a rather silly thing to do.

And it is active. Try typing evilthing:blah in Safari and hit return. Just because it has no affected applications does not mean it isn't loaded.

Posted by: Rosyna on May 20, 2004 8:11 AM

I work for a school district that is all OS X. I saw this haxie, downloaded it, but like neil above there are no applications listed in the Enhanced Applications list. How do we add Safari, IE or any other browser that we might use.....or are we automatically protected with it???? Please let us know!!!!

Posted by: CLarson on May 20, 2004 8:37 AM

CLarson - did you restart the computer after installing it (or just log out and back in)? That's required.

Alternately, a while ago none of my Haxies were working at all after moving HDs (after my original one crashed and I spent 2 days running Data Rescue on it to get my data back). The solution? Reinstall Application Enhancer and reboot.

Posted by: kevin on May 20, 2004 9:51 AM

If you all would like to see screenshots of Paranoid Android in action, go here:

http://www.marihart.org/leo/tao/hole_filling/

I'm a bit rushed today, but I wrote it up for some friends who were also saying 'Wha...?' about this issue.

Posted by: Leo of BORG on May 20, 2004 11:56 AM

Go Jason! Thanks guys.

Posted by: NetworkShadow on May 20, 2004 12:02 PM

Do you plan to release a Jaguar version?

Larry

Posted by: Larry Friedman on May 20, 2004 2:05 PM

Works like a charm, guys! Simple and elegant. Great job.

Posted by: la1itree on May 20, 2004 6:12 PM

Larry: Jaguar isn't affected by the exploit (actually, i think help:// may be, but not the second one).

mark/Rosyna: well, it's semi-easy to make the exploit app to pop up an authentication dialog. Most users will blindly enter the admin password without much thinking -- and bingo, you got full root access.

Scary.

Posted by: slava on May 21, 2004 1:23 AM

Oh, about PA not showing up in the Affected Applications -- I think Jason forgot to put the APEBundleMessage() call in, so the module *does* load, but won't show up in the affected apps list (we don't register APE modules without an APEBundleMessage() callback for speed/rationality purposes). We'll fix this in the next update, if it will be needed (read: Apple won't act fast).

Posted by: slava on May 21, 2004 1:25 AM

I'm thinking of installing PA, but I've not used haxies before. I was going to be upgrading from 10.3 to 10.3.3 soon and wonder if I would need to uninstall PA before doing so. Also, how DO you uninstall PA exactly?
Thanks

Posted by: cuppa on May 21, 2004 5:24 AM

I noticed that PA doesn't say anything when I click (in Safari) on a link on a website that leads to the iTunes music store.

I would have assumed I'd get a warning about "daap:" in use, but it just went right through. I know there is no vulnerability involving daap right now, but I thought PA was supposed to catch everything? Or is Safari/iTunes using a different method that bypasses PA?

Latest versions of Safari, iTunes, and OS X were used.

Posted by: Johnathan Grant on May 21, 2004 6:00 AM

iTMS uses the itms: protocol, not daap:

daap: is used for the rendezvous sharing.

Posted by: Rosyna on May 21, 2004 8:00 AM

Unless it was fixed in iTunes 4.5, daap: is actually treated as a streaming URL (which is wrong).

Posted by: kevin on May 21, 2004 9:49 AM

Having problems w/ PA and Entourage (yah, I know). mailto: links in web pages will bring E forward, but not instigate a new message w/ recipient entered. Also, HTML emails with certain images will launch the PA warning; accepting will allow images to be loaded, but trying to delete the message afterwards results in an empty message dialog.

Posted by: bughouse on May 21, 2004 1:11 PM

If you're interested in more fully understanding the exploit that PA protects you from, this is a good description:

http://www.euronet.nl/~tekelenb/playground/security/diskURLscheme/

Posted by: petey on May 21, 2004 1:26 PM

Yes, I restarted the computer and received the same results. I just installed it on a new computer - logged out = restarted = logged back in and no applications show under enhanced applications.

Posted by: clarson on May 21, 2004 4:00 PM

clarson, Paranoid Android 1.0 doesn't show which apps are enhanced in the APE Manager preference pane, but it's working fine.

Posted by: Jason Harris on May 21, 2004 4:24 PM

Pardon me for indicating the wrong URI (daap) when I should have indicated (itms). My point was that no warning at all came from Paranoid Android, and I thought it should have given me a warning for *something*, since a protocol helper was indeed being called. That's all. I had been up a long time, and was about to go to bed when I posted that. I just used the protocol that came to mind when I thought of iTunes. If PA had given me a warning, then I would have known the proper protocol, but then, I wouldn't have had anything to post about.

Lest I be taken the wrong way, I do certainly appreciate your efforts in this matter, as your solution certainly does seem more comprehensive and appropriate than what Apple has provided thus far.

Posted by: Johnathan Grant on May 21, 2004 10:09 PM

Well, PA doesn't warn about itms because itms is considered safe. As are http, ftp, https, and some others.

Posted by: Rosyna on May 22, 2004 8:17 AM

How do I uninstall PA? It is driving me crazy with incessant warnings (twice) for each HTML email.

Posted by: Paul McKlendin on June 6, 2004 4:45 PM

Paul McKlendin - umm, you don't need to install, just put the scheme you're using into the PA list. Just go to the APE Manager prefpane, select Paranoid Android, hit the + button and type the scheme in (the scheme being, for example, 'http' or 'ftp').

If you really want to get rid of it the easiest way is it just uncheck it in the APE Manager and relaunch the applications you want to be free of PA. This doesn't uninstall it, it just disables it. If you want to uninstall go to ~/Library/Application Enhancers/ (or /Library/Application Enhancers/) and delete Paranoid Android.ape

Posted by: kevin on June 6, 2004 5:45 PM