February 21, 2006
Paranoid Android Updated

Looks like it's OS X security vulnerability season! I've updated Paranoid Android to handle the class of exploit described here.

Basically, what's going on with that type of exploit is that somebody created a shell script, gave it a filename extension and type/creator to make it look like a QuickTime movie, but used the Finder's Get Info command to specify that it should be opened in Terminal.

That's rather nasty, but it also turns out that if you make the shell script slightly non-standard (no details here, check the above Secunia link), it will auto-execute if you download it in Safari and you've got the open safe files preference turned on. Kinda nasty just turned into very nasty.

Rosyna has a fix for the Safari thing here, but it seems that there might be other vectors besides Safari, so I figured it was time to dust off Paranoid Android.

So, without further ado, Paranoid Android 1.3 adds a new checkbox marked "Watch non-default application launches". If you install PA and then log out and in, you'll be protected from any application trying to launch any file using an application other than the default.

Now, I personally won't be using this - I'll wait for a fix from Apple. But, if you're paranoid, try the Android.

Download Paranoid Android 1.3

Or, for the uber-paranoid or terminally curious, download the source code.


 Posted by jason at February 21, 2006 02:43 PM
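As an added example (not part of the original post and not Paranoid Android's own code), the disguise described above, a script named as a QuickTime movie, can be caught on the download side by comparing a file's extension with its leading bytes. The function names, the signature table and the sample files are assumptions made for this sketch.

```python
import os
import tempfile

# Atom types commonly found first in a QuickTime/MP4 container (bytes 4..8).
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"free", b"skip", b"wide", b"pnot"}

# Extension -> predicate over the file's leading bytes.
SIGNATURES = {
    ".mov": lambda h: h[4:8] in QT_ATOMS,
    ".mp4": lambda h: h[4:8] in QT_ATOMS,
    ".jpg": lambda h: h.startswith(b"\xff\xd8\xff"),
    ".png": lambda h: h.startswith(b"\x89PNG\r\n\x1a\n"),
    ".gif": lambda h: h[:6] in (b"GIF87a", b"GIF89a"),
}

def looks_like_text(head):
    """True when the leading bytes are printable ASCII, as a script's would be."""
    return bool(head) and all(b in b"\t\n\r" or 32 <= b < 127 for b in head)

def check_download(path):
    """Return (verdict, detail); verdict is 'ok', 'mismatch' or 'unknown'."""
    ext = os.path.splitext(path)[1].lower()
    matches = SIGNATURES.get(ext)
    if matches is None:
        return ("unknown", "no signature on file for %r" % ext)
    with open(path, "rb") as fh:
        head = fh.read(64)
    if matches(head):
        return ("ok", "content matches %s" % ext)
    kind = "plain text" if looks_like_text(head) else "unrecognised binary"
    return ("mismatch", "%s named as %s" % (kind, ext))

def scan(directory):
    """Return {filename: detail} for every file whose content contradicts its name."""
    flagged = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            verdict, detail = check_download(path)
            if verdict == "mismatch":
                flagged[name] = detail
    return flagged

if __name__ == "__main__":
    # Constructed samples: one real-looking movie header, one disguised text file.
    d = tempfile.mkdtemp()
    for name, data in (("clip.mov", b"\x00\x00\x00\x14ftypqt  "),
                       ("holiday.mov", b"echo constructed sample\n")):
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    print(scan(d))
```

This only inspects file content; it does not look at the per-file "open with" setting, which is what the new Paranoid Android checkbox watches at launch time.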

Comments

On 10.3.9, every app that loads logs a message in the console:
"ParanoidAndroid could not load due to an unknown error"

I've gone back to 1.2 and APE 1.4.2 for now.

Posted by: DaveH on February 22, 2006 3:58 AM

Hi,

I am a VersionTracker Pro user and I know them and MacUpdate; they will hesitate when a security product changes its download URL, etc.

Please update your listing at MacUpdate/VersionTracker/Apple Downloads (three enough I guess!).

Funny, even your Slashdot comment is at +2 right now. I know +5 funny will hit number 1 but it is now at bottom of page. :)

Posted by: Ilgaz on February 22, 2006 7:47 AM

Oh sorry, forgot. On 10.4.5, there are no warnings at Console.

Posted by: Ilgaz on February 22, 2006 7:48 AM

The link for Paranoid Android 1.3 does not work, sorry.

Where can I get version 1.3?

Posted by: markus Bischoff on February 22, 2006 8:40 AM

We've updated the download link and the Paranoid Android page, Markus, and I've verified that they work. SourceForge requires you to pick a download mirror.

I got this release out fast-fast-fast, so I didn't look at maintaining 10.3.x compatibility. I'll take a look at it, it's probably something minor.

Posted by: Jason Harris on February 22, 2006 10:52 AM

I can't believe I completely forgot how paranoid Paranoid Android actually was. I think he could constitute some sort of animated series:

(insert over caution warnings over basic user actions here)

Posted by: Saint on February 23, 2006 10:03 AM

I like it a lot, this should protect you against a whole lot of trojan-style malware.

One small point: I always get two dialogue boxes. Is this by design or can it be fixed?

Posted by: fire on February 23, 2006 11:12 PM

Any chance of 10.3.9 compatibility?

Posted by: on February 24, 2006 10:33 AM

Program does not allow repair permissions after installing?
I'm not sure.

Posted by: Bill on February 24, 2006 7:55 PM

OS 10.4.4, Safari 2.0.3

Since I have RSS turned on to automatically check for new articles every hour, Paranoid Android warns me of SyndicationAgent.app activity every hour. I've put SyndicationAgent.app on the exclude list, and restarted Safari, logged out and logged back in, and even restarted the computer, but that warning still comes up every time.

Do I need to exclude Safari itself? Does that defeat the purpose of PA, since Safari is one of the main conduits? I know Safari doesn't actually launch the executables.

Posted by: Steve on February 26, 2006 7:52 AM

Steve, just add the file URL scheme to the list of approved URL schemes in the Paranoid Android mini prefpane inside the Application Enhancer prefpane.

Posted by: Rosyna on February 26, 2006 9:21 AM

Ah, got it. Thanks.

Posted by: Steve on February 26, 2006 10:32 AM

I recommend turning off "Watch URI Schemes" in Paranoid Android's configuration (System Prefs -> Application Enhancer -> Paranoid Android). "Watch URI Schemes" deals with an older vulnerability that has been fixed for a long time now.

Posted by: Jason Harris on February 27, 2006 10:11 AM

A quick note: It goes nuts when the user is using Quicksilver (the application).

Posted by: Ilgaz on February 28, 2006 8:36 AM