URI Security Exploit: Multi-user issues

Over the past week we've been covering the Mac OS X security issue relating to the help, disk, telnet, and other URIs (Uniform Resource Identifiers). Yesterday we noted the excellent Daring Fireball summary that describes how you can easily protect yourself from these vulnerabilities using a free utility like RCDefaultApp. These procedures also allow you to avoid installing a "haxie" such as Paranoid Android to fix the problem.

However, MacFixIt reader Mike Barron raises the issue of multi-user sites with respect to using a tool such as RCDefaultApp:

"The major problem with using an application or pref pane like RCDefaultApp or More Internet is that these solutions fail to consider the possibility of multiple users. I run a lab of computers with centralized home accounts on a Mac Server. I was a bit disappointed to find that, after applying the RCDefault App solution posted on many sites, the only user that was affected by the changes made in the pref pane was the user who made the changes. Even though RCDefault App was installed 'for all users,' the preference it set was not a global one, but rather, was specific to the user. This simply will not do for my 150 users. So far, the only solution I have seen that works across users is the Paranoid Android solution. While I'm not crazy about installing APE (which Paranoid Android requires) on my fresh clean systems, I'm not seeing any alternative at this point. If someone has a better global solution (i.e. one that works for multiple users) I would love to hear it. Until then, I guess I'm going to be installing Paranoid Android for the time being."

We should note that, as Mike points out, utilities such as RCDefaultApp and More Internet change user-level preferences, not system-level settings.

Resources