I filed this as radar #5574036, but it seems significant to share:
Imagine that you trash an application because of a security flaw. Say, it handles the URL type foofoo, and is proven to be a security risk. But the developer won’t fix it (or hasn’t fixed it yet), so you’ve removed the application from your hard drive to keep yourself safe.
It doesn’t work that way — you’re not safe. Time machine has made a copy in your time machine backup that Mac OS X will cheerfully launch without a warning.
Steps to reproduce:
- Have existing, up-to-date Time Machine backups.
- Delete a protocol handler.
- Visit a web site that uses that protocol.
Expected results:
- Mac OS X will respect that the application has been removed.
Actual results:
- Mac OS X will hand it off to the application on the Time Machine backup volume.
Update: This seems to also be true of standard Finder document bindings. I tried double clicking a TextWrangler document after deleting TextWrangler and it cheerfully launched out of the Time Machine backup. Not that I think there’s anything wrong with TextWrangler; it was just a program I knew I could delete safely (and restore after).
Update #2: It was pointed out to me on the Macworld Forums by Rob Griffiths that there is a way to permanently delete a file from all backups. You need to use the context menu within time machine to delete all backups of a file. This means there’s a workaround, but it’s still a problem that Mac OS X launches applications from the backup folder without even a warning.
Update #3: Apparently, some don’t understand why this is a bug. Let me give you a simple example: You find out Adium (for example) has an available exploit that the developers haven’t patched yet. You remove Adium, but it continues to exist in your backup. You visit a web page that activates the Adium bug, and Adium is launched from your backup. That you can launch Adium from your backup is not a bug. That Mac OS X will do so automatically without confirmation is a bug. The backup should be considered a vault for the user, not Launch Services.
November 1st, 2007 at 2:55 pm
This is both cool and not. It’s a great idea- but certainly, should be disabled by default. Even when enabled via the preference panes, a warning should be raised.
I know Apple wanted Time Machine to be simple- minimum preferences and all that, but this is a pretty big exposure. It’s also a great way for malware to sit on your system- sit, make itself the default app for as many file types as possible (but nothing too obvious) and you can’t ever delete it- without special intervention, anyway.
November 1st, 2007 at 3:05 pm
This flaw also has impacts on general usability: I do not want Spotlight to find obsolete documents I deleted for a reason. If I really need an old file, I want to choose specifically to search in my backups, e.g. by activating Time Machine and then triggering Spotlight. Apple’s approach seems to be contra intuitive to me. Don’t get me wrong: I like the ease of use of Time Machine a lot but it should keep the backups away from you unless you need them.
November 1st, 2007 at 4:38 pm
[...] Daring Fireball leo una entrada del blog Pyile en la que afirma que leopard puede jecutar programas borrados del sistema desde su copia de [...]
November 1st, 2007 at 4:47 pm
Could also be messy if you have multiple versions of the app on your TM volume. Which one will it run?
November 1st, 2007 at 5:10 pm
I think it will favor the startup disk and the latest version, but I’m not sure what it will do if the startup disk doesn’t contain the latest version. That’d be an interesting test.
November 1st, 2007 at 5:15 pm
I have been noticing this with Spotlight. When I search I see several copies of each document: the current one on my main drive, plus all the copies on the Time Machine drive. I’d love to have Spotlight ignore everything in the Time Machine folder unless I was actually in Time Machine.
November 1st, 2007 at 5:56 pm
Check out your Services menu: services from deleted applications will appear. Check out your “Open With…” menus: deleted applications appear there too. Really annoying.
November 1st, 2007 at 6:59 pm
If you don’t want the Time Machine to show results in spotlight just add the Time Machine disk to the privacy list.
November 1st, 2007 at 8:54 pm
Did you submit feedback to Apple about this yet? I don’t have Leopard yet, so I wouldn’t be one to test this yet, or submit a report.
November 1st, 2007 at 9:20 pm
Morgenthau, I think that’s always been the case.
November 1st, 2007 at 10:01 pm
Yes, I’ve filed it with Apple’s bug reporter. No response yet, but it’s in their system…
November 1st, 2007 at 11:10 pm
[...] Steven Fisher, en su blog Pyile, nos presenta una interesante observación sobre uno de los programas más alabados en el lanzamiento del Leopard: Time Machine. Según confirma Fisher, Time Machine te deja ejecutar cualquier programa desde Time Machine, incluso si lo tirastes a la basura por tener problemas de seguridad, por ejemplo. Incluso si un documento se encuentra asociado a una aplicación que has eliminado hace unos meses, Time Machine, sin preguntarte nada, lo ejecuta desde su espacio. [...]
November 1st, 2007 at 11:15 pm
@ Drew Thaler - Could also be messy if you have multiple versions of the app on your TM volume. Which one will it run?
–
As odd as it may sound, there’ll actually only be one version of the App no matter how many times it appears to have been backed up. Unless the internals of the App itself have been changed between TM backups, then things get REALLY freaky!. It’s all to do with Hard Links to files.
Have a read of this article if you want to know more:
http://www.appleinsider.com/articles/07/10/12/road_to_mac_os_x_leopard_time_machine.html&page=1
November 1st, 2007 at 11:52 pm
[...] Pyile Tags: backups, bug, macosx, Softwares, time-machine No Comments, Comment or [...]
November 2nd, 2007 at 1:21 am
In Script Editor’s “Open Dictionary” dialog, each Time Machine-backup-copy of an app is listed. Filed that as a bug.
November 2nd, 2007 at 2:35 am
It’s not a bug. Suppose you update an application, and the update doesn’t work properly– say, in the worst case, that it corrupts your data. Then Time Machine’s behavior is absolutely correct– it goes back to the old version (including old preferences) -and- the old data that was corrupted by the updated application. And this has to be the default because it’s exactly the type of catastrophe that backups are supposed to protect you from.
November 2nd, 2007 at 2:40 am
Yes, this is a surprise, but there is a solution: make sure the Applications (and for that matter, the Library and System) folders are marked for exclusion from your Time Machine backup. Then, all it’ll back up is YOUR stuff, not the system’s.
November 2nd, 2007 at 5:17 am
One obvious solution: exclude the Applications folder from Time Machine backups altogether. I don’t see any reason why it should be backed up at all; the executables can always be reacquired, it’s the data and the preferences that matter.
November 2nd, 2007 at 7:36 am
Sorry Matt, but it’s a bug. It’s not a bug because you can run the deleted application. That’s fine. It’s a bug because the deleted application can be launched automatically, without warning, by something as simple as visiting a web page.
As for those suggesting not backing up the Applications folder: Sure, that’ll solve the problem. But part of backing up is the ability to use things from the backup. Maybe an application has a security problem, so you delete it. But a month later you realize you have some data in it that you need to get out. That’s what the backup is for.
November 2nd, 2007 at 10:16 am
That’s not a bug. That’s a BACKUP SYSTEM.
Sheesh.
November 2nd, 2007 at 10:24 am
I’ve clarified this in the main article for people unwilling or unable to read the comments. I hope that helps.
November 2nd, 2007 at 12:39 pm
Hmm, yeah, that’s pretty bad.
What *would* be cool is if OS X was smart enough to pop up a dialog like “Hi, it looks like you’re trying to run an application that was deleted recently, would you like to restore it?”
November 2nd, 2007 at 4:09 pm
Danno, that’s a good idea, but I think it might still be too easy to launch an old program. Plus it takes out some of the continuity of the Time Machine experience.
A better idea would probably be for the OS to offer to open Time Machine and select the application. The user would have to click Restore inside it.
But the reason this bug probably exists is that Launch Services doesn’t understand Time Machine backups. Apple will probably fix it by making the backups a blind spot of Launch Services. A more elaborate fix will probably have to wait for 10.6 or even later than that.
November 2nd, 2007 at 7:28 pm
“Unless the internals of the App itself have been changed between TM backups, then things get REALLY freaky!.”
And some badly behaved apps do change their “internals” (the contents of the package) when you, e.g., install plugins. So you could wind up with multiple copies of apps quite easily. Also, older versions will persist.
“One obvious solution: exclude the Applications folder from Time Machine backups altogether.”
Personally, I’d do that, but one of the premises of Time Machine is that you get a bootable backup, system, apps and all.
November 3rd, 2007 at 1:14 am
Robert - of course it’s a bug:
Consider if you want to recover your user data from Time Machine - you don’t use the data DIRECTLY FROM your Time Machine disk - you have to RESTORE it first. Imagine the mess you’d get in if (through the *normal* Time Machine interface) you could open and save files directly on your TM disk?
The same philosophy should apply to applications - Leopard should not be able to run them directly from the TM disk - only restore them to /Applications (or wherever they were).
As Steven Fisher said “The backup should be considered a vault for the user, not Launch Services”
November 3rd, 2007 at 12:10 pm
I’m glad it’s not just me with this problem. You may not have noticed it yet but it also affects the open with menu, giving you a choice to open in all deleted (upgraded too) versions of associated apps - in finder there’s enough detail to see which might be the latest version - in mail.app, it just shows the name (e.g i have a choice of four Firefox revisions, but no way of being sure which one is the latest) this *will* become a major problem…
Back ups should not be used to launch files - imagine I delete an application that crashed my machine every time it launched a file, yet the back up copy still gets used to launch it…
no, no, no… very bad idea…
;(
November 3rd, 2007 at 1:52 pm
[...] And finally a problem with Time Machine. Apparently you can launch an application you’ve deleted from Time Machine. More about that here [...]
November 3rd, 2007 at 8:05 pm
Lacking a spare disk of sufficient capacity, I haven’t seen Time Machine in action yet. But I believe I read that one Time Machine drive can be used to back up multiple Macs. If that’s true, and if Launch Services will happily launch any app it finds on the TM drive, then you are also subject to the whims of other Mac users sharing the TM drive. If you exclude Applications, and another user doesn’t, you’d still be subject to the unexpected launches.
Seems to me that Leopard should never launch an app from a TM volume. You should restore it first, then you can launch it. Just like you restore docs first, then you can edit them. Principle of least surprise.
November 4th, 2007 at 7:01 am
I think Time Machine is a good idea for a lot of people but those for whom it is a great idea will be least likely to buy that external hard drive. This bug makes no difference to me. I doubt I’ll use Time Machine at all. I move gigs of data on and off my machine and have over a TB of data. Time Machine just won’t work for me. Those that don’t think the OP has described a bug are whacked. Anything that treats a deleted app as if it’s not deleted is buggy for the reasons already explained. It would seem to be an easy bug to fix so I’d give Apple direct feedback on it.
November 4th, 2007 at 7:10 pm
Hi -
I wonder if this is a similar bug:
I’ve noticed that even if you delete accounts from within the Mail preferences, that Mail continues to query the mailservers for those apps.
I noticed this because I have little snitch running, and when I launch Mail it’s contacting the mailservers of 4 accounts that I deleted after I had made a Time Machine back-up.
I honestly have no idea if it’s related, but it sounds like some resources in the Time Machine backup folder are available for applications such as web browsers and Mail app.
-Michael
November 4th, 2007 at 9:37 pm
[...] of every single one of your files on hand at the time of its installation. Unfortunately, as Steven Fisher recently discovered, this comes with an ugly side effect: Even executable code can get run from Time Machine. Cool as [...]
November 4th, 2007 at 10:07 pm
[...] of every single one of your files on hand at the time of its installation. Unfortunately, as Steven Fisher recently discovered, this comes with an ugly side effect: Even executable code can get run from Time Machine. Cool as [...]
November 4th, 2007 at 10:27 pm
@Michael, comment #30: That doesn’t sound related, but it is extraordinarily weird. I’d strongly encourage you to report that to Apple.
November 4th, 2007 at 10:48 pm
[...] of every single one of your files on hand at the time of its installation. Unfortunately, as Steven Fisher recently discovered, this comes with an ugly side effect: Even executable code can get run from Time Machine. Cool as [...]
November 5th, 2007 at 7:02 am
I’ve also just noticed that the Open with… menu seems to try and run all apps present on it from the TM backup disk. As Scott above suggested, this must be a bug in LaunchServices.
November 8th, 2007 at 9:10 am
Some people want to launch applications off of a backup. That’s been a reasonable possibility since there have been firewire external drives.
If you have an application with a serious security risk attached to running it, why not make it a housekeeping habit to delete it from your Time Machine backup at the same time you delete it from your hard drive? That can’t happen that often, so it shouldn’t ruin your entire day to take care of it.
I agree about not launching, but if an app has a serious problem, malicious or not … why even consider keeping its backup, especially when it is so easy to delete? Of course getting vapors is more fun …
November 8th, 2007 at 9:49 am
Tadd: The purpose of a backup is to keep things available in case they’re needed later.
Why would I keep a backup? Imagine I discover later some data that I need that application to access.
Of course, it’s easier to accuse other people of “getting vapors” than to think things through.
November 10th, 2007 at 12:47 pm
What context menu? There are no context menus in time machine. Where the hell is Remove All Backups?
November 10th, 2007 at 8:21 pm
Gear menu.
November 12th, 2007 at 2:30 am
[...] come un tale Steven Fisher segnala nel suo blog, tutti questi simili vantaggi possono rivelarsi rischiosi quando Time Machine recupera anche [...]
November 14th, 2007 at 8:20 am
i just tried manually deleting a app from my Time Machine HD in teh applications folder.
it wont let you .
Now that i deleted an app i dont want, it still launches it from TM and thats wrong.
November 14th, 2007 at 8:34 am
I launch Time Machine and i dont see the app i want to delete.
But if i manually open up the TM backup folder, i see the app i want removed but cant delete it.
November 14th, 2007 at 10:59 am
You can delete it from inside Time Machine. Select the file and click the gear menu; in there, you’ll find the delete options.
(I don’t know why this menu doesn’t appear when you right click.)
November 16th, 2007 at 1:49 pm
Thanks! that helped. A little bit annoying tho, to go and delete all backups, every time there is VLC or Quicktime update…
Downloaded today Apples system update to 10.5.1 - this issue still not touched.
November 16th, 2007 at 3:27 pm
You’re probably okay with not deleting IF you’re updating to a newer version and don’t plan on removing the newer version. All things being equal, Launch Services will prefer a newer version of an application if one is available.
November 26th, 2007 at 3:04 am
yeah, but still - if i do not delete all backups of updatet app, they still show up in ” open with..” menu. In case when say, i have a new app, which do not know yet - what app to use to open file, I have to use “open with..” and face 5 identical versions of QuickTime player
November 26th, 2007 at 3:07 pm
[...] is neat but also kind of stupid” bug I’ve come across. The other one is the “Time Machine resurrects apps you deleted” [...]
December 2nd, 2007 at 1:50 pm
I find this particularly annoying because since installing Leopard, I have run two versions of TextMate at different times. I couldnt figure out why I then had two instances of textmate in my dock one day. Turns out an old ruby document I had opened launched the old version of TextMate sitting on my backup drive from a backup that ran a few weeks earlier. Pain in my ass.
December 13th, 2007 at 7:51 pm
Is there a similar thing going on with fonts?
I’ve got dozens of fonts turned off in Font Book, but my applications are seeing everthing that’s installed, even the ones that are turned off.
February 11th, 2008 at 2:02 pm
Heh! Finally - one of the ’security’ fixes in 10.5.2 is for Launch Services:
“Description: Launch Services is an API to open applications or their document files or URLs in a way similar to the Finder or the Dock. Users expect that uninstalling an application from their system will prevent it from being launched. However, when an application has been uninstalled from the system, Launch Services may allow it to be launched if it is present in a Time Machine backup. This update addresses the issue by not allowing applications to be launched directly from a Time Machine backup. This issue does not affect systems prior to Mac OS X v10.5. Credit to Steven Fisher of Discovery Software Ltd. and Ian Coutier for reporting this issue.”
Sounds like they listened to you!
February 11th, 2008 at 2:34 pm
Sweeeeeeet! My first CVE.
February 11th, 2008 at 2:53 pm
[...] claims to have fixed the issue where applications could run automatically out of a Time Machine backup. Look for CVE-2008-0038 in Apple’s About the security content of Mac OS X 10.5.2 and Security [...]
May 14th, 2008 at 2:21 pm
[...] world. But it still has it’s problems. BTW, make sure Leopard is upgraded to 10.5.2, some major security flaws were [...]