Slashdot Log In
Mac OS X Struck By Severe Security Hole
Posted by
CmdrTaco
on Tue Feb 21, 2006 11:25 AM
from the bend-over-everyone dept.
from the bend-over-everyone dept.
An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
I guess the H4x0rs (Score:5, Funny)
Re:Seriously (Score:5, Insightful)
I think your analogy doesn't really support your point and in fact supports the GP. Reformed bank robbers are not really security experts who can design new security systems, I think you your opinion is based more on movies than on reality. Similarly, hackers are romanticized, their skills exaggerated, in movies and in ill informed nerd mythology spread by sites like slashdot.
It really is that hackers outnumber developers and that developers have to be perfect all the time and one of the hackers just needs to get lucky once. Hackers are often more like specialized technicians that are skilled in a narrow range, not a skilled engineer that can design a system from scratch. And then there are the kiddies.
Parent
Also works in Mail.app (Score:5, Informative)
You can test this by downloading this harmless exmaple:
http://www.heise.de/security/dienste/browsercheck
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
This IS a bad one (Score:5, Insightful)
(Usual disclaimer: I use a unix>windows mix at work, mac at home, and use primarily firefox on all three).
People need to learn techniques to lock down their boxes - different OS are not all equally vulnerable, but are all vulnerable.
Parent
Re:This IS a bad one (Score:5, Insightful)
Parent
Re:Also works in Mail.app (Score:5, Informative)
I then unzipped the file and had a look at it in the Column view of the Finder, at this stage a normal jpeg would have been previewed, but the Finder had the file listed as "Terminal Application", but I think that most Mac users tend to use List or Icon view though, which would force them to open the file, activating it.
I then emailed myself the file with Mail.app 1.3.11 (In 10.3.9) and after the receiving the email I was warned that "Heise.jpg is an Application and could contain viruses, etc". after I attempted to save the attachment - It also did not preview in the mail message (Obviously)
Seems that this type of vulnerability is most likely to affect mid-level users who are somewhat reckless with their clicking and think they know better than new users who read and "cancel" every message box for fear of breaking their computers or advanced users who realize at a glance that the
Parent
Re:Security fix out allready! (Score:5, Insightful)
Granted, if I try to change firewall settings or affect anything outside of your account's permissions you will be prompted for a password. But I could still delete or corrupt all your files, change your bookmarks, send email to your friends and family with an exploit and try to IM your buddies with it - I just have to choose a well-crafted malware.
I'd say this is a potentially evil hole. I just had my wife and kids change their default settings (I'd always had mine disabled - never thought to change my family's). I think, though that this one will also be quickly and simply patched. And really, the more "benign" wake-up calls Mac users get the better protected they will be and the more difficult it will be for any malware to gain traction.
Parent
Re:Security fix out allready! (Score:5, Insightful)
Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.
I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.
Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.
And as we all know, that can happen on any platform.
In other words, this isn't a flaw that is endemic or inherent to any fundamental functionality; by all rights this whole issue was intended to be "fixed" a year ago, but it appears Apple missed malformed shell scripts marked as executable. Oops. So, that will be fixed, and everything else left is social engineering.
This isn't the first time a "view a webpage and something will download that can run without user interaction" exploit has happened on Mac OS X. But I'm sure the press will make a HUGE deal of this one, even though the previous two "viruses" discovered this week are *pure* social engineering, utterly useless, and the vulnerability that one used had even been patched since June 2005 and only affected Mac OS X 10.4.0.
I fully expect this to be the beginning of attacks on Mac OS X as "just as insecure as Windows" in earnest in the mainstream press, and also for people to completely misunderstand and believe it's related to the x86 transition. Yay.
Parent
Workaround: Camino (Score:5, Informative)
Get Camino here [caminobrowser.org]. Camino is an OS X native browser using the gecko rendering engine. Looks better than Safari, is faster than Safari, and apparently is more secure than Safari. Plus the security is more easily tunable.
Most Mac users have heard of it by now, but I'm just giving them another plug because it kicks ass.
Just disable auto-opening files... (Score:5, Informative)
So just live without automatic file opening for the time being, and you're safe.
Protect yourself in one click (Score:5, Informative)
Re:Protect yourself in one click (Score:5, Interesting)
I did this years ago.
Can someone remind me what is the point of a browser allowing "driveby downloads" and automatically launching the content of the download?
Safari has a nice download manager that lists the most recent downloads, and by simply double clicking on the one you trust and want to view is up to you.
This is at least over a 1 year old issue: http://www.net-security.org/vuln.php?id=3461 [net-security.org]
Is it too much to ask for normal users to double click on a file to launch it? This is what we used to do, and still do with email, ftp, removable media, networked drives, everything. What is the point of a driveby download and launch?
Parent
Seems to work with any browser (Score:5, Informative)
The only difference is that the default behavior in Safari is to automatically open downloaded files of certain trusted types.
Who wouldn't try clicking on a movie icon? I would think that most people would.
Mac users: welcome to 2001 (Score:5, Funny)
This is just like a .jpg.exe (Score:5, Interesting)
So the guys in apple who had the __MACOSX part to zip files didn't communicate that to the Safari folks. Communication gaps happen, but this is gross oversight in a company which claims to sell their software for a premium because it is cool (and well-tested UNIX background).
Shell vulnerabilities seem to be the entry point usually, seeing the firefox shell:// that was recently discovered... Integration comes with its own sweet price.
System should be safe (Score:5, Informative)
Someone correct me if I'm wrong, but this exploit can only affect items that the user has rights to. If a script were written to make changes to the system, OSX should prompt you for your password, right?
Re:System should be safe (Score:5, Insightful)
Like ~/Documents/ where you're encouraged to store pretty much everything you make with your machine.
Or ~/Pictures/ where iPhoto keeps everything it loads up.
Or ~/Music/ where iTunes puts all your music.
Or wherever the hell iMovie keeps what you build with it - probably either ~/Movies/ or ~/Documents/
Or wherever the hell GarageBand keeps its work.
Sure, the machine still boots. But if a script does rm -rf ~*.* you're kinda fucked. Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'?
Parent
Interesting (Score:5, Funny)
Yep, this is a genuinely bad bug (Score:5, Informative)
Explanation: Apple recognizes a particular folder within a zip archive as resource forks. This way you can correctly upload/download old-style apps and/or OSX metadata. The latter feature is where the problem occurs.
If you take a shell script, rename it to a "safe" file extension (such as mov, jpg, etc), then change its metadata (aka the "Open With..." setting) to Terminal.app instead of the expected default application, you now have a shell script that looks like an ordinary media file.
If you then use OSX built-in BOMarchive command, you have a zipped shell script that looks like a "safe" download.
End result: arbitrary shell script execution (under OSX default settings) upon visiting a malicious URL.
Conclusion: remote metadata should not be trusted. This bug would not occur if downloaded files could only belong to their default app.
Why isn't Secunia Being Flamed Here (Score:5, Interesting)
My credit card was "compromised" while using Safar (Score:5, Funny)
Most recently, a $300 charge appeared on my statement after visiting this page. [apple.com]
Re:Safe default settings (Score:5, Interesting)
Parent
Re:Odd... (Score:5, Funny)
Parent
Re:how bad is it really? (Score:5, Informative)
Parent
Re:OS X 10.4.5 (Score:5, Funny)
Parent