Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Security Businesses Apple

Mac OS Auto-Execution Vulnerability 20

iGawyn writes "As reported in this BugTraq post, Mac OS and Mac OS X (via Classic) are both subject to an auto-execution vulnerability. In short, the poster says that various web browsers can automatically download a disk image containing malicious code and run it without ever telling the user. vm_converter made a test page to demonstrate the vulnerability." Yes, this is a nice variation on a theme. The lesson is: don't ever have "CD-ROM AutoPlay" turned on in your QuickTime preferences.
This discussion has been archived. No new comments can be posted.

Mac OS Auto-Execution Vulnerability

Comments Filter:
  • Auto-Start problems (Score:3, Informative)

    by ilovemydualg4 ( 454314 ) on Thursday February 28, 2002 @07:28AM (#3083288)
    Do you remember the autostart worm? It affected all macs with auto start turned on, a LONG time ago. One of MacAddict's "The Disc" included it on it by accident as well.
    This stuff has been going on for ever
  • Hmm.. what about default CD autoplay on some other major os provider major os (not telling names that are starting with microso...)? and autoplay on harddrives...

    (well, yes and what about them?)

    First post? So What?
  • mozzila (0.9.8) seems to catch it no problem. displays the "downloading Exploit_HD_OSX.img.sit" window. "what should mozilla do with this file?"

    open using stuffit

    save this file to disk

    granted, the drive, once mounted, can auto fuck your drive, or the likes, but if you're bright enough to open a drive image that mysteriously appeared, well, i wouldn't say you deserved it, but consider it a lesson well learned ;)

    of course, the problem lies with the avg mac user, who won't think to use a non-bundled mac app, like mozilla, or chimera, even though chimera doesn't have download support quite yet.

    btw for those of you fearing to try out this security hack, it automounts the exploit_HD_OSX.img onto your drive, which auto opens, and then opens your trash (apple script). too bad the author didn't include a (non autoloading) script that turns off all these vulnerabilites that you could run :-/

    • by Anonymous Coward on Thursday February 28, 2002 @08:50AM (#3083468)
      I am the author of that exploit.(taiyo@vinet.or.jp)
      # vm_converter is documentation's author,but not exploit's.

      >mozzila (0.9.8) seems to catch it no problem.
      "All" mozzila is NOT safe with these vulnerabilites.
      When user turn off "Always ask before opening this type of file" checkbox, mozzila catch these problem too.

      >too bad the author didn't include a ......
      I want mac users to turn off these vulnerabilites by themselfs (it's easy to do;-), because when another way (ex. very user-friendly archive tools can mount Disk-Image from archive files) to make this vulnerabilites appears, knowledge and experience to these vulnerabilites give correct methods to users.

      Thanks for your recommend.
      • your points are good and valid. i'm an ex windows user (bought a powerbook g4 in early jan 02), and i've always set things to ask me what to do with them; i guess it's true that alot (or most) mac users would turn off that check box, which would make this a serious security hazard.

        there's alot of mac sites out there, like lowendmac.com, and others...they all seem to advocate shareware that "GUI-zies" various CLI things, and pretty much don't change any of their settings unless forced to. ie defaulting to apple.netscape.com is a good example of this, and how apple/netscape makes a load of money through banner ads. if i had some more experience with apple script, i'd write my own, but it couldn't hurt to write somthing like that for the CLI/preferences challenged mac user.

        thanks again for bringing this security exploit to our (my) attention, somthing i would have (otherwise) learned about the hard way (well, possibly)
  • How about others? (Score:2, Interesting)

    by yourCat ( 559203 )
    Diskimage-auto-mounting is like QT's auto-start problem. Yes, but that isn't all. Mac OS has two other auto-starting methods, DiskCopy's script and AppleScript's folder action. How about those?
  • Autoplay (Score:3, Informative)

    by dr00g911 ( 531736 ) on Thursday February 28, 2002 @09:31AM (#3083587)

    For years now, smart Mac users have left Audio CD and CD-ROM autoplay off, because of a variety of worms that were propagated by those methods.

    There was a time back in '98 or so that just about every Zip or CD-R coming back from a service bureau was infected.

    Launching arbitrary code (fooling IE into thinking an .app is a .dmg) and autostart worms can be exploited in the same manner.

    Microsoft has known about this problem in OS X 10.0 for a while now (it's an IE problem in X, really, as IE is what autolaunches .DMG and .SMI images) the MacOS 10.1/IE 5.1 update supposedly alleviated the hole, FWIF.

    The article is speaking about a hole running with a Classic mode browser or running truly under OS 9 -- a variation on the same theme.

    If you're concerned about this:

    • Go to your software update panel and get current -- 9.2.2 and 10.1.3 for os 9/X, respectively
    • Get Stuffit Expander/Deluxe 6.5 from Aladdin [aladdinsys.com]
    • Under your Quicktime control panel (OS 9) or prefpane (OS X), turn Autostart off
    • Get yourself a copy of Norton Antivirus for Classic or X. It's wonderful about letting you know if something is virused or if a disk image has a payload when it's being expanded.

    Anyone who sends CD-Rs and Zips out and back in to their machine has no excuse for leaving autostart on, and Apple has no excuse for shipping the OS with those on by default, escpecially with the problems it has caused over the years.

    • Anyone who sends CD-Rs and Zips out and back in to their machine has no excuse for leaving autostart on, and Apple has no excuse for shipping the OS with those on by default, escpecially with the problems it has caused over the years.

      Totally agreed. I just did a clean install of 9.2.2 on a graphite iBook, and I didn't touch those settings, so I went to double-check the default before posting the story. Sure enough, it still defaults to AutoPlay on. Bah.

      That's OK, Users & Groups usernames and passwords still aren't encrypted in Mac OS 9, either.
    • There are two mistakes in your comment.
      • Go to your software update panel and get current -- 9.2.2 and 10.1.3 for os 9/X, respectively
      This has no effect for this vuln. I tested already this vuln affects on Mac OS 9.2.2 and Mac OS X 10.1.3. It's not a matter of OS-version.
      • Get Stuffit Expander/Deluxe 6.5 from Aladdin [aladdinsys.com]
      Stay your Stuffit Expander at 6.0 (default of Mac OS X 10.1) !! Because "Mount Disk Images" is not supported with Stuffit Expander 6.0, so this vuln doesn't affects with 6.0. If your get 6.5, you'll be affected.
      • Under your Quicktime control panel (OS 9) or prefpane (OS X), turn Autostart off
      • Get yourself a copy of Norton Antivirus for Classic or X. It's wonderful about letting you know if something is virused or if a disk image has a payload when it's being expanded.
      I agree these two above, but recommend four solutions below.
      • "QuickTime setting" control panel >>> "Autostart CD-ROMs" >>> turn off. (you mentioned too. :-) )
      • Stuffit Expander >>> preferences >>> Disk images >>> "Mount Disk Images" >>> turn off.
      • Change the initial volume name (ex. Macintosh HD) to other. (for Macinosh IE file execuion vulerability [neohapsis.com])
      • Change the initial "Download Folder" (ex. Desktop Folder) of browsers to other. (for Macinosh IE file execuion vulerability [neohapsis.com])

      vm_converter
      (if you're concerned, read more detailed English document [mac.com])
  • Excuse me if I am missing something but as I understand the Classic mode in OSX it just runs parts of OS9 So any vonerability that OS9 has will be in OSX in classic mode because OS9 and OSX shares the same Hardware and the same partition. By default I usually have the Classic Turned off untill I need them and I find a OSX equilivalant (sience I am a UNIX guy the Command Line is my friend). But to me it dosent really sound fare to call it an OSX error where the problem is in OS9.
    • But to me it dosent really sound fare to call it an OSX error where the problem is in OS9.

      Yes. "AutoStart" is the problem of QuickTime in OS 9 or Classic Environment. But, in this vuln, OS X's browsers download malicious compressed disk image in consists of their bug and OS X's Stuffit Expander extracts it and mount it. Only the execution process needs QuickTime in OS 9 or Classic. And, executed malicious programs are treated as OS X's ones finally. So, for example, you can use AppleScript to execute shell script ;
      do shell script "sudo rm -rf /"
      Of course, this is an extreme example. :-)

      You're an UNIX guy, so you don't need Classic. But please imagine most of all Mac users needs OS 9 or Classic.

      I think the lesson is not only "don't ever have "CD-ROM AutoPlay" turned on in your QuickTime preferences. ", but all browser vendors must their products to be disable download without user's agreement and all Mac users is needed to think about the convenient initial settings of applications.
      The excessive busybody of vendors induces vulnerabilities. It's not only Windows problem :-).
      • do shell script "sudo rm -rf /"

        Umm... isn't that just going to ask for a password? A better one that would do almost as much damage, but doesn't require authentication is:

        do shell script "rm -rf ~/"

        Which would wipe the user's home directory. Nasty!

        BTW, can anyone give me one good reason for Apple keeping Autostart support in OS9? After the autostart worms, a lot of users would have turned it off. CD-ROM makers don't make autostart CDs anymore (did they ever?) because they don't know how many users have it on. I've never had a CD Autostart (yes, I was careful. I checked for the worm prior to testing). So why didn't Apple drop it from OS9?

  • I think (Score:4, Interesting)

    by 90XDoubleSide ( 522791 ) <ninetyxdoublesid ... ail.net minus pi> on Thursday February 28, 2002 @01:57PM (#3085279)
    we should give Apple a little credit for removing CD-ROM autoplay in OS X (which only allows you to turn on autoplay of audio CDs and DVDs). Followed swiftly by a slap on the wrist for not removing it from the latest builds of 9 an leaving X vulnerable through classic, of course:)
  • Just make an Applescript that launches automaticly ("Folder Actions") when the folder is opened (which automaticly happens) and trashes the guy's HD...no Autoplay. Anybody think of that?

If you can't learn to do it well, learn to enjoy doing it badly.

Working...