Huge security hole in Internet Explorer for MacOS
Brad Lucier writes "Macintouch is reporting (go down the page a bit) that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1, has a huge security hole---when it downloads arbitrary programs encoded in the Macintosh's standard BinHex (.hqx) format, it automatically executes them." Well I guess that's one way to make Unix insecure. Can anyone actually confirm this, since it looks kinda sketchy? I wonder what someone's rationale would be for that: "Oh this won't hurt anyone, and saving that extra 'OK' click will be great!".
You can turn off the automatic decoding of BinHex files in the preferences panel under "downloading options". This allows people to have some control.
"Date: Sat, 29 Sep 2001 17:02:59 -0400
From: [MacInTouch reader]
Subject: Security Alert for Explorer 5.1 (MacOS X 10.1)
I am shocked to report a huge security hole in the latest Internet Explorer version 5.1 that comes preinstalled on MacOS X 10.1.
Every .hqx encoded classic application is decoded by explorer itself (that's the default, stuffit expander isn't used) and then AUTOMATICALLY STARTED!
This is totally unacceptable. You can test this simply by pointing your browser to
http://www.pardeike.net/danger.hqx
where I put a very small C program that just displays a message (trust me, it *only* does that message, nothing more)"
Can't you see that everyone is buying station wagons?
I do occasionally use IE, when hitting one of those pages designed by MS only shops, but most of my browsing time is in OmniWeb (www.omnigroup.com). Problem solved.
As an added benefit, OmniWeb has options to disable banner ads (sorry VA), kill javascript popup windows, and it's just a generally nicer browser with more intelligent design decisions. And it keeps web pages from looking like NASCAR with all the bloody ads and popups. Did I mention how it kills ads and popups? Although I will admit IE is wicked fast under 10.1, OmniWeb is plenty fast enough.
ehintz
No, it's not. IE for the Mac is developed and published by Microsoft. Apple just pre-loads it and ships it with its OS. You can download IE from Microsoft's website, not from Apple's.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
That's total horseshit. Internet Explorer for Mac OS is developed and published by Microsoft, NOT Apple. And by the way, for those of you who after nearly two decades can't get it through your heads, "Mac" is not an acronym, it's an abbreviation (actually more like a nickname). Therefore, capitalization is completely unnecessary and really just goes to show how uninformed and idiotic you really are in these matters.
After decoding, it tries to run the application contained within. THAT is the security concern. There is an important difference.
It's been standard in Mac OS for Stuffit Expander to automatically extract archives once downloaded. Isn't this issue related more to Stuffit Expander than IE?
We all know how hard it is to click on a link and read the article, so I did it for you.
From the MacInTouch web site: "Every .hqx encoded classic application is decoded by Explorer itself (that's the default, Stuffit Expander isn't used) and then AUTOMATICALLY STARTED!"
I suggest that in the future you read the article in question before posting.
Steve M
I tried it with my 10.1 system. The .hqx file is decoded into an application, but doesn't get executed unless you double click on it. Seems OK to me.
Internet Explorer on the MAC has nothing to do with Microsoft. It's developed, published, and installed by Apple.
Not. It's developed and published by the Microsoft Macintosh Business unit, which is a somewhat independent MS arm out in the SF Bay Area. Apple's only involvement is bundling IE with the OS. About the only way your statement is accurate is if you're trying to stipulate that IE for Mac has little to do with IE for windows, which is correct. In fact, it's not uncommon for IE/Windoze to inherit good ideas from IE/Mac.
And not to be picky, but it's Mac. Short for Macintosh. Not MAC, short for Media Access Control address, as in your NIC card.
ehintz
IE Exploits:
q279328 - allows execution of code through print templates or web forms
q286045 - allows someone to execute files and read files on your machine (using a combination of both exploits that patch fixed)
q286043 - allows someone to begin a telnet session and send data to your machine (as well as execute it) if you've installed Services for Unix
q273868 - sends your authentication information on every query as long as they're on the same hostname
Four major exploits in the last twelve months. Certainly, those aren't all of the exploits, erm, extra features that IE has had bundled with it lately, but they are a few that have readily accessible information from Microsoft.
One could imagine eternally why Microsoft designs such insecure products, but look at it this way:
Have you ever coded a product that was efficient and secure after being pushed for three days to meet a deadline? Don't you become somewhat exhausted and lazy, primarily because you want to sleep, no matter how much money you're going to be paid? There comes a point where caffeine just won't help you operate anymore and your health becomes more of a priority than a "higher-up"'s regime.
Microsoft developers (in the words of Ballmer) are only human as well -- and I'm sure they work just as hard as we do.
Do you like German cars?
For what it's worth (not much), the behavior of IE under Mac OS 9 (if I remember right) is to download the file, then throw an apple event to the decoder (usually Stuffit Expander). Something like "hey Stuffit, open the file HD:Desktop Folder:foo.hqx". That's as opposed to sending the Finder a command to open foo.hqx and letting file type/creator code determine which app to use. I don't know how it works under OS X.
However, I installed OS X and the 10.1 upgrade the other day, and I don't have the problem described.
---------
get your war on
Launch IE 5.1, go to the Explorer menu, then to Preferences.
Go to the "Receiving Files" options and DISABLE "Automatically decode MacBinary files" and "Automatically decode BinHex files".
Easy as that.
Using a regular user account is all well and good, but the vast majority of OS X users will be using an admin account, since the OS setup process creates an admin account for the main user. Most people won't think to create another account.
BTW, I tested this hole, and it is as bad as it sounds. Macslash.com has a nice little demo that you can try yourself if you're running 10.1.
--
I am the hub of jack's digital universe.
I am the hub of Jack's digital lifestyle.
I believe that Stuffit expander doesn't "execute" the hqx files it downloads, as much as it "processes" them.
Example: When you download a copy of a program through IE and Stuffit Expander automatically runs after the download completes, the program you downloaded doesn't automatically run after Stuffit quits. You have to double click or open the uncompressed program for it to execute. Therein lies the problem with this version of IE--it executes programs after they are downloaded. See the difference?
That actually makes sense.
Solution: Check to see what the .hqx decoded to. If its filetype is APPL, do not launch it.
Time for a patch... :)
my old sig used to be funny, but then slashcode ate it and now it's not funny anymore
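One way to implement the APPL check this post proposes, as an added example that is not code from the thread, from IE or from Microsoft: a small BinHex 4.0 header parser (6-bit decode plus run-length expansion; the CRC fields are not verified here) and a policy function that refuses to auto-open anything whose Mac file type is APPL. The `make_binhex` helper only builds a constructed sample input, and names such as `safe_to_auto_open` are my own.

```python
import struct

# Added example, not IE's or Microsoft's code: parse a BinHex 4.0 header and
# apply the fix proposed in the thread, i.e. never auto-open a decoded 'APPL' file.
ALPHABET = b"!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"

def rle_decode(data):  # "X 0x90 N" means N copies of X; "0x90 0x00" is a literal 0x90
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x90 and i + 1 < len(data):
            out += b"\x90" if data[i + 1] == 0 else out[-1:] * (data[i + 1] - 1)
            i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def parse_header(text):
    """Return the Mac file name, type and creator stored in a BinHex 4.0 text."""
    body = text.split(":", 1)[1].rsplit(":", 1)[0]  # the 6-bit data between the colons
    bits, nbits, raw = 0, 0, bytearray()
    for ch in body.encode():
        if ch in b"\r\n":  # BinHex wraps lines; the line breaks carry no data
            continue
        bits, nbits = ((bits << 6) | ALPHABET.index(ch)) & 0xFFFF, nbits + 6
        if nbits >= 8:
            nbits -= 8
            raw.append((bits >> nbits) & 0xFF)
    raw = rle_decode(bytes(raw))
    end = 2 + raw[0] + 18  # length byte, name, NUL, then type/creator/flags/fork lengths
    ftype, creator, _flags, dlen, rlen = struct.unpack(">4s4sHII", raw[end - 18:end])
    return {"name": raw[1:1 + raw[0]].decode("mac_roman"), "type": ftype.decode(),
            "creator": creator.decode(), "data_len": dlen, "rsrc_len": rlen}

def safe_to_auto_open(text):
    """The thread's rule: a decoded application (type APPL) is saved but never launched."""
    return parse_header(text)["type"] != "APPL"

def make_binhex(name, ftype, creator, data=b""):
    """Constructed sample input: a minimal BinHex 4.0 text (CRC fields left zero)."""
    hdr = bytes([len(name)]) + name + b"\0" + ftype + creator + struct.pack(">HII", 0, len(data), 0)
    raw = hdr + b"\0\0" + data + b"\0\0\0\0"  # header CRC, data fork, data CRC, empty rsrc fork CRC
    bits, nbits, out = 0, 0, bytearray()
    for b in raw.replace(b"\x90", b"\x90\x00"):  # escape literal run markers
        bits, nbits = ((bits << 8) | b) & 0xFFFF, nbits + 8
        while nbits >= 6:
            nbits -= 6
            out.append(ALPHABET[(bits >> nbits) & 0x3F])
    if nbits:
        out.append(ALPHABET[(bits << (6 - nbits)) & 0x3F])
    return "(This file must be converted with BinHex 4.0)\r:" + out.decode() + ":"
```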
It is not Stuffit. It's Internet Explorer de-binhexing and executing the coded app all on its own. Since you mention Stuffit, I'm not sure you understand what is going on as Stuffit does not have this behavior (nor is it involved).
It's not a feature of OS X (or the OS's fault in any way). I never noticed the beta-IE (used in OS 10.0[0-4]) doing this, and I used it throughout. I rarely booted into OS 9 when OS X came out, and I used the beta fairly extensively as well.
IE is auto-decoding a binhex, then if it's an application, automatically executing it. No other version of IE does this. No other mac internet app does either. Others will auto-decode files for you, but leave it to you to launch them.
Sure, you can turn off the binhex pref, but without the added "feature" it is not a security risk to simply de-binhex a file (probably less dangerous than uu-decoding). Even a savvy user who perused every setting wouldn't know to uncheck "automatically decode binhex" to turn off a feature that's so stupid one wonders why someone would bother coding it (automatically running dl'd apps).
Now Stuffit has its own security risk. By default, it will auto-mount any disk image it decodes. A disk image can be set to automatically launch an app when loaded. Hence, Stuffit can be made to do what IE is doing in a roundabout way. Personally, I think this "feature" should be turned off for disk images as well.
I use the slowest G4, and I've not noticed Stuffit being a hog, though it is annoying. It ripped through the 189 MB dev tool installer in a few seconds.
IE has other problems as well. It will reset my Internet prefs (usually just the dl folder, but sometimes it will set itself as the default web app). Just use Omniweb, and you get a nice spell checker to spell check your posts (I know I need it).
Classic is not run as root, it's run as the user who is logged in. Classic can freely write to "System Folder", where the classic system lives, but it cannot write to anywhere inside /System, where all the important things live. Classic user would not be able to add itself to the X startup...
But, you could easily add to the Classic system startup, and cause lots of havoc there
Apple does work on non-MS office suites! AppleWorks! It's non-MS and it's actually a very good product...one of the first OSX native applications. I ran it all the way back on the public beta...Also, Apple worked on Mail, which competes with OE.
launched automatically for me, but only when Classic was running ... sounds like Classic MacOS is the weak link
True, but since win2k doesn't have the equivalent of sudo or su, it can be a serious pain in the ass, especially for some luser who can't figure out why they can't do something unless they log out and log back in as admin, not a quick operation.
I would say that windows security (I know, an oxymoron) has improved since the bad old days of DOS, but it leaves much to be desired.
Elen sila lumenn' omentielvo...a star shines on the hour of our meeting
This is why anybody using Mac OS X should comment out the line:
%admin ALL=(ALL) ALL
in their /etc/sudoers file. The vast majority of Mac users won't miss sudo, and those who do need root privileges can enable the root account through NetInfo, add their account to the "wheel" group, and use su instead of sudo.
...or you should live with it, but ensure that your main account is a non-administrator account.
- j
www.mozilla.org is the way to go. 0.9.4 absolutely screams compared to some of the older builds, and the mail client works too :)
[localhost:Classic Startup.app/Contents/Resources] login% pwd
/System/Library/CoreServices/Classic Startup.app/Contents/Resources
[localhost:Classic Startup.app/Contents/Resources] login% ls -la TruBlueEnvironment
-rwsr-xr-x 1 root wheel 476740 Sep 26 20:04 TruBlueEnvironment
Sure looks like it's setuid root to me.
Burn Hollywood Burn
On MacOS 10.1 build 5G27 with the new IE 5.1.2 (3707) this is not reproducible.
DW.
hate how stuffit mangles your downloads? try openup for everything except your .sit downloads.
you have to change the application to launch your .tgz etc. files (via the information panel--apple+I), but once you do that, you're set.
Finally, Mac OS X takes a different tack. From what I understand, all created accounts are user level accounts in the Unix sense. To access the admin-level account, you have to explicitly enable root.
Yes, root must explicitly be enabled. There's an added layer of security in that when various admin type tasks need to be performed -- typically installations -- a dialog pops up asking for an admin level password. Other settings can be locked with admin level access. Some installations require the user to logout and login again as root though one may argue it's better to simply require root password a la sudo.
For what it's worth, I avoid using Microsoft products on my Mac whenever possible -- even on my Win2000 at work. While the rest of the office -- including our file server! -- got infected by the Nimda virus I didn't notice a thing since I get my email on my Mac. ;-)
"Where's my other sock?" - A. Einstein
What IE 5.1 for the Mac should be doing is decoding the Binhexed file and then handing the decoded file back to its (IE's) MIME and Mac creator handler again, as though it were the original downloaded file, and apply the appropriate rules, whether to save, launch, or whatever.
In other words, if the normal behavior when encountering an image/tiff file is to open it in Photoshop, then that is what should happen to a binhexed TIFF. If it's an .sit from Stuffit, Stuffit Expander might be launched. If it's an Excel spreadsheet and the preferences are set to open those, then open it, it should.
The problem here is that it sounds like IE is handing the decoded file to OS X's "file open" handler (the call made when double-clicking an icon in the Finder) instead of to IE's "file download" handler, which checks MIME-handling rules and security zones set in IE and systemwide preferences.
Not unlike an incident I remember back in 1995 during the Windows 95 betas, when the original webless MSN was opened to content developers. It used a Windows Explorer metaphor, with online content organized as folders and icons. Content providers were encouraged to post RTF documents as content, but any file was fair game. Thing was, when users double-clicked on files to open them, they were treated like local files. Some of the earliest Word macro viruses got spread this way. I remember being shown this at a beta developers' convention before the first macro viruses even hit and asking if it could pass opened files through the user's virus scanner before opening them. "No, we hadn't thought of that," said an engineer. Horrified looks and some intensive scribbling on notepads followed, though nothing was done in time for launch beyond a useless request to content providers that they try to scan things for viruses before posting them.
I used to work in the MacBU at Microsoft and my officemate was on the Mac IE team.
One day we were experimenting with the download behavior of IE, and I noticed the problem. We discussed it and later brought it up to the higher-ups on the team during lunch (The food in the Silicon Valley Campus Café is much better than Redmond's by the way):
"If a malicious web site designer were to use some method of redirection to get the browser to download a .hqx binary, the user might not even know that IE was downloading unless they watched the download manager very closely," I said. I believe some other members of the team had already noticed the problem as well.
We all agreed this was a serious security hole and it is being fixed in the next release.
In the meantime, you can turn off the "Automatically decode BinHex files" under Download Options in the Explorer Preferences. We tested Mac IE's behavior with MacBinary files and there is no security hole there.
How did this bug slip by the team? Well, I am not on the IE team, so I couldn't say for certain. I believe the problem is that after IE uses its own .hqx decoding functionality, it should try to process the resulting file. This is good as it allows one to download and unstuff a .sit.hqx archive automatically.
Somehow this behavior was fubared, however: Instead of passing the file back through IE's file helper layer, it was apparently opened directly. This has acceptable behavior if the file downloaded was happyapp.sit.hqx, but not-so-acceptable behavior if the file downloaded is evilevilapp.hqx.
Anyway, someone clearly messed up. We're very sorry. Or rather, they are since I probably won't get rehired after this message.
--
Lagos
Gentle Bunny