Huge security hole in Internet Explorer for MacOS
Brad Lucier writes "Macintouch is reporting (go down the page a bit) that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1, has a huge security hole---when it downloads arbitrary programs encoded in the Macintosh's standard BinHex (.hqx) format, it automatically executes them." Well, I guess that's one way to make Unix insecure. Can anyone actually confirm this, since it looks kinda sketchy? I wonder what someone's rationale would be for that: "Oh, this won't hurt anyone, and saving that extra 'OK' click will be great!"
The fact that OS X is based on FreeBSD may very well keep this hole from becoming as damaging as it is on Windows. Unless you're logged in as root or an Admin user -- always a good idea to be a 'normal' user whenever possible -- I don't know how damaging a malicious program can be. It'd have to get around some pretty strong security.
To what extent do others out there think this fact might "save" IE from being the terrible security disaster under OS X that it is on Windows?
I've got it on my 10.1 system, but I never use it; Mozilla 0.9.4 is far nicer (to me, anyway.)
i am a soviet space shuttle
...this always struck me as a little odd.
I've recently started using Mac OSX for dev work, and so I've only just really got accustomed to the OS.
This isn't an OS10.1-specific thing. Straight OS10 does exactly the same thing.
It is dumb, but you can turn it off in the preferences panel. My guess would be that most users would turn it off when they go into the Prefs to change the default download location (as MacIE5 doesn't ask you for a download folder) to something more sensible.
Ppfffff.
Personally, I don't think this is an *enormous* worry for the average user. Imagine if PC IE6 did this. All hell would break loose. But there's just not that many nasties lurking for the Mac OSX user, really. And besides, the more savvy users will shut this feature off.
It is mighty dumb though. And not even that user-friendly. When StuffIt starts up to expand your files, it steals focus from what you're doing and makes your system chug like hell on OS10.1.
It is unfair to gloat by saying that every time anything comes up on your screen you should have to say OK. It is a judgement call (imagine if you had to OK each image or flash component separately...). One of the most important parts of designing a product (whether sw, hw, or a chair) is what features it has and what the default is (e.g., the default for a recliner is the upright position and you have to actively do something to make it recline; imagine if it started out reclining, it would be kind of awkward to get into it).
Having said that, the use of the OK button should be related to the amount of damage a malicious item can cause. In the case of binhex it seems like a no-brainer to ask first...
Setting StuffIt Expander to be the helper app for .sit, .bin, and .hqx file types should circumvent this problem, right?
Guvegrra?
Well, unless this is some unix I've not seen...
Normal users have the ability to open TCP sockets, fork processes etc.
All the code has to do is download itself, background itself as a non-stoppable process and then use the network to scan like crazy for whatever vulnerability you like!
Even if you're not scanning for vulnerabilities, your code could be repeatedly mailing bugs@microsoft.com or whatever. A denial-of-service attack with a user-level account is also possible...
And it's Mac not MAC. MAC is a networking term.
Yeah, just like "most users" turn off Java and JavaScript in their browsers? Or turn off macros in their Word and avoid macro viruses?
Not true. "Most users" are dumb. They have no clue what is the difference between "document" and "program". They can't or don't want to change settings. They just click the icon when asked and execute the virus or trojan.
Well, there will always be dumb users. They are not a problem, braindead defaults are. Without all these be-user-friendly-execute-it-all defaults, we would have fewer viruses and worms going around. Software developers should take their responsibility seriously.
If I click on a link for a .sit.hqx file and IE decodes the HQX, I'd like it to pass the file off to Expander for further decoding.
If I click on a link for a .doc.hqx file or a .pdf.hqx file, I'd like IE to get Word or Acrobat to open the file after it removes the encoding.
Apparently this same mechanism accidentally results in executables being run as an attempt to pass them along for further processing to the OS. It's obviously a security hole in retrospect, but understandable how it occurred.
If the user has Classic running, which is VERY often the case, there is a problem. Classic is setuid root. All one would have to do is encode a malicious classic program as a .hqx, have it add itself to the startup procedure for OS X, and *poofie* instant backdoor.
Burn Hollywood Burn
That's actually the root cause of this discussion -- Microsoft attempted to resolve the "SIT paradox" by including automatic decoding and unstuffing in the browser. They also kindly added auto-execution.
Believe me, it used to be a lot worse because you needed separate tools for de-BinHexing and de-MacBinarying files.
As far as protection by using the Admin account, this is a basic tenet of security: assign only the necessary privileges for software to function. Ever wonder why DOS/Win95/Win98/Me are so susceptible to havoc caused by viruses (beyond popularity and braindead M$ application features)? It's because you're always running as a de-facto superuser account.
The only reason you claim the Admin account provides "minimal" protection is because you believe the time and effort to restore a system is trivial. Even if that were the case, always running as the Admin account makes it a lot easier for a worm/virus to completely trash your system, taking down your valuable data files along with everything else.
I think fortunately for Microsoft and its millions of users worldwide, most worms/macro viruses these days are pests that put a drag on the Internet infrastructure, rather than seeking out your data files and wiping them away.
But people might not realize they are downloading something until it is too late. An onLoad directive to load a file, or an embed, or simply a disguised link that most people wouldn't bother checking...
XML is like violence. If it doesn't solve the problem, use more.
I think the short answer to your question is education. Windows XP is a secure multi-user OS, and it's now shipping on consumer PCs. Many users now will have no choice but to gain a better understanding of at least logging in, and what activities (app installation) aren't possible with a "restricted" user account.
Having said that, I found the Microsoft scheme to ease multiple-user computing for consumers to be incredibly convoluted. During installation, a superuser account synonymous with root on Unix, named Administrator, is created.
However, after booting Lose-XP for the first time and logging in as Administrator, you'll want to add user accounts. Lose-XP forces you to create a "Computer Administrator" account before you can create regular user accounts. After doing so, the Administrator account is hidden from XP's new simplified login screen. The point I'm trying to make is that a relatively basic concept is made more complex, even though the supposed goal was to make the login screen simpler for Joe Schmoe.
It's an issue, but as alluded to before, it's being handled very differently now. In DOS and legacy Windows, there was only the de-facto superuser-level user. Now that XP is slated to become standard on all consumer PCs, this is obviously no longer the case. Besides my earlier complaint that the handling of users is more complex than it used to be, there is I believe another wrinkle to it (that I read somewhere else). If you add accounts during installation of XP, they receive Administrator credentials instead of normal user privileges. Besides (pre-)installation, login is the first feature users will meet. I don't understand why accounts seem so convoluted in XP.
Finally, Mac OS X takes a different tack. From what I understand, all created accounts are user level accounts in the Unix sense. To access the admin-level account, you have to explicitly enable root. I don't know enough about OS X to comment, but on the face of things, this seems like a simple security policy that many users can actually understand if explained to them.
In short, unless users are going to treat their PCs as black-box Internet appliances (admin'd by a friend or relative), many of them will have to understand and admin their Windows boxes more than they've been accustomed to.
As far as protection by using the Admin account, this is a basic tenet of security: assign only the necessary privileges for software to function.
Funny thing, the way this works out on a personal computer is that pretty much every program the user runs needs the ability to access the user's data. Otherwise the user is continually tripping over the restrictions and being forced to enter passwords.
The only reason you claim the Admin account provides "minimal" protection is because you believe the time and effort to restore a system is trivial.
Relative to the months of creative work and irreplaceable personal data that can be lost, getting the local geek to spend a few hours reinstalling software is indeed trivial.
Even if that were the case, always running as the Admin account makes it a lot easier for a worm/virus to completely trash your system, taking down your valuable data files along with everything else.
The only thing it makes it easier to trash are the system files. The user data is totally at the mercy of any trojan they run.
Don't get me wrong, account restrictions could be used to provide better security on a personal computer. However, with rare exceptions, they aren't. The operating environment isn't designed for efficient permissions management and the users aren't sophisticated enough to understand the value anyway.
Multiuser OSs are just that, and not optimally designed for personal computers. The admin account is there to protect the system from the users, not to protect the users from foreign code. There are definitely improvements that could be made with a dedicated networked-PC OS designed with an eye to protecting the user's data from less-trusted network programs such as the web browser.
To sum it up, it isn't hard to imagine system features that would protect the user's data from internet code, and while a privileged admin account could be a part of implementing those features, it doesn't provide them.
---
You'd be surprised at the broadband connection available to things crawling around in your hair.
And that is exactly what it does, mr Fucking Idiot. It dehqxes it, then runs it. http://www.pardeike.net/danger.hqx Decompresses - then launches on my 10.1 Mac. Note that in order to reproduce this, you MUST binhex an APPL, without stuffing it also.
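The post above states the trigger condition: a BinHex-encoded application (Finder type APPL) is decoded and then launched. As an added example (not code from the thread, from IE, or from StuffIt), here is a small BinHex 4.0 header parser a download handler could run before deciding to hand the decoded file to anything: it reports the Finder type and flags APPL so the file can be saved without being opened. The encoder exists only to construct sample inputs; the CRC variant (polynomial 0x1021, initial value 0) and the encoder's lack of run compression are assumptions of this example.

```python
import struct
# 64-character BinHex 4.0 alphabet; each character carries 6 bits of the byte stream.
ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
DECODE = {c: i for i, c in enumerate(ALPHABET)}

def crc16(data, crc=0):
    """CRC-16, polynomial 0x1021, initial value 0 (assumed BinHex header/fork CRC)."""
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def rle90_decode(raw):
    """Undo RLE90: 0x90 0x00 is a literal 0x90; 0x90 n repeats the previous byte n-1 times."""
    out, i = bytearray(), 0
    while i < len(raw):
        b, i = raw[i], i + 1
        if b != 0x90:
            out.append(b)
            continue
        n, i = raw[i], i + 1
        out.extend(b"\x90" if n == 0 else out[-1:] * (n - 1))
    return bytes(out)

def encode_hqx(name, ftype, creator, data_fork=b"", rsrc_fork=b""):
    """Build a minimal constructed .hqx text (no run compression; every 0x90 is escaped)."""
    hdr = struct.pack(">B", len(name)) + name + b"\x00" + ftype + creator
    hdr += struct.pack(">HII", 0, len(data_fork), len(rsrc_fork))  # flags, fork lengths
    body = hdr + struct.pack(">H", crc16(hdr))
    body += data_fork + struct.pack(">H", crc16(data_fork))
    body += rsrc_fork + struct.pack(">H", crc16(rsrc_fork))
    bits = "".join(f"{b:08b}" for b in body.replace(b"\x90", b"\x90\x00"))
    bits += "0" * (-len(bits) % 6)
    sixbit = "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))
    return "(This file must be converted with BinHex 4.0)\n:" + sixbit + ":\n"

def inspect_hqx(text):
    """Decode only far enough to read the header; return (name, type, creator, is_app).
    Finder type 'APPL' means the decoded file is an executable application: never auto-open."""
    chars = "".join(c for c in text[text.index(":") + 1:] if c in DECODE)  # drops newlines and ':'
    bits = "".join(f"{DECODE[c]:06b}" for c in chars)
    raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - 7, 8))
    dec = rle90_decode(raw)
    pos = 2 + dec[0]  # skip the name length byte, the name, and the version byte
    ftype, creator, _flags, _dlen, _rlen, crc = struct.unpack(">4s4sHIIH", dec[pos:pos + 20])
    if crc16(dec[:pos + 18]) != crc:
        raise ValueError("BinHex header CRC mismatch")
    return dec[1:pos - 1].decode("mac_roman"), ftype.decode(), creator.decode(), ftype == b"APPL"
```

A handler that calls inspect_hqx before any helper app is invoked can treat is_app == True as "save to the download folder, do not launch".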
There seems to be some confusion about what a standard UNIX user expects and what a standard Macintosh or Windows user expects.
To make a very rough analogy, an .HQX file is normally treated like a smart .tgz file.
If I download a .tgz on a Unix box, I expect to decompress it twice, build it and install it. No smarts on the computer's part at all -- it's all with me.
If I download an .HQX on a Mac, I expect that if it's a compressed application (.SIT) I'll end up with an executable on my desktop. If it's not an application (PDF file, text file -- whatever...think "file associations") I expect it to be decompressed and run by the appropriate app -- I'm assumed to be vaguely intelligent, but the computer picks up the technical slack.
If I download a .(WHATEVER) file on a Windows machine, I expect that something will happen -- but I'm not always sure what -- I'm expected to be happy with whatever the computer does.
UNIX users are expected to know what they're doing. Most of the time Mac users aren't expected to care what's going on as long as everything works for them. Windows users are expected to go along with what the computer does (think "smart tags").
This seems to be an instance of developers forgetting that, even though this is a Microsoft product, it's being run on a UNIX machine by Macintosh users.
Relative to the months of creative work and irreplaceable personal data that can be lost, getting the local geek to spend a few hours reinstalling software is indeed trivial.
Absolutely correct.
However, one simple modification could bring the user's personal data under the protection of the admin account while still leaving it accessible to the user account: have a program running with root privileges which automatically backs up a copy of all the user's documents to a file only root has rights to. Then if the docs get hosed, e.g. by a virus running as user, one simply needs to log in as root to get at a backed-up copy.
Of course the idea of backing up to another spot on one's own hard drive seems a little strange, but as most *really* important data files tend to be relatively small (unless the user is doing e.g. video editing for a living), it seems like a very sensible solution, especially for OSs like Win2k Professional and OSX--which have strong multi-user security, but are generally run as single-user workstations.
Thoughts?
If you click on a link to a binhex'd file, and it's an application, then normally it gets un-binhex'd for you. Well and good. Now what's the next thing you do? Without fail, it is to double-click on the decoded file. Not to check the file in any way, compare fingerprints or whatnot. You go and double-click the file, opening it up. If it's a trojan, you lose.
Some may argue "well, but what if it says it's a picture file, but turns out to be a trojaned app?" Doesn't matter; I can set the app's icon to look like that of a picture file, and you're just as screwed when you double-click on it.
So what about automating the double-click makes this a "huge security hole"? It seems like once you've downloaded the thing, you're already toast.
Please note that I'm not trying to gloss over the wrongness of the auto-launch, but rather to point out that we need some better form of security systemwide.
As someone who manages 25 local geeks, I take great offense to this statement, but it's pretty damn typical of user attitudes so it doesn't shock me.
The local geeks you talk about spend far too much time fixing your screwups and when we try to protect you from yourself by putting strict file perms on your desktop, you go screaming bloody murder because you can't install webshots or some other stupid program-of-the-week your friends told you about.
So instead of us doing something useful like planning for deploying new technologies, coding useful reports for the mountain of data you need to work with in the company's Oracle database, ensuring the company doesn't get sued for license non-compliance, keeping server patches up-to-date, keeping up with security lists, etc, etc, we are running around fixing your screwups because you have no respect for the time or talents of your local geek.
Thanks for illustrating this common and typical attitude so well...
Same as every automatic backup method that doesn't allow for regression - if you don't realize you're hosed before the next automatic backup occurs, the needed data can get overwritten with "newer" (e.g. infected, corrupted) versions of the files.
Not every worm is out to delete files, many of them will modify existing files to re-infect the system after you clean out the obvious.
Moof!
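The regression point above (a backup that keeps only the latest copy just preserves the infected version) is what a generational store addresses. As an added illustration, not code from the thread: a snapshot function that copies a user's documents into a 0700 vault under dated generation directories and prunes only the oldest ones, so the last clean copy of an overwritten file survives a later backup run. The assumption that it runs as root, as the earlier proposal requires, is stated in the comments; the constructed demo itself needs no privileges and cleans up after itself.

```python
import os, shutil, tempfile, time

def snapshot(src_dir, vault_dir, keep=3, stamp=None):
    """Copy src_dir into vault_dir/<stamp>/ and prune all but the newest `keep` generations.
    Assumed deployment (per the proposal above): runs as root, so the 0700 vault is unreadable
    by the user account and by anything a trojan runs as that user."""
    os.makedirs(vault_dir, mode=0o700, exist_ok=True)
    os.chmod(vault_dir, 0o700)  # set explicitly so the process umask cannot loosen it
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    dest = os.path.join(vault_dir, stamp)
    shutil.copytree(src_dir, dest)  # a repeated stamp raises instead of overwriting a generation
    for old in sorted(os.listdir(vault_dir))[:-keep]:
        shutil.rmtree(os.path.join(vault_dir, old))
    return dest

def versions(vault_dir, relpath):
    """Every surviving copy of one file, oldest generation first, as (generation, content)."""
    found = []
    for gen in sorted(os.listdir(vault_dir)):
        path = os.path.join(vault_dir, gen, relpath)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                found.append((gen, fh.read()))
    return found

def demo():
    """Constructed scenario: two clean saves of essay.txt, then a trojan overwrites it twice,
    with a backup run after each save. Returns the vault mode and the surviving history."""
    base = tempfile.mkdtemp()
    docs, vault = os.path.join(base, "Documents"), os.path.join(base, "vault")
    os.makedirs(docs)
    essay = os.path.join(docs, "essay.txt")
    for gen, content in enumerate([b"draft 1", b"draft 2", b"TROJAN", b"TROJAN"], start=1):
        with open(essay, "wb") as fh:
            fh.write(content)
        snapshot(docs, vault, keep=3, stamp=f"gen{gen}")
    result = {"vault_mode": os.stat(vault).st_mode & 0o777, "history": versions(vault, "essay.txt")}
    shutil.rmtree(base)
    return result
```

With keep=3 the oldest clean draft is pruned but "draft 2" is still recoverable; a store that kept a single copy would hold only the trojaned bytes by then.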