Huge security hole in Internet Explorer for MacOS
Brad Lucier writes "Macintouch is reporting (go down the page a bit) that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1, has a huge security hole---when it downloads arbitrary programs encoded in the Macintosh's standard BinHex (.hqx) format, it automatically executes them." Well, I guess that's one way to make Unix insecure. Can anyone actually confirm this, since it looks kinda sketchy? I wonder what someone's rationale would be for that: "Oh, this won't hurt anyone, and saving that extra 'OK' click will be great!"
Brilliant. That sort of decision runs by whole teams, I would imagine. Why doesn't anyone speak up? I would imagine that folks on the Apple side saw that, also.
You are right, Macs don't play nice, for example.... huh, I can't name one, help me here.
Yeah, you beat me to the punch, but that was pretty much exactly what I was thinking...
"how come something that can be changed with two simple radio button clicks is being broadcast as a gaping titanic-scale hole in Mac OS 10.1 security..."
Had I posted it first, though, I would have tossed in some "For shame!" as well, especially after reading all the knee-jerk anti-Mac, anti-BSD trolls and their retarded comments.
good call, good post.
Except download the test that was posted on Macintouch. If you had actually quoted it correctly: A change in the way the copy of Internet Explorer bundled with Mac OS X 10.1 handles certain downloads is a cause for concern: [Anon] "I am shocked to report a huge security hole in the latest Internet Explorer version 5.1 that comes preinstalled on MacOS X 10.1. Every .hqx encoded Classic application is decoded by Explorer itself (that's the default, Stuffit Expander isn't used) and then AUTOMATICALLY STARTED!
"This is totally unacceptable. You can test this simply by pointing your browser to danger.hqx, where [there is a] very small C program that just displays a message (trust me, it *only* does that message, nothing more)."
It may affect Classic versions of Explorer, but the one shipping with OSX.1 just downloaded.
No, they won't. When it's a problem with Windows, or Microsoft software running on Windows, it's reported as a general computer problem. This is a problem with Macintosh. I'm sure that the media will point that out very specifically.
Liberty in your lifetime
In the preference options, under download options, there is a checkbox for opening BinHex and MacBinary files automatically. If you are really concerned about it, turn it off.
It does not deserve a 0
I can't even *begin* to fathom how this got published. BinHex (hqx) is a COMPRESSED FILE, not an executable! If it decompressed it and then ran the installer, or some other binary without checking first, then we'd have a problem.
Has anyone here ever used a Mac? Good grief.
For a full list of replacements for Internet Explorer on any computer system, check out the Internet Explorer listing on MSBC's The Alternative. It's worth a read to see just how many IE replacements are available, quite a few of them for Macs.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
We tried this on my friend's G3 Pismo with MacOS X 10.1 and MacOS 9.2.1 installed. Clicking on the danger link from the site, IE downloaded the file. It was then automatically extracted. Classic then started up and tried to run the program. This locked up Classic, but we were able to force-quit the danger app and shut down Classic.
This was with a default install of Internet Explorer on 10.1. NO PREFERENCES were changed.
This is very scary indeed!!
Under IE 5.1 Final for OS X, go into its preferences. Under the Receiving Files category, choose Download Options. There are two checked items by default: 'Automatically decode BinHex' and 'Automatically decode MacBinary'. Uncheck them both and hit OK. IE will now send those files over to Stuffit Expander, like it should. Easy, isn't it?
-Henry
"Useless organic meatbag" -HK-47
You can turn off the automatic decoding of BinHex files ...
But why the HELL was it on by DEFAULT?
Oh, right.
It's a Microsoft program.
Never mind.
(The fact that it's for use on a non-Microsoft platform, and thus could make that platform vulnerable to malicious cracking, probably wasn't even a factor.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.
Yes, and IIS is an option in Windows 2000 that can be easily turned off.
/ME checks his Apache logs.
Looks like most people are not aware of that either.
Liberty in your lifetime
Root may be the owner of the file, but that does not mean root owns the process when TruBlue is launched. Classic is just another application, and not a system function. As an app, the only way it gets root power is if a password is entered by an administrative user.