Slashdot Mirror
Huge security hole in Internet Explorer for MacOS
Brad Lucier writes "Macintouch
is reporting
(go down the page a bit)
that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1,
has a huge security hole---when it downloads arbitrary programs encoded
in the Macintosh's standard BinHex (.hqx) format, it automatically
executes them. " Well I guess thats one way to make Unix insecure. Can anyone actually confirm this since it looks kinda sketchy. I wonder what someone's rationale would be for that:"Oh this won't hurt anyone, and saving that extra 'OK' click will be great!".
The fact that OS X is based on FreeBSD may very well keep this hole from becoming as damaging as it is on Windows. Unless you're logged in as root or an Admin user -- always a good idea to be a 'normal' user whenever possible -- I don't know how damaging a malicious program can be. It'd have to get around some pretty strong security.
To what extent do others out there think this fact might "save" IE from being the terrible security disaster under OS X that it is on Windows?
I've got it on my 10.1 system, but I never use it; Mozilla 0.9.4 is far nicer (to me, anyway.)
i am a soviet space shuttle
Fuckin' morons.
The Mac has always played nice on the Web. What are you talking about?
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
You can turn off the automatic decoding of bin.hex files in the prefences panel under "downloading options". This allows people to have some control.
...this always struck me as a little odd.
I've recently started using Mac OSX for dev work, and so I've only just really got accustomed to the OS.
This isn't a OS10.1-specific thing. Straight OS10 does exactly the same thing.
It is dumb, but you can turn it off in the preferences panel. My guess would be that most users would turn it off when they go into the Prefs to change the default download location (as MacIE5 doesnt ask you for a download folder) to something more sensible.
Ppfffff.
Personally, I don't think this is an *enormous* worry for the average user. Imagine if PC IE6 did this. All hell would break loose. But, theres just not that many nasties lurking for the Mac OSX user, really. And besides, the more savvy users will shut this feature off.
It is mighty dumb though. And not even that userfriendly. When StuffIt starts up to expand your files, it steals focus from what you're doing and makes your system chug like hell on OS10.1.
Hmm, was that chill from reading the article using IE 5 on OSX 10.1, or from that strong gulp of coffee that i just drank?
Its been standard in Mac OS for Stuffit Expander to automatically extract archives once downloaded. Isn't this issue related more to Stuffit Expander than IE?
--just kicked back like italics
It is unfair to gloat by saying that every time anything comes up on your screen you should have to say OK. It is a judgement call (imagine if you had to OK each image or flash component separately...). One of the most important parts of designing a product (whether sw, hw, or a chair) is what the features it has and what is the default (e.g., the default for a recliner is the upright position and you have to actively do something to make it recline, imagine if it started out reclining, it would be kind of awkward to get into it).
Having said that, the use of the OK button should be related to the amount of damage a malicious item can cause. In the case of binhex it seems like a no-brainer to ask first...
I wonder what their rationale was.
DROS - Open-Source Robot Software
Most users don't care so much about the system files, which are just a matter of rerunning the install process. Their personal data is far more valuable to them.
Maybe this will save a little data on systems with multiple users, but we're talking about personal computers here. By definition they are primarily used by one person.
The protection offered by an administrator account is minimal.
---
You'd be surprised at the broadband connection available to things crawling around in your hair.
I had an Excel spreadsheet and was going to put passwords in it, because Microsoft has "strong security" features such as encrypted Excel files. Good thing I did a Google search on the topic first:
> We search for the encryption key that Excel® used to encrypt the spreadsheet. There are many fewer keys than possible passwords, hence we are able to search all of the possible keys in 7 to 10 days.
I found several services offering 100% guarantee to decrypt an encrypted Excel or Word file in under two weeks.
Thanks Microsoft.
- For the complete works of Shakespeare: cat
What a big surprise.
I'm currently running 10.1 (5G64) and have ran many other builds of OSX, both pre-10.0, 10.0.x, and pre-10.1. In all of those builds, I've never seen MS IE auto-launch a hqx as the article at Macintouch claims. I first heard about this last night, checked with several of my friends who also use 10.1, and we were unable to duplicate the security hole.
Personally, I think it's something written by a person who misconfigured their system and is looking to blame Microsoft for more things.
Gawyn
Freedom of Speech?
"Date: Sat, 29 Sep 2001 17:02:59 -0400
From: [MacInTouch reader]
Subject: Security Alert for Explorer 5.1 (MacOS X 10.1)
I am shocked to report a huge security hole in the latest Internet Explorer version 5.1 that comes preinstalled on MacOS X 10.1
Every .hqx encoded classic application is decoded by explorer itself (that's the default, stuffit expander isn't used) and then AUTOMATICALLY STARTED!
This is totally unacceptable. You can test this simply by pointing your browser to
http://www.pardeike.net/danger.hqx
where I put a very small C program that just displays a message (trust me, it *only* does that message, nothing more)"
Can't you see that everyone is buying station wagons?
By the way, I've noticed that even people from Apple use OmniWeb over Microsoft IE.
Never play leapfrog with a unicorn. Or a juggernaut.
I haven't had much chance to play with OS X (disappointing), but all the previous Mac's I've played with have had it set that "Stuffit" (like winzip) is launched automatically for the .hqx file so they're auto unzipped onto your desktop. didn't matter what browser you were using, that's just the way it was done. Probably just something that got overlooked in the MacOS to FreeBSD core transition . . .
Dan
"All that we see and seem is but a dream within a dream." --Edgar Allen Poe
OK, so this behavior appears to be configurable, but why wouldn't you set the default to the more secure alternative? Does Microsoft really think so poorly of their users that they honestly believe having to click one more 'OK' button would cause them to loose a significant market share? This is rediculous. What possible benefit is there in establishing an insecure default setting?
--CTH
--Got Lists? | Top 95 Star Wars Line
I do occasionally use IE, when hitting one of those pages designed by MS only shops, but most of my browsing time is in OmniWeb (www.omnigroup.com). Problem solved.
As an added benefit, OmniWeb has options to disable banner ads (sorry VA), kill javascript popup windows, and it's just a generally nicer browser with more intelligent design decisions. And it keeps web pages from looking like NASCAR with all the bloody ads and popups. Did I mention how it kills ads and popups? Although I will admit IE is wicked fast under 10.1, OmniWeb is plenty fast enough.
ehintz
Without Windows and IIS, the Mac simply wasn't meeting the evil corporation standard for security holes. After all the virus market needs corporate welfare like this is they are ever going to be an accepted player on minority platforms.
Actually it tries to launch stuffit or another expander to automatically unencode the files.
Setting StuffIt Expander to be the helper app for .sit, .bin. and .hqx file types should circumvent this problem, right?
Guvegrra?
I'm sorry... did I miss something?
I thought Internet Explorer 5.1 was a Micro$oft product..
t_t_b
I'm on PJ's "enemies" list! Are you?
No, it's not. IE for the Mac is developed and published by Microsoft. Apple just pre-loads it and ships it with its OS. You can download IE from Microsoft's website, not from Apple's.
And the men who hold high places must be the ones who start
To mold a new reality... closer to the heart
That's total horseshit. Internet Explorer for Mac OS is developed and published by Microsoft, NOT Apple. And by the way, for those of you who after nearly two decades can't get it through your heads, "Mac" is not an acronym, it's an abbreviation (actually more like a nickname). Therefore, capitalization is completely unnecessary and really just goes to show how uninformed and idiot you really are in these matters.
Well, unless this is some unix I've not seen...
Normal users have the ability to open TCP sockets, fork processes etc.
All the code has to do is download itself, background itself as an non-stoppable process and then use the network to scan like crazy for whatever vulnerability you like!
Even if you're not scanning for vulnerabilities, your code could be repeatedly mailing bugs@microsoft.com or whatever. A Denial of service attack with a userlevel account is also possible...
After decoding, it tries to run the application contained within. THAT is the security concern. There is an important difference.
I do have one question, though... being a Unix-derrived OS, does the average user on a Mac OS X system have sufficent privlages to destroy anything outside of his home directory?
Short answer: no. Long answer: it depends. The first user created is an admin user by default, and the admin user can do nasty things. Obviously, a single user environment will be an admin user, and therefore able to have more power. It would mostly depend upon how well written the application is-the demo app showing this exploit actually runs in the classic macos environment, so it's damage would be even more limited.
ehintz
I can't think of a better case for Mozilla or OmniWeb (the way cool browser that came over from the NeXT world).
You're using Mac OS X, why have *anything* to do with Microsoft?? Forget MSIE and use Mozilla or OmniWeb.
Though.... I have to admit that MS Office X looks kinda neat. I just hope Corel hurrys up and makes a "Corel Office Suite X".
And microsoft doesn't have a Macintosh division?
Being that "Microsoft products for the mac" brings you to a page with Internet Explorer for download, I'd say you are making stuff up.
Care to prove Microsoft didn't make the Mac version?
Ever since I can remember, using MacOS has been all about not having to go through any extra crap to get something to work. If you want X on your computer from the internet, you click on X, and it unzips itself and starts the installer.
I am very strongly against Microsoft on all fronts, but I don't think its fair to blame them very strongly for this. This is very much in keeping with the Macintosh ease of use philosophy.
I also don't understand why people are making a big deal out of the option to turn this off. If this were enabled by default, it would ask the user "do you really want to run this"...what do you think the average user would say? How is that dialog box making things more secure?
Slashdot 's editors are dickheads
With MS's history, my friend discovered this three days ago and told me. Both of us assumed since it is an MS product that it was the way it was meant to be. Its such an obvious hole that we didn't even think it was a bug, just terrible and user-un-friendly design (as per the usual MS shit.)
"Old man yells at systemd"
Its been standard in Mac OS for Stuffit Expander to automatically extract archives once downloaded. Isn't this issue related more to Stuffit Expander than IE?"
We all know how hard it is to click on a link and read the article, so I did it for you.
From the MacInTouch web site: "Every .hqx encoded classic application is decoded by Explorer itself (that's the default, Stuffit Expander isn't used) and then AUTOMATICALLY STARTED!"
I suggest that in the future you read the article in question before posting.
Steve M
"Oh this won't hurt anyone, and saving that extra 'OK' click will be great!". "
Knowing Microsoft, even when it does ask you to execute the file, the only option it'll give is "OK".
This sounds a lot like the recently discovered slrn bug (see Bugtraq, LWN, Debian) that automatically executed all scripts encountered, apparently assuming they were self-extracting archive files.
However, I'm not sure Microsoft should be let off the hook for the equivalent behavior on the Mac. The Unix code was there for a very, very long time... when it was added it was a reasonable assumption that people would not send nasties because it was too easy to complain to their employer or grad department (the only way to get online) and cause the sender significant personal pain. (This is also a painful reminder that just because code is available doesn't mean that the right people are reviewing it.) In contrast, by the time somebody added that code to the Mac version of MSIE, the possibility of untraceable, hostile scripts should have been obvious.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
I tried it with my 10.1 system. The .hqx file is decoded into an application, but doesnt get executed unless you double click on it. Seems Ok to me.
not unless you are dumb enough to login as root. you need user authentication to run anything as root.
There was no real chance this would spread to webservers by that route anyway. Not many people surf the web from a webserver (those who do tend to serve files from their userspace, even assuming they don't also run the webserver with their normal user permissions).
Trojans are the basic threat, but viruses have been spreading through other means for a long time. Since most end-users spend all their time in one account, not being able to access the underlying admin privileges is about as relevant as not being able to change the hardware configuration.
---
You'd be surprised at the broadband connection available to things crawling around in your hair.
I do believe Zorak said best when he said, "ALRIGHT! SMACKDOWN!". Let's see the geeks lay some of that smackdown on M$....
If Mr. Edison had thought smarter he wouldn't sweat as much. --Nikola Tesla
"Admin" users do, non-admin users don't. The default user account Mac OS X sets up is a member of the admin group, and can create other admin and non-admin users.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
Just tested it. It appears that IE opens the file without specifing which application to open it with (which is something that OS X supports), in the expectation that the .hqx file is also stuffit compressed (which is logical, %99.99 of the time anything that is .hqx is also .sit). So I just chmod 700 IE (it's owned by root which is in the same group as the admin account) on both Macs in our Lab. Not a big deal since everyone uses Mozilla anyhow.
Burn Hollywood Burn
In the preference options, under download options, there is a checkbox for opening binhex, and macbinary files automatically. If you are really concerned about it, turn it off.
uh......
what the fuck is this then?
Mactopia.
*snicker*...
Not true.
Microsoft has a large mac software division that makes IE as well as Office for Mac and some other software.
In fact, microsoft's mac division has more mac programmers than anywhere else but Apple (or so I read in a macworld article a few months back).
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
Umm, no. Apple does not develop Microsoft Internet Explorer.
How to solve most of our problems: 1.Lots of nuclear plants. 2.Cure aging.
Apple did not write Microsoft Explorer 5.1, no
Apple did not include a preference panel inclosed inside of Microsoft Explorer 5.1. in this panel there is an option called: "download functions" if you deselect the two buttons that say, "Automatically decode MacBinary files" and also "Automatically decode BinHex files"... well then guess what? Microsoft Explorer 5.1 will not automatically decode MacBinaries and BinHex files.
then this whole ugly sorded amazingly complicated and far reaching breech will be gone.
Stupid Apple.
no, you don't need root access to the preferance control panel.
no.
you should probably read the ars technica article on meta data. it'll help you out a lot. all those data forks and file conversions and so forth.
http://cincyboys.blogspot.com/ Everything Cincinnati. Including the word 'Finnih'
.hqx are like .uue. One doesn't 'execute' them. They are text files that just decoded, result is put into a folder and nothing gets executed at all.
.vbs files!
You can get a 'helper' to open the file to possibly decompress it etc, but thats optional.
And if you use the default helper (Stuffit expander), the decompressed files are put into the folder, and STILL nothing gets executed.
Go back to chasing
Internet Explorer on the MAC has nothing to do with Microsoft. It's developed, published, and installed by Apple.
Not. It's developed and published by the Microsoft Macintosh Business unit, which is a somewhat independent MS arm out in the SF Bay Area. Apple's only involvement is bundling IE with the OS. About the only way your statement is accurate is if you're trying to stipulate that IE for Mac has little to do with IE for windows, which is correct. In fact, it's not uncommon for IE/Windoze to inherit good ideas from IE/Mac.
And not to be picky, but it's Mac. Short for Macintosh. Not MAC, short for Media Access Control address, as in your NIC card.
ehintz
And it's Mac not MAC. MAC is a networking term.
IE Exploits:
q279328 - allows execution of code through print templates or web forms
q286045 - allows someone to execute files and read files on your machine (using a combination of both exploits that patch fixed)
q286043 - allows someone to begin a telnet session and send data to your machine (as well as execute it) if you've installed Services for Unix
q273868 - sends your authentication information on every query as long as they're on the same hostname
Four major exploits in the last twelve months. Certainly, those aren't all of the exploits, erm, extra features that IE has had bundled with it lately, but they are a few that have readily accessible information from Microsoft.
One could imagine eternally why Microsoft designs such insecure products, but look at it this way:
Have you ever coded a product that was efficient and secure after being pushed for three days to meet a deadline? Don't you become somewhat exhausted and lazy, primarily because you want to sleep, no matter how much money you're going to be paid? There comes a point where caffeine just won't help you operate anymore and your health becomes more of a priority than a "higher-up"'s regime.
Microsoft developers (in the words of Ballmer) are only human as well -- and I'm sure they work just as hard as we do.
Do you like German cars?
the Microsoft Macintosh Business Unit creates all the Microsoft apps for the Macintosh. educate yourself before posting http://maccentral.macworld.com/news/0109/24.macbu. php
Man, this thing is blown WAY out of proportion. The so-called "bug" isn't a bug at all. If anything, it is a poor choice for a default Helper App configuration, not cause for a big fat alarm. You should be cautious when downloading applications in any case. What happens here is that the Helper App for .bin and .hqx (Stuffit Expander by default on my machine) is launched when those files are downloaded.
This is not a software bug or a security hole in the grand sense. This is a stupid decision by someone who configured the defaults. I suggest that maybe it's not a universal thing, since most reports here do not duplicate the "bug".
I kind of expected the first reported security holes in Mac OS X to be something, well, at least seemingly legitimate.
Mr. Sharumpe
-- The above comments are just my opinion. If you are going to flame me, save your time. I am fireproof.
.hqx files are compressed files, not program files. They aren't run, they are decoded with another program, which is usually Aladdins Stuffit Expander. This has been going on forever, since before OS X. Netscape browsers do this, as does iCab, Opera, and pretty much any other Mac browser. So what's the big deal? The file is useless until it's decoded, so why not have that done automatically?
Quit being so goddamn paranoid and eliteist, get on with your lives, and let others do the same.
we are building a religion
a limited edition
we are now accepting callers
for these pendant key chains
Short Answer is actually Yes. The installer creates an Admin user and then logs that person on automatically at boot. There's nothing particular in the installer or the setup screens to help you or encourage you to create an unprivledged user. However, there are certain GUI actions that require an admin password for confirmation.
Due to the law of defaults, my guess is 90% of OS X users are running with Admin privs.
Whenever I hear the word 'Innovation', I reach for my pistol.
Yeah, just like "most users" turn off Java and JavaScript in their browsers? Or turn off macros in their Word and avoid macro viruses?
Not true. "Most users" are dumb. They have no clue what is the difference between "document" and "program". They can't or don't want to change settings. They just click the icon when asked and execute the virus or trojan.
Well, there will always be dumb users. They are not a problem, braindead defaults are. Without all these be-user-friendly-execute-it-all defaults, we would have less viruses and worms going around. Software developers should take their responsibility seriously.
Launch IE 5.1, go to the Explorer menu, then to Preferences.
Go to the "Receiving Files" options and DISABLE "Automatically decode MacBinary files" and "Automatically decode BinHex files".
Easy as that.
I think a very important point to make here is that by default, the user you set up when installing Mac OS X is an administrative user and not only that is automatically logged in when the computer boots. So obviously ~99% of the Mac OS X boxes out there are vulnerable to this bug. Did you know that you can change the root password on any Mac OS X box that an administrative user is logged into without having to know the current root password? (Hint: Any and all administrative users can use the NetInfo Manager application to modify the fields of the /etc/passwd file directly without having to authenticate...)
Cheers,
Ben
This is no excuse - all default options should be sensible options. Lots of people don't change their prefs from the defaults until something in the standard behaviour annoys them - which may take a long time, or forever.
It's still dangerous, even if it can be disabled. It shouldn't even be an option. If you want to run the thing so badly, then go run it manually.
(subject changed to avoid the "postersubj compression" error, whatever that is...)
I adblock all animated gifs.
Blessed be the prime numbered slashdotters
Microsoft gets the prize for the dumbest software 'features' Like vbscripts in outlook, letting java control your browser and running binaries without asking. Personally i like the vb scripts: bringing down entire mail-servers with a language that was designed for 8-year olds just does it for me... or though, theres allot to be said about browser-controlling you can give people heart attacks from just simple java-scripting with multiple pop-up windows, Bin-Laden should be taking notes.
You all know the way out - don't use IE or Outlook (or Office)
Microsoft is either the most innovative, or the most incompetent.
This comment does not represent the views or opinions of the user.
If I click on a link for a .sit.hqx file and IE decodes the HQX, I'd like it to pass the file off to Expander for further decoding.
.doc.hqx file or a .pdf.hqx file, I'd like IE to get Word or Acrobat to open the file after it removes the encoding.
If I click on a link for a
Apparently this same mechanism accidentally results in executables being run as an attempt to pass them along for further processing to the OS. It's obviously a security whole in retrospect, but understandable how it occured.
If the user has Classic running, which is VERY often the case, there is a problem. Classic is setuid root. All one would have to due is encode a malicious classic program as a .hqx, have it add itself to the startup procedure for OS X, and *poofie* instand backdoor.
Burn Hollywood Burn
Preferences fix it. I run 4 systems at my parents house right now. OS 10.0.1, OS 9.1 (for my parents) OS 7.6 (whee hoo!) Win95, and WIn2k.
What kind of hogwash is this? User friendly has nothing to do with security holes...
One has nothing to do with the other. I can make Windows NT 4 air tight, and it still has all the user friendly features it started with (sorry, don't have enough Linux experience to make the claim, but I'm sure its doable). This security vs user interface crap comes from those who either don't know how to code, or do know how to code, and are too lazy to worry about making it 'look perty'...
Please, please, please, let this horrible association between good UI and bad security die here and now...
---
Programming is like sex... Make one mistake and support it the rest of your life.
I do have one question, though... being a Unix-derrived OS, does the average user on a Mac OS X system have sufficent privlages to destroy anything outside of his home directory?
Probably not, but when it comes down to brass tacks, the part of the system that stings the user the most when it gets damaged is the user's data, which is accessible to the user and fair game to a trojan horse/virus/backdoor.
I'm only out an hour if I just have to reinstall the OS. I'm out possibly several months if my data gets wiped out and I don't back up (like the average user).
NO CARRIER
...though I will admit, it's pretty dismal.
Administrator-class users [i]do [/i]have to authenticate to save their changes to the NetInfo database.
The real problem is sudo. Any Administrator-class user can use sudo on anything they want. That is, obviously, an obscenely huge hole. But it's not quite as bad as you make it sound. Still dire, but there's no need to exaggerate it even further than it already is.
Actually, I did read the article. IIRC, the author points out that file and creator type are not part of the Mac's resource fork, but rather its data fork. So while such information is certainly metadata, there's no good reasons that other OS's shouldn't be able to interpret Mac file type information. (Application type is a little trickier, I admit, but that should be information which a user is free to ignore anyway.)
I strongly agree with the author's contention that suffixes are a lousy way to identify file type, and as a long-term Mac guy, I'm dismayed that MacOS X (which is in almost every other respect a great OS) is moving so strongly in the direction of suffix-identified files.
In any case, none of that is directly relevant here. The IE flaw has to do with the Mac as a file client, not a server.
The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
That's actually the root cause of this discussion -- Microsoft attempted to resolve the "SIT paradox" by including automatic decoding and unstuffing in the browser. They also kindly added auto-execution.
Believe me, it used to be a lot worse because you needed seperate tools for de-BinHexing and de-MacBinarying files.
I mean, the only way Apple gets blamed is if Microsoft's Mac IE team got approval from a managerial level inside Apple to include the "run as default" in the spec for IE-Mac. I doubt mgmt at Apple is that stupid... so I would be willing to bet that no-one at Apple ever saw the offending code, primarily because M$ is so damned arrogant about their own perceived superiority based on market share. (insert obligatory rant about M$ marketing techniques here). So the chances of anyone at an outside company being given code review privileges were probably between microscopic and non-existent.
IE is not an Apple product and you can bet that now that the problem has been exposed there is going to be some serious backrooms yelling at the idiots in Redmond who are inflicting their poor security models and thinking on the Mac platforms, and that Microsoft is going to have to spend some additional development bucks to fix it.
Of course, we all trust Microsoft's patches to behave themselves, right? NOT!!!!!
...Open Source isn't the only answer -- but it's almost always a better value than the alternatives...
video drivers in the kernel
need i say more
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
On the Mac (and probably everywhere else) this is called "post processing" a download. iCab and OmniWeb both offer this too.
In my experience, this functionality has never been a problem, and has existed at least since 8.5 (what I got on the web with). Stuffit (like Winzip for Macs) also does this -- if you download a file like "foo.tar.gz.sit.zip.hqx" it will automatically keep decoding files until it gets to the foo file. It's a convenience, not a security breach.
1. video drivers in the kernel
2. NT4 is no longer a microsoft product see here
"Effective October 1, 2001, Windows NT Server 4.0, Windows NT 4.0, Enterprise Edition, and Windows NT 4.0 Client Access Licenses (CALs), will no longer be available through volume licensing programs"
skwid
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Wait a minute here... I think there's a fundamental misunderstanding. Decoding a .hqx or MacBinary file is NOT the same thing as running the resulting executable! It doesn't even have to be an executable... any file can be encoded as BinHex or MacBinary. It's just a method of "flattening" the resource fork and data fork into one file. Stuffit's .sit format has done the equivalent (plus compression) for a couple versions now. I don't have the latest IE yet (waiting for my Student ADC copy of 10.1...), but I'm 99% sure it doesn't automatically run any executables, it just harmlessly decodes the encoded files into their original form.
later,
Shadow Knight
Exactly... once microsoft stops supporting it, it becomes secure...
---
Programming is like sex... Make one mistake and support it the rest of your life.
Does anyone else remember how new windows with binary files turn automatically in download of the file? You don't even have to start the download yourself. Just browse on some site...
If programs would be read like poetry, most programmers would be Vogons.
And it's only Classic [blech] apps than are executed automatically. So its not a Unix problem. Its a Mac OS problem. The fact that their OS (their being Mac OS, not that hideous mutation of BSD) has only one privilige level is the worry. Any random binary can scribble over the memory of any other app (thank you Apple, for failing to include memory protection), even the OS itself, including filesystems drivers! Ever wonder why it tells you restart after a random app crashes (which is often) ? Because it could have (and probably did), nuke all the data another app was working with, which will in turn crash and nuke another app...
Anyway, back ontopic... If you want a secure Unix OS, use Linux, or [Net|Free|Open]BSD. At a pinch you can use OSX (But whatever you don't DON'T install Classic. And log in as a normal user. And reenable the root account so you can disable sudo (but with a nice strong password)). If you want a pretty [blech] gui with transparency and animated menus and the "genie-in-a-bottle" effect, but don't care about your data, then by all means, use Mac OS.
Think different? Different what, colours? How about you just think for a moment...
"I think he was truly surprised at how little I cared about how big a market the Mac had" - Linus on Jobs
The huge security hole JUST GOT BIGGER with a huge /. story! Prehaps we should refrain fron reporting these things till they are fixed - kind of like how newspapers sometimes won't report on troop movements (esp. during WWII)
Hi. I'm Jack. Nice to meet you.
---------
get your war on
I imagine Jobs is fuming at this wondering just what it's going to take to keep Microsoft off MacOS. I wonder if Apple has any skunk work projects or programmers working on non-Microsoft browsers and office suites. Kinda conspiracy theory-ish, I know.
obviously no deficiencies vs. no obvious deficiencies
I see various posts here investigating the question of whether an OK button is warranted when making the decision to launch the hqx file. I think the issue is quite different. The problem as described is that any download that the browser thinks is an hqx file gets *executed*... as opposed to decoded by the appropriate program.
.hqx ending).
.hqx
The problem begins and ends with the browser designers' decision to invoke the decode by telling the OS to "launch" the file, leaving it to the system to examine the file's metadata and leading to this security hole when that metadata indicates that the file is an application instead of a binhex file (despite the
The right way to solve this problem is to:
1) download the file ending in
2) tell the OS to launch the OS's choice of decoder program for hqx files, and
3) tell that launched program to decode the downloaded file.
- First they ignore you, then they laugh at you, then ???, then profit.
the Microsoft Macintosh Business unit, which is a somewhat independent MS arm
If only that were true. It is correct that large corporations are actually a bunch of smaller companies bound together as "business units" in an attempt to get them to play nice together, but Microsoft is bound closer than most such businesses, with the top leading by example.
As evidence, take their uniformly poor attitude towards security...and their applying features from games to other software (one can get obsessed about a game and learn all its controls, and if it crashes, one can just pick up from the last save; this mantra has problems when applied to, say, office software). Also see "embrace and extend" used across the board, to varying degrees of success.
That if the user clicked on the link to download the hqx, that he would have run it after it finished downloading anyway? If I click something to download, at that point it really doesn't matter whether the browser runs it or I do.
Gotta get me one of these!
-dair
Except that the checkboxes say Automatically decode binhex files, they don't say ... and execute them without warning. The first would be a nice feature. The second is a security hole of Gatesian proportions.
Uh I don't think the original poster has ever used a Mac and thus has no idea what a .bin or .hqx is. HFS stores files as what are called forks. A file has a resource fork and a data fork. The resource fork is the important part because it contains information about the file telling the system what type of file it is as well as who owns/created it. If you send a file from a Mac to a non-Mac system the resource fork is lost most of the time and you end up with a meaningless set of data. MacBinary and BinHex encoding came about because Mac files needed to be sent over network mediums possibly through systems that had no concept of data forks. They combine the data and resource forks in a single file system entity so they can be sent over a network. BinHex provides a little bit of compression with RLE encoding. The fact that IE automagically decodes either BinHex or MacBinary files means it does what it is supposed to do. This is not a security hole because it doesn't automatically run anything that was encoded. It just turns it into a normal Mac file entity. If you're set to automatically expand SIT or SEA files then you're asking for someone to fuck you over. This is NOT a security hole in IE. Geez
I'm a loner Dottie, a Rebel.
- A
After usibility testing with average Mac users explaining how downloaded files need to be stored somewhere and then doubleclicked to execute, Microsoft said "fuck it" and made it automatic.
Design a computer for an moron, and only morons will use it.
For a full list of replacements for Internet Explorer on any computer system, check out the Internet Explorer listing on MSBC's The Alternative. It's worth a read to see just how many IE replacements are available, quite a few of them for Macs.
== Paul Rickard, Editor of The Microsoft Boycott Campaign ====
Funny. When third-party programs cause problems in Windows it's the OS's fault not the third-party vendor. But when MS is the third-party, it's not the OS's fault but MS's. Bottom line - it's MS's fault no matter what.
My only question is: If a non-MS application causes a problem on a non-MS OS, is anyone at fault?
as a mac fan, i'm very glad the icon next to the title is mr. gates, not the apple.
last thing apple needs on slashdot is bad pr.
go get it
- Create script to toggle 'autoexec
.hqx downloads' to FALSE
- Insert the file into the X-10 popup banner
Problem solved.Kevin Fox
It is not Stuffit. It's Internet Explorer de-binhexing and executing the coded app all on it's own. Since you mention Stuffit, I'm not sure you understand what is going on as Stuffit does not have this behavior (nor is it involved).
It's not a feature of OS X (or the OS's fault in any way). I never noticed the beta-IE (used in OS 10.0[0-4] doing this, and I used it throughout. I rarely booted into OS 9 when OS X came out, and I used the beta fairly extensively as well.
IE is auto-decoding a binhex, then if it's an application, automatically executing it. No other version of IE does this. No other mac internet app does either. Others will auto-decode files for you, but leave it to you to launch them.
Sure, you can turn off the binhex pref, but without the added "feature" it is not a security risk to simply de-binhex a file (probably less dangerous than uu-decoding). Even a savvy user who perused every setting wouldn't know to uncheck "automatically decode binhex" to turn off a feature that's so stupid one wonders why someone would bother coding it (automatically running dl'd apps).
Now Stuffit has it's own security risk. By default, it will auto-mount any disk image it decodes. A disk image can be set to automatically launch an app when loaded. Hence, Stuffit can be made to do what IE is doing in a roundabout way. Personally, I think this "feature" should be turned off for disk images as well.
I use the slowest G4, and I've not noticed Stuffit being a hog, though it is annoying. It ripped through the 189 MB dev tool installer in a few seconds.
IE has other problems as well. It will reset my Internet prefs (usually just the dl folder, but sometimes it will set itself as the default web app). Just use Omniweb, and you get a nice spell checker to spell check your posts (I know I need it).
In reply to both sakusha and Millenium...
I actually forgot to include the most critical step. Here is a complete set of steps that you can verify on your installations.
1. Walk up to a Mac OS X box that has a default install and is therefore already logged in as an administrative user.
2. Open System Preferences...
3. Open the Users control panel.
4. Add a new user and select "Allow user to administer this computer" under the Password tab. Wow...you don't have to authenticate to do this!
5. Log out and log back in as the user you just created.
6. Open NetInfo Manager.
7. Click on the lock button at the bottom of the window and authenticate using the login/password you just created.
8. Choose Enable Root User from the Security submenu in the Domain menu.
8. Navigate to "/" -> "users" -> "" and copy the contents of the "passwd" property.
9. Navigate to "/" -> "users" -> "root" and paste into the "passwd" property.
10. Quit and save your changes.
Amazing...you now have complete ROOT ACCESS to the machine!
P.S. Please try to keep your responses constructive guys...
And I suppose you called it the DOS Operating System, and the GUI interface? You stupid redundant bastard, it's "NIC", not "NIC card". You could say NI card (thus winning a Monty Python Point), but you're too retarded.
;-) Although there comes a certain time where it becomes pointless to fight the popular trend. NIC card, GUI interface, Cable/DSL Modem... All wrong. Sadly, our language has a long standing tradition of words whose original meaning is popularized into something entirely different. Dare I even bring up hacker/cracker? That should be good for a flame war or two... ;-)
Fair enough. I'm rather embarrassed to admit I missed the Python point, painfully obvious in hindsight. But it's a fair cop.
ehintz
I'm gonna be maked at -5 flamebait for this...
Microsoft, Helping people root boxes cince 1983 and now with cross platform capabilities built specifically for Macintosh OS 10!
Do not look at laser with remaining good eye.
Interesting note: When I use the macs at my high school (G4's), IE never seems to work for them, so I always use Netscape. However, I also like to check my email using the macs, and there is no telnet application on these macs, and I can't install NCSA telnet on them because everything on the computer is locked. However, I found a way around it. When I download the hqx version of NCSA, it autoinstalls, bypassing "foolproof" security. I still can't use the telnet app unless I call it up through netscape using telnet: . I just thought this was interesting...because it isn't just IE that does it...it is the stupid hqx and stuffit expander things. I would definitely disable those options. (If I could...but the security features don't let me change anything!)
The anti-salmon
IE definitely auto launches it on my 10.1 system. 5G64, Dual 800 G4. -Ben
1. video drivers in the kernel
And if they weren't then you'd be yelling about how the video performace is so slow.
What's the bloody deal? If you install a crappy video driver even if it's not in the kernel is has hardware access which means that it can toast the system. So don't install crappy video drivers.
NT4 is no longer a microsoft product
you have an interesting interpretation of "discontinued". It does NOT mean that it's no longer a MS product, it just means that they're not supporting it anymore (which makes sense).
If God gave us curiosity
And that is exactly what it does, mr Fucking Idiot. It dehqxes it, then runs it. http://www.pardeike.net/danger.hqx Decompresses - then launches on my 10.1 Mac. Note that in order to reproduce this, you MUST binhex an APPL, without stuffing it also.
Apple does work on non-MS office suites! AppleWorks! It's non-MS and it's actually a very good product...one of the first OSX native applications. I ran it all the way back on the public beta...Also, Apple worked on Mail, which competes with OE.
"...it automatically executes them."
Now if an "executed" program is STILL a security risk -- I don't know how we can ever be secure.
Karma stuck at 50? Add 2-5 inches.. err.. 2-5x Karmas Count to your pen1es.. err.. Karma all naturally and private
launched automatically for me, but only when Classic was running ... sounds like Classic MacOS is the weak link
Under IE5.1 Final for OS X, go into it's preferences. Under the Recieving Files catagory, choose Download Options. There's 2 checked items by default. 'Automatically decode BinHex' and 'Automatically decode MacBinary'. Uncheck them both and hit ok. IE will now send those files over to Stuffit Expander, like it should. Easy, isn't it?
-Henry
"Useless organic meatbag" -HK-47
User files should not be a problem. The same files would also be toast if the hard drive died. If people are not backing up to a durable medium (hey, they all ship with CD burners don't they?), they don't really care about their data.
I'd like to see a virus capble of erasing CD-Rs kept in a locked filing cabinet.
Xix.
"Everything is adjustable, provided you have the right tools"
We're talking about a Microsoft product running in Unix that came pre-installed with the Mac OS.
These are strange times, my friends.
"Oh this won't hurt anyone, and saving that extra 'OK' click will be great!".
.hqx is or does. is it safe or is it malicious code? well malicious coders aren't going to name the hqx files "thiswillhurtyoucomputer.hqx". secondly the people who would be surfing sites where this is a danger would be kids who don't nor won't take the time to investigate if a warning is presented.
.hqx files. sigh. can't we all just get along!!!
joe user might not know what
as stated in another post disabling this is really the only approach but that limits honest deployments of
Huge security hole in Internet Explorer...
Score: (Score:-1, Redundant)
I think the autoexecution is a dumb idea...
but seriously, your downloading an execuable, its being decompressed.
You can run it now, or run it later when you launch it....
Some Mac users don't diferentiate executables and documents. They often double click on executables and documents. The mac stores file type and application to run with documents (at least up to 9.x) so it knows which application to run. Many mac users use documents to launch their programs (a more doc-u-centric approach)
The danger here is people may think they are downloading a data file, when its an executable. most people don't check. The pc sircam virus uses this technique to trick users into launching it, so its not a unique "mac" problem.
Watch what you download..!
On the plus side the Unixy features of OSX should prevent it from hosing your system, you just have to worry about your documents...
This feature has been in IE for mac for some time, the auto-decompression of
The Problem
The problem results from IE not checking what it's launching. It assumes that anything that comes in a .bin or .hqx file must also be compressed in some other format, most commonly .sit, and so it saves the file, and sends an Apple Event (most definitely the Open event) to the FINDER . Why the Finder? The Finder is the UI front to the MacOS, much like the "explorer" process in Windoze. It does things like allowing the user to click files, folders, hard disks, ect. amongst other general OS control tasks. By saving this file and telling the Finder to open it, the IE programmers have saved themselves the effort of figuring out how to find and launch the Stuffit application themselves, and why should they? After all, it might not be a stuffit document. Obviously, though, no check is performed on the file type at all, thus blindly passing the fresh download to the Finder. And since the Finder interprets an Apple Event on an Application file as a launch request, it does just that. And so a massive security hole is born.
The Fix
How about checking the file type before sending that Apple event? It's one simple if statement, or at worst case a loop with an if that checks against an array of "banished" launch types (or even other criteria, I'm not sure how OS X handles the new "package" style Apps). A lil required reading for you boys over at MS's Mac dept:
Inside Macintosh: Files
P.S. The file type code for Applications on MacOS is "APPL", that might come in handy too.
CAn'T CompreHend SARcaSm?
You can turn off the automatic decoding of bin.hex files ...
But why the HELL was it on by DEFAULT?
Oh, right.
It's a Microsoft program.
Never mind.
(The fact that it's for use on a non-Microsoft platform, and thus could make that platform vulnerable to malicious cracking, probably wasn't even a factor.)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
"Can anyone actually confirm this since it looks kinda sketchy."
Real professional, guys. "Well, we heard about this bad thing that involves Microsoft, so we're posting it. We're not sure it's true, hell, we read about it on young Tim Walrus's website; he's a seven yeard elementary shooler in Omaha. Apparent, IE 6 will kill your parents in their sleep."
Stupid.
jack's bicycle is music to my ears
yeah, thats how it works, very convinient. never really thought about it from a security stand-point.
First let me say this is totally unacceptable. However:
1) The app only starts automatically if you just click on the link. If you option-click(what I usually do when I want to download a file). It doesn't autostart it. When you option-click you are basically telling the browser "save this file to my HD", when you just normally click, you are saying "show me this file"(so like a PDF will download to the HD and then be opened). Still obviously it should not automatically open apps.
2) This is only for Classic apps. The reason this is good is that I usually don't have Classic open(because it sucks). So when I click this, it automatically starts opening Classic(which takes 30-45 seconds). If during that time I just click to stop opening Classic, the program never runs.
Even easier: reboot and hold down CMD-S (Option-S on some versions of OS X) and look! You're in single-user mode with root access!
But this is all moot anyhow: if you have physical access to the machine of just about ANY operating system (Linux included), you have full access to everything. Just the other day I booted an NT laptop with a Linux disk that can read NTFS so I could re-set the (forgotten) administrator password.
Big deal. Physical access == root.
- j
"Huge security hole in Internet Explorer..."
(Score:-1, Redundant)
[alk]
How could they have done something so obvious by mistake?
photosMy Photostream
Uh, that a subunit of Microsoft does something does not mean that Microsoft has not done the thing.
There should be a moratorium on the use of the apostrophe.
Max V.
NeXTMail/MIME Mail welcome
The MAC is an aspect of your network card. A Mac is a computer.
There should be a moratorium on the use of the apostrophe.
Max V.
NeXTMail/MIME Mail welcome
www.mozilla.org is the way to go. 0.9.4 absolutley screams compared to some of the older builds, and the mail client works too :)
--
MacSlash
Your Daily Dose of Mac News and Information
--
MacSlash: Your Daily Dose of Mac News and Discussion.
First of all, ehintz is absolutely right about the Macintosh Business unit. (i didn't know they were in the SF Bay...) And anyone who's been to a recent Mac event (like Macworld NY) knows that this 'somewhat independent...arm' seems to have real pride in bringing better solutions to the Mac platform than their 'big brother'. More importantly (and relevant to the original post), as far as the security risk goes, it appears that the Classic environment adheres to the uid/gid rules of the X environment. So a Classic app can't alter mach.sym for instance (you can recover text in Word read-only). The same does not hold true to a seperate Mac OS 9 volume however. So this does pose significant risk.
Anything this important to the user should be backed up, nevermind the risks from trojans and virii, what about file system corruption, disk crashes and the like?
IMO, if you trust your computer to keep your precious data safe you deserve to lose it, just so you might learn to backup.
How about ATM machine, or better yet, take a look (if you dare) at the startup screens from Win2K... "Built on NT Technology"
Internet Explorer on the MAC has nothing to do with Microsoft. It's developed, published, and installed by Apple.
What on earth gave you that silly idea? Apple bundles IE for the OS they sell just like Compaq/HP and Dell bundle it for the OS they sell - oh that's right, Compaq/HP and Dell don't get a choice.
never underestimate the bandwidth of a station wagon full of tapes
I can honestly say that I don't know any savvy Mac users (not syaing they don't exist, just that I don't know any), and unfortunately the Mac isn't marketed towards savvy users.
(Score:-1, Flaimbait)
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
Actually, MAC is just short for media access control. As in the layer. The address part is part of that layer.
"an moron"?!? Is there any chance we can get "Anonymous Coward" changed to "Anonymous Moron"? And while I'm at it, how about a different type of post, one that is clearly distinguishable visually, and is exempt from the compression filter? It could be used for short quips, relevant URLs (without the need for extended explanation), etc.
It's a command-line utility used to access the information in the NetInfo database. It's specifically used to create flat-file versions (normal UNIX-like) of most of the system configuration.
/etc (inetd.conf, services, groups, passwd, and more) are actually stored in an XML database in Mac OS X. It's kind of a neat way to do it, especially the bootup sequence information.
." command. Heck, I don't even know if shadow passwords are available in OS X.
All of the things that UNIX expects in
But not having shadow passwords turned on by default means that anyone can get the passwd database in a crack-able form by running that "nidump passwd
Well I guess thats one way to make Unix insecure. Can anyone actually confirm this since it looks kinda sketchy.
Slashdot wanting to confirm news that could damage Microsoft's reputation? Pshaw!
Do you like German cars?
There seems to be some confusion about what a standard UNIX user expects and what a standard Macintosh or Windows user expects.
.HQX file is normally treated like a smart .tgz file.
.tgz on a Unix box, I expect to decompress it twice, build it and install it. No smarts on the computer's part at all -- it's all with the me.
.HQX on a Mac, I expect that if it's a compressed application (.SIT) I'll end up with an executable on my desktop. If it's not an aplication (PDF file, text file -- whatever...think "file associations") I expect it to be decompressed and run by the appropriate app -- I'm assumed to be vaugely intelligent, but the computer picks up the technical slack.
.(WHATEVER) file on a Windows machine, I expect that something will happen -- but I'm not always sure what -- I'm expected to be happy with whatever the computer does.
To make a very rough analogy, an
If I download a
If I download an
If I download a
UNIX users are expected to know what they're doing. Most of the time Mac users aren't expected to care what's going on as long as everything works for them. Windows users are expected to go along what the computer does (think "smart tags").
This seems to be an instance of developers forgetting that, even though this is a Microsoft product, it's being run on a UNIX machine by Macintosh users.
I'm running Mac OS X 10.1 on a 466 MHz G4.
-- if it was so, it might be; and if it were so, it would be; but as it isn't, it ain't. That's logic - Lewis Carrol
Well, this is simply just a stupid decoding bug. Within IE's prefs you can toggle off binhex and binary decoding. Something like stuffit expander can do the rest for you once you double click the downloaded file. Most people tend to "stuff" and then encode files anyway, so in reality your not really loosing a step. which do you prefer to double click... a sit or zip file? or a bin or hex file?
as for Apple and net standards. Well, as a web developer I can outright say that MacOS X and IE 5 are probably one of the most standards complient combos you are going to find. My rule of thumb is to develop pages on my mac and to tweek them on my 2k box. Typically, if a site works fine with IE 5 Mac it will work fine in every other browser that attempts to follow current web standards. Of course though, IE 5 and 6 for windows is typically a bug ridden POS... so tweeking is always needed. Developing for those browsers first always results in a world of problems for me. If I need to develop on windows I typically use mozilla.
And as for MS. Well, the MS MacBU is primarily a bunch or die hard mac geeks. they have one of the biggest mac labs in the world...second only to apple. The MS MacBU is full of old apple and claris developers...and then make fantastic products. Most people will agrue that Office 2k1 and Office X are much better then their office XP counter part. Moreover, IE 5 for classic MacOS was, and still is, an amazing peice of software. One of the best browsers that I have ever used... on any platform.
Nonetheless, IE 5.1 for OS X has bugs... even in it's "final" state. It was the MacBU's first OS X app... and it was made by carbonizing the older classic 5 browser. The classic 5.0 browser was very very dependant on the little nooks one could exploit in OS 8.5 or 9... I'm not surprized that porting it to X was a problem. However after seeing Office X for OS X I am very excited to see what the MS MacBU will pull out for IE 6 on OS X. I have no doubt that it will also be a great piece of software that folks on other platforms will learn a lot from. MS has a damn fine bunch of Mac developers now...they're the bomb.
"Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
I'm guessing they did this b/c most things that are hqx'ed are also sit'ed underneath. I understand the reasoning, but man, that is a terrible security hole.
first of all, we all know that this IE isnt bundled with macOS, so obviously it means MS wrote this just for that platform for whatever reason.... now you cant blame the OS or whatever anymore - IE's constantly having having security holes. these guys are professionals for goodness' sake. i dont see why this is a problem because IE shouldnt have been way up there on the priority list for the guys at MS to push it out the door for the mac - despite how undependable/unstable it is.
(as an aside (slightly off topic), my school lab now has ONLY IE installed and no netscape. it's not such a big deal since the network isnt mine....)
my blog
Key word is self-extracting. I'm sorry if you had a bad experience, but Aladin's website is very clear about the options and the self-extracting archive is one of them. It does not require another program to execute the decompression.
Fact #2: FreeBSD does not use a Mach kernel.
Fact #3: The
Fact #4: The unix-like, BSD family, portion that makes up the base of MacOS X is not proprietary - it's called Darwin and is open and downloadable in source form (even ported to Intel). Only the upper level graphics system is closed. It's kinda like running a proprietary X Windows system on top of Linux.
Finally, Fact #5: Although there are some proprietary BSD-based OS's, the majority of the proprietary Unix OS's are based on AT&T->Novell->SCO->The OpenGroup code - not on BSD.
Please investigate your claims before boasting such innaccuracies.
I AM, therefore I THINK!
If you click on a link to a binhex'd file, and it's an application, then normally it gets un-binhex'd for you. Well and good. Now what's the next thing you do? Without fail, it is to double-click on the decoded file. Not to check the file in any way, compare fingerprints or whatnot. You go and double-click the file, opening it up. If it's a trojan, you lose.
Some may argue "well, but what if it says it's a picture file, but turns out to be a trojaned app?" Doesn't matter; I can set the app's icon to look like that of a picture file, and you're just as screwed when you double-click on it.
So what about automating the double-click makes this a "huge security hole"? It seems like once you've downloaded the thing, you're already toast.
Please note that I'm not trying to gloss over the wrongness of the auto-launch, but rather to point out that we need some better form of security systemwide.
I know some Mac users that are very good at photoshop and other apps, but couldn't find their way to the "Extentions Folder", much less some security control panel, if they tried.
And I know a lot of windows users like that too.
Personally, I'm a big fan of the mac platform. I can find my way to the "Extentions Folder", and I also know a good deal about windows and linux. But when it comes down to best desktop OS... I still pick the mac. It doesn't have so much to do with being able to understand something more complicated; it's apprecieating something elegant. Granted, I spend a good deal of time on my mac using NiftyTelnet SSH to connect the my linux server, but I still like being on the mac.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
If you're gonna troll - at least be inventive and not absurd!
I AM, therefore I THINK!
C'mon Taco (this is deja vu!), even though the FAQ says WE check for discrepancies, don't you agree that 4 out of 5 of your stories lately have had sensationalist headlines, rather than a "Let's take a look at the potential problem" attitude? - It only takes a little reading and a clear mind to get a real-time picture of what the story is.
Maybe the EDITORS should do a little more looking before barking. (my $2 - cable is expensive)
Bottom line: Set your security to what the app allows and take your chances. (there goes my measly Karma of 5)
db
Cig:
ôô
your an idiot.
no, you're an idiot.
sorry, couldn't resist.
-These aren't my pants.
On MacOS 10.1 build 5G27 with the new
IE 5.1.2 (3707) this is not reproducable.
DW.
If it was open source, other people would be able to check it, test it and hopefully find serious flaws like this before much damage is made.
When you have source available during the beta stages, the "first release" should be infinitely more secure than any proprietary program ever could hope to be.
Now consider the damage done when MacOS is infact shipped with this flawed version of IE pre-installed...
/proton
QA isn't what it used to be. It should have been sent back for fixing. Or perhaps they need Ian Hixie to keep them in check and have it ship when it is worthy of being called a program.
Come on, sure there is a limit on time, but what is wrong with leaving a cake in the oven until it has finished cooking?
(cross posted this on macslash) My friends and I have been early adopters of OSX and we've never actually had IE execute a downloaded app. Yes, it de-archives things for us all of the time through its helper app settings. We've upgraded to IE 5.1 and not changed a single preference setting and none of us have never seen this occur. Is there some special archive/helper app setting I'm not seeing??
--Let's hack root on 127.0.0.1 --panZ
You mean, except for step #1, which states, in no uncertain the terms, the prerequisite for the rest of the steps to work: you're already logged in as administrator. It shouldn't be any surprise that the administrator can gain complete access to the system.
If a corporation is a personhood, is owning stock slavery?
...you could read the article which states, unambiguously, that it executes any resulting executable from the decoding...
If a corporation is a personhood, is owning stock slavery?
What are you taking about?
The Java security model works pretty flawless.Apart from the age-old 'brown orifice' attack I never heard about it fail.
You're badmouthing one of the best security models.
Actually, the EASIEST way is to walk up to the box, insert the OSX CD you happen to have (don't we all have one?)
give it a 3 fingered salute, hold c, then choose "Reset Password..." from the file menu.
Click root,
make up a new password,
confirm it
then quit (which will restart back into OSX)
you now know the root password.
Word to the wise, it is possible to secure OSX boxes against this by password protecting OpenFirmware, which will prevent CD booting without knowing the firmware password.
Physical access is not a security exploit... imagine a DoS on a machine with physical access... that means you pulled the plug.
---
Live Long & Prosper \\//_
CYA STUX =`B^) 'da Captain,
Jedi & Last *-fytr
1. Don't use M$IE use omni web
2. protest very loudly to Apple so they ensure that this function is off by default.
3. write the supreme court and say that Microsoft is sabotaging the only desktop OS left by creating security holes for it
realkiwi
I had this problem before I upgraded to Os X.1.
.hqx file and, after downloading, IE tries to launch Stuffit to open it. Problem is, sometimes IE can't FIND an OsX version of stuffit and launches the classic version instead. THAT'S what most people see happening. It's not the .hqx decoding and running itself, it's IE using the 'only' decoder it has available, launching classic to do so.
this is what happens: You download a
I can't verify this unfortunately, but I'd bet my own mother that that's what's going on.
Jacko
Actually, no, IE has handled .hqx decoding on-the-fly from the first MacOS version. It didn't require StuffIt for decoding, except, perhaps, for the StuffIt Engine extension (under classic MacOS) - but probably not even that.
Moof!
how useable is IE on the mac?
Linux is not a great web platform compared to NT. you cant get the plugins and the (html) compatibility that IE has, which is one of the reasons why I will never get that win box off my desk.
it would be great if I could run a nice NIX box with a browser to suit my needs. AFAIK my only choices are WINE (not good), MacOSX or Solaris.
Ive heard that m$ have cripled the solaris x86 IE so ppl like me cant dump NT is this true? Is IE betetr on OSX?
Do Unto Others As You Would Have Others Do Unto You - ONLY HARDER!
jcr@localhost:~>cat /etc/passwd
##
# User Database
#
# Note that this file is consulted when the system is running in single-user
# mode. At other times this information is handled by lookupd. By default,
# lookupd gets information from NetInfo, so this file will not be consulted
# unless you have changed lookupd's configuration.
##
nobody:*:-2:-2:Unprivileged User:/nohome:/noshell
root:*:0:0:System Administrator:/var/root:/bin/tcsh
daemon:*:1:1:System Services:/var/root:/noshell
www:*:70:70:World Wide Web Server:/Library/WebServer:/noshell
unknown:*:99:99:Unknown User:/nohome:/noshell
The only title of honor that a tyrant can grant is "Enemy of the State."
Let's see. If Internet Exploder is setuid "nobody", then won't any processes it forks inherit that?
Not that this affects me, anyhow. The first thing I do after installing OS X is always to trash IE.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Actually, Type and Creator codes are stored in the data of the
He didn't say that getting the local geek to spend hours reinstalling software would be easy, or that the geek wouldn't figure he had much more interesting things to spend his time and energy on... Just that it would pale in comparison to recovering all of the lost work and communications (presuming that there wasn't a reasonable backup process in place -- now that's something you should assign a geek to spend a few hours on!).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
hmm, 3rd party closed source binary video drivers that can crsh the kernel with "error at 12312:x1"
nice and easy to solve
and linux framebuffer stuff
who cares? My servers don't run windows *or* linux. and besides when did I need a framebuffer to run a mail server? It doesn't even have a screen!
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
It says I can't have any more users.
which means if I want to expand my super stable NT setup I cannot add more users. I'll be forced to upgrade and retrain.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
It's 5 years old! What do you expect?
If it was that big of a problem, couldn't you have just ordered more client licences prior to them closing support/sales for it?
I don't think that it's fair to expect a company to support an old product indefinitely.
If God gave us curiosity
The problem is exacerbated because frankly most Mac users don't want to know how their computers work - that's why they're using a Mac - and put absolute faith in their OS and their programs to protect them from themselves.
hate how stuffit mangles your downloads? try openup for everthing except your .sit downloads.
.tgz etc. files (via the information panel--apple+I), but once you do that, your set.
you have to change the application to launch your
A security flaw in a Microsoft product???? Impossible! I'm not even going to read the article.
I....LOVE....THIS....COMPANYYYYYYYYYY!!!
No, your children are not the special ones. Nor are your pets.
What I want to know is why is Apple only bundling IE with MacOSX? There are plenty of good browsers for MacOSX. Hell, they're all better than IE. I've got Opera, Netscape 6.1, Mozilla, and my personal favorite OmniWeb (Must try iCab). Apple used to bundle both Netscape and IE, why the change? OK, I'm not suggesting they bundle Netscape, it *really* sucks for MacOSX. But how about OmniWeb or Opera? Some choice would be good. Yes, I know that the user could download another browser, but how many novices would? They've got plenty more room on the CD. It seems like Apple signed a black deal with microsoft.
MacBinary files - What's a "MacBinary file"? I don't know where the "options" are! These new Mac's are way too difficult to use - It was much easier when I had Windows, you just plug it in and USE it without have to mess with all these details - I'm not a 'guru' you know!
try { do() || do_not(); } catch (JediException err) { yoda(err); }
Before people foam at the mouth saying "the root account is safe, so let's go home because it's not a *real* exploit", they really should consider the ramifications of this thing. Most users do not back their stuff up. I don't and I've got a decade of sysadmin experience under my belt. Yeah, I know I should automate things but that takes away from my tv time.
So imagine if this thing wipes out your thesis. Or your only photos of your wtc victim son. Or if it mails your pr0n, tax records and Barry Manilow MP3s to your boss.
It would really suck.
Nate
If I had mod points, -1, Bad Spelling.
Virg
Any sort of a security audit. Any securit audit whatsoever would have resulted in a screaming meanie fit over this bug.
The only reason why this isn't gonna land Microsoft in court is that anybody who has the money it would take to rake them over the legal coals and test their absurd EULA with it would have 15 financial advisers paid to remind them that there are far better money pits to throw their cash into.
The only way tha Microsoft could save face on this one would be to admit that they inserted this hole willfully and/or maliciously because -- if they let a security bug this massive through by accident, there is no way that we should trust them to write any code in a sane and secure manner.
FLAME OFF
(that feels much better)
Free Software: Like love, it grows best when given away.
clearly, microsoft's attitude is that if windows is going to be insecure, then all other oses ought to be insecure also. and they'll use their near monopoly on web browsers to make sure.
when religion is no longer the opiate of the masses, governments will resort to real opiates.
Is it just me, or does this behavior sound suspiciously familiar to one Microsoft Outlook which has a tendency to automatically execute hidden scripts, allowing viruses to propagate with unprecedented ease?
I guess they didn't want the Mac users to feel left out on the fun.
---If you can't trust a nerd, who can you trust?
this is a test test hest mest
in the best test
Unable to read configuration file '/bigassraid/htdig//conf/14229.conf'
Geocrawler error message.
My goodness this has generated a lot of needless discussion. The fix is not even as difficult as a script or a manual file change. I did not see this in a quick scan of the posts, but I hope that someone else mentioned this already!
Simply open up the "Preferences", goto "Download Options", and UN-check the following:
Problem solved.
If you are REALLY paranoid about the files even being decompressed automatically by StuffIt at that point, just remove the entries for .bin, .hqx, and .sit under "Preferences" then "File Helpers".
This is as easy of a hole to plug as was the QuickTime autostart worms vulnerability.
What IE 5.1 for the Mac should be doing is decoding the Binhexed file and then handing the decoded file back to its (IE's) MIME and Mac creator handler again, as though it were the original downloaded file, and apply the appropriate rules, whether to save, launch, or whatever.
.sit from Stuffit, Stuffit Expander might be launched. If it's an Excel spreadsheet and the preferences are set to open those, then open it it should.
In other words, if the normal behavior when encountering an image/tiff file is to open it in Photoshop, then that is what should happen to a binhexed TIFF. If it's an
The problem here is that it sounds like IE is handing the decoded file to OS X's "file open" handler (the call made when double-clicking an icon in the Finder) instead of to IE's "file download" handler, which checks MIME-handling rules and security zones set in IE and systemwide preferences.
Not unlike an incident I remember back in 1995 during the Windows 95 betas, when the original webless MSN was opened to content developers. It used a Windows Explorer metaphor, with online content organized as folders and icons. Content providers were encouraged to post RTF documents as content, but any file was fair game. Thing was, when users double-cliked on files to open them, they were treated like local files. Some of the earliest Word macro viruses got spread this way. I remember being shown this at a beta developers' convention before the first macro viruses even hit and asking if it could pass opened files through the user's virus scanner before opening them. "No, we hadn't thought of that," said an engineer. Horrified looks and some intensive scribbling on notepads followed, though nothing was done in time for launch beyond a useless request to content providers that they try to scan things for viruses before posting them.
I have two OS X 10.1 systems. I do not use IE (mozilla is superior), so they have default prefs. I went to versiontracker, downloaded a few binhexed files and in each case it decoded the file (which is corect behavior, and not a significant security risk), but did not attempt to execute the file. On the first system I tested my user's home is an NFS export, so I tested with a local user with a local home, and I even created a new user with a local home, and in no case was I able to reproduce this. I went to my PowerBook and tested there, and I also was not able to reproduce. Something fishy is going on here. Either the report is false (which I am inclined to believe - most who are verifying this are just reporting that the file is decoded which is not a major security concern), or there are other conditions that need to be met (which I would be interested to hear).
Hyperbole is the worst thing ever.
What's so huge about that? If I click on a .exe file using IE, it also starts automagically. I don't understand what all the fuss is about.
-- Cheers!
for the extra paranoid, set up a chroot jail for it
Doing it this way, IE will always run as an unprivilidged user. If it does execute any rogue code, it will also be run as the unprivilidged user, and will therefore be constrained to the sandbox you set up for it.
Why is it that the proponents of "one nation under God" are so eager to get rid of "liberty and justice for all"?
I don't really understand the problem... it's only un-binhexing the files... it's not executing them. So I take a file and stuff it or binhex it... and when they download it it automatically decodes it. Fine. Then the application is sitting on the desktop (or wherever it's been downloaded to). It hasn't been executed, only decoded. The user still needs to click on it to execute it.
This isn't a BIG SECURITY HOLE. Hell, I still wouldn't consider it a security hole, nor would I change the setting to non auto decode. To execute it I would still have to doubleclick on the icon.
In MacOS X, even though my user account has "Administrator" privledges on my system, when I want to change certain preferences or install software that requires access to /System, I'm prompted to enter my password again. Mac users don't regard being prompted for a password on their systems lightly, so this will probably set a red-flag for most people. Basically, root-level exploits won't be helped all that much. Besides which, you downloaded the application - and you weren't planning on executing it?
Nice fud.
A user must authenticate to NetInfo before making changes, they can't just waltz in and edit.
Only the first user created is flagged as Administrator by default, any additional users need to be flagged as such if you intend to let them control the machine.
OS X is actually fairly secure, but not obnoxiously so out of the box. If I want, as Admin, I can set up a laptop such that Joe user can edit network configs, etc, but lock down other capabilites as I wish.
I used to work in the MacBU at Microsoft and my officemate was on the Mac IE team.
.hqx binary, the user might not even know that IE was downloading unless they watched the download manager very closely," I said. I believe some other members of the team had already noticed the problem as well.
.hqx decoding functionality, it should try to process the resulting file. This is good as it allows one to download and unstuff a .sit.hqx archive automatically.
One day we were experimenting with the download behavior of IE, and I noticed the problem. We discussed it and later brought it up to the higher ups on the team during lunch (The food in the Silicon Valley Campus Café is much better than Redmond's by the way):
"If a malicious web site designer were to use some method of redirection to get the browser to download a
We all agreed this was a serious security hole and it is being fixed in the next release.
In the meantime, you can turn off the "Automically decode BinHex files" under Download Options in the Explorer Preferences. We tested Mac IE's behavior with MacBinary files and there is no security hole there.
How did this bug slip by the team? Well, I am not on the IE team, so I couldn't say for certain. I believe the problem is that after IE uses its own
Somehow this behavior was fubared, however: Instead of passing the file back through IE's file helper layer, it was apparently opened directly. This has acceptable behavior if the file downloaded was happyapp.sit.hqx, but not-so-acceptable behavior if the file downloaded is evilevilapp.hqx.
Anyway, someone clearly messed up. We're very sorry. Or rather, they are since I probably won't get rehired after this message.
--
Lagos
Gentle Bunny
I'd be really impressed if a company accuratley predicted the number of NT client licences it needed 5 years in advance, and was willing to cough up cash for licences it didn't need then but might 5 years in the future. Especially as there was no reasonable expectation that MS would discontinue support for the old licensing model in favor of the new subscription/money-gouging model.
I never said they were efficient about it or good at it, just that they do it. Much like wannabe Borg, in fact.
I wish I did know a savvy Mac user in my area. I'm not one and I feel bad when my Mac using friends need help.
I'm sorry you find the truth about Apples advertising strategy inflamatory.
Under capitalism man exploits man. Under communism it's the other way around.
Stuffit expander already unzips/decodes files.
Stuffit expander does not *run* the application, **BUT** what exactly is the next thing that someone does once they download said item?
Unless they are downloading trojans or viruses in a compressed format, this is actually cutting out an extra step.
And to be completely honest, if you think users are going to *hate* this, you need to hang around Mac consumers a bit more often.
And finally, I challenge any of you here to come up with a Mac trojan that works on OS X. If you can, and post a URL within the next 5 days, I'll click on it with our OSX IE5 Macintosh at work.
I'd like to see people actually start creating viruses for the Mac. It'd make my job more important.
Have you ever actually *used* IE 5 for Mac? It's a damn good browser-- better than anything Netscape makes and on par with IE 5.5 for Windoze. In a lot of ways it's better than IE 5.5-- it's more standards compliant, and isn't full of proprietary hooks into the OS like it is with Windoze.
Microsoft might not pour as much money into IE for Mac as it does for Windows, but it certainly isn't a bad browswer. IMHO it's the best browser on the Mac platform.
"M$, an equal opportunity platform security breach."
I think what it boils down to here is that trusting your security to a company will always leave you vulnerable because a company's best interest only *sometimes* is with you the user. A companies formost interest is money for themselves and their stockholders; any true capitalist such as myself with tell you this. If security happens to fall in line with that, then great, but don't ever solely rely on it.
Don't implicitly trust a company with your security, ever.
Trust yourself and trust the code that you can read. Trust no one else.
Oh and don't misconstrue my opinions for those of my employer.
The next remark is false. The previous remark is true.
but not only 'not support' but new users 'cannot be added'
at least with free software Per Seat Licensing won't come up and bite me when the next version is out
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
To quote the report: Here's another interesting report from Macintouch about the behaviour of the preferences: My theory is that Micro$oft assumes that
The bug report is NOT that IE is decoding
To quote the report: Here's another interesting report from Macintouch about the behaviour of the preferences: My theory is that Micro$oft assumes that
I think one factor that many of you are overlooking is that IE5 for OSx is not a final release, but merely a preview release.
In other words, this is it's first round out the gate, there are bound to be bugs with it (as with any program when it's first released).
No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
I don't anticipate having any trouble from this, as I use Mozilla as my default browser on OS X. If I wnated to use M$ products, I would own a Windows machine, not an Apple.
Make sure you also uncheck the "send all files to microsoft and then trash the hard drive" option in the preferences. Fortunately, only a dunderhead wouldn't think to look for that and uncheck it before using IE.
You might also want to uncheck the "auto-install child pornagraphy and 'accidentally' send email to the FBI offering them to come on by and pick up some free child porn" option.
--- What?
"I'm sorry you find the truth about Apples advertising strategy inflamatory."
My "flaimbait" comment had nothing to do with Apple's advertising and a lot to do with your smug implication that savy mac users are few and far between. I'm one of those users, and I know a lot of others. I was insulted on a personal level, and a group level, by your baseless claim.
Also, about the advertising: The mac is marketed as a "supercomputer" as well as being easy to use. Apple is trying to appeal to a broad group of people. That doesn't exclude savy people, it just includes the computer-ignorant masses with them. Macs are marketed to everybody.
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
That would be too easy, as they say. Man... the one time I don't read the article, I end up looking like an idiot. Isn't that always the way?
When I set out to write my comment, I meant for it to actually ask the question, as I wasn't sure things were being interpreted correctly by the predominantly PC /. crowd. I suppose I should have read the article.
later,Shadow Knight
not syaing they don't exist, just that I don't know any
Savvy mac users are few and far between. I would wager that there is a higher percentage of savvy mac users than savvy wintel users in terms of base population, but the base user population for the mac is so much smaller that finding a savvy user is extremely difficult, especially for someone who is not a member of the mac community.
Under capitalism man exploits man. Under communism it's the other way around.
Saying that most Mac users are clueless is narrowing your view far too much. The vast majority of users of ANY consumer OS are clueless. Walk up to your average accounting department employee, secretary, attorney, sales rep, and ask them what version of Windows (e.g., 98, ME, 2000...I'm not even talking service pack numbers.) they run. 75% of the time they can't tell you. Or, they'll say something like "Umm...Windows 97?" Most Windows people I know can't even tell you what e-mail application they use. "Ummm...Explorer?"
I'm absolutely astonished how many long-time users of Windows (and Mac) systems have no real understanding of the way their filesystem works, and many have a pretty hazy understanding of the difference between files and folders (directories, for you *nix people), or why anyone would want to organize files into folders. I know of ENGINEERS who keep all their data files in the "MyFiles" folder on their Windows 2000 Professional workstation.
"The Artist, seeking Beauty, discovers Truth; The Scientist, seeking Truth, discovers Beauty."
Just a year ago, Linux folk were still clamoring that they wanted a port of IE. I'd say the latest Konqueror and Mozilla have been worth the wait.
I agree with your assessment of the average computer user, but the difference is that wintel and *nix vendors are not actively and directly courting the clueless user market like Apple has been for the last few years.
The fact still stands, though, that I have never met a clueful mac user (I do know a couple of mac-haters who know macs fairly well, but I felt it would be inflamatory to mention them before).
Under capitalism man exploits man. Under communism it's the other way around.
Fortunately, gamers' standards are much higher than that. You're more likely to find a logic non-crashing bug in a game than a crashing one. Gamers after all have multiple good options to choose from -- if they don't like what the PC world has to offer, they have excellent selections for the Playstation and N64, two platforms whose games almost never crash.
Read the EULA. You can purchase Windows 2000 seats through volume-licensing and "downgrade" the installation to NT 4. This applies to both the server and workstation editions.
Then, once you and your staff are trained on Windows 2000, you can upgrade, as you've already purchased the right (for n seats, anyway).
I don't know if this applies to shrinkwrap licenses, but that's how it is with volume licensing. Also, I think you can still get NT 4 media kits through the "easy fulfillment" program, if you're a volume-license customer.
I'm not carrying the Microsoft torch here or anything, but your statement is patently false. It is, however, what Microsoft wants you to believe, which is why they insinuate it, and only contradict it in the fine print.
Pining for the days when The Glorious MEEPT!!! graced SlapDash with his wisdom.
ah, well there you go then problem solved.
Seattle must be a nightmare place to live.
Is everyone there so devious?
No wonder the radio station has a shrink on every day!
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
Under capitalism man exploits man. Under communism it's the other way around.
Omniweb does not have complete javascript support.
Or CSS support.
- Scott
Scott Stevenson
Tree House Ideas
I do occasionally use IE, when hitting one of those pages designed by MS only shops, but most of my browsing time is in OmniWeb [omnigroup.com] (www.omnigroup.com). Problem solved.
OmniWeb has incomplete and broken CSS support, and JavaScript has issues as well. It simply cannot render modern pages. This creates major headaches for site authors, and encourages poor page design (nested tables, font tags, single pixel spacers, etc.). This sends the web backwards.
Fortunately, OmniGroup is rewriting their rendering engine for 5.0, to be released sometime next year. But in the meantime, more and more sites are using CSS.
There are occassions when sites are aimed specifically at IE to OmniWeb's detriment, but these are far less common than most people think.
As a company, though, OmniGroup is great.
- Scott
Scott Stevenson
Tree House Ideas
ANOTHER security hole in IE for OS X!
What were the others? I don't remember hearing about any other security issues in MacIE for OS X.
- Scot
Scott Stevenson
Tree House Ideas