Mac OS Auto-Execution Vulnerability
iGawyn writes "As reported in this BugTraq post, Mac OS and Mac OS X (via Classic) are both subject to an auto-execution vulnerability. In short, the poster says that various web browsers can automatically download a disk image containing malicious code and run it without ever telling the user. vm_converter made a test page to demonstrate the vulnerability." Yes, this is a nice variation on a theme. The lesson is: don't ever have "CD-ROM AutoPlay" turned on in your QuickTime preferences.
I am the author of that exploit. (taiyo@vinet.or.jp)
......
# vm_converter is the documentation's author, but not the exploit's.
>Mozilla (0.9.8) seems to catch it no problem.
"All" Mozilla is NOT safe from these vulnerabilities.
When the user turns off the "Always ask before opening this type of file" checkbox, Mozilla catches this problem too.
>too bad the author didn't include a
I want Mac users to turn off these vulnerabilities by themselves (it's easy to do ;-), because when another way to make these vulnerabilities appear comes along (e.g. very user-friendly archive tools that can mount a disk image from archive files), knowledge and experience of these vulnerabilities will give users the correct methods.
Thanks for your recommendation.
Your points are good and valid. I'm an ex-Windows user (bought a PowerBook G4 in early Jan 02), and I've always set things to ask me what to do with them; I guess it's true that a lot (or most) Mac users would turn off that check box, which would make this a serious security hazard.
There are a lot of Mac sites out there, like lowendmac.com, and others... they all seem to advocate shareware that "GUI-zies" various CLI things, and pretty much don't change any of their settings unless forced to. Defaulting to apple.netscape.com is a good example of this, and of how Apple/Netscape make a load of money through banner ads. If I had some more experience with AppleScript, I'd write my own, but it couldn't hurt to write something like that for the CLI/preferences-challenged Mac user.
Thanks again for bringing this security exploit to our (my) attention, something I would have (otherwise) learned about the hard way (well, possibly).
moox. for a new generation.