Slashdot Mirror


Mac OS X Struck By Severe Security Hole

An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."

11 of 559 comments

  1. Also works in Mail.app by daveschroeder · · Score: 5, Informative
    You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).

    You can test this by downloading this harmless example:

    http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip

    ...and sending the resulting JPG to yourself in Mail.app.

    This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.

    I'd expect a security update that addresses this *very* soon. This is a bad one.

    1. Re:Also works in Mail.app by joetheappleguy · · Score: 5, Informative

      Thanks for the test file. I downloaded it with Safari, but since I have "Open Safe Files" turned off, it did nothing after the download.

      I then unzipped the file and had a look at it in the Column view of the Finder. At this stage a normal JPEG would have been previewed, but the Finder listed the file as "Terminal Application". I think that most Mac users tend to use List or Icon view, though, which would force them to open the file, activating it.

      I then emailed myself the file with Mail.app 1.3.11 (in 10.3.9), and after receiving the email I was warned that "Heise.jpg is an Application and could contain viruses, etc." when I attempted to save the attachment. It also did not preview in the mail message (obviously).

      Seems that this type of vulnerability is most likely to affect mid-level users who are somewhat reckless with their clicking and think they know better than new users, who read and "cancel" every message box for fear of breaking their computers, or advanced users, who realize at a glance that the .jpg does not "feel" right.

  2. Workaround: Camino by Ryan+Amos · · Score: 5, Informative

    I don't use Safari because it doesn't render pages as well as a mozilla based browser, and now I have a reason to gloat :)

    Get Camino here. Camino is an OS X native browser using the gecko rendering engine. Looks better than Safari, is faster than Safari, and apparently is more secure than Safari. Plus the security is more easily tunable.

    Most Mac users have heard of it by now, but I'm just giving them another plug because it kicks ass.

    1. Re:Workaround: Camino by IronyChef · · Score: 5, Informative
      Camino is an OS X native browser using the gecko rendering engine. ... faster than Safari

      I don't know what the evidence for this claim is, but my (warm app, cold cache) tests on a few sites showed Camino to range from similar to slower than Safari.

      and apparently is more secure than Safari.

      Read the Secunia article - this isn't a Safari security hole, it's an underlying platform issue and can be exploited in other ways.
      Besides, the Mozilla family browsers have had their share of security holes.

  3. Just disable auto-opening files... by Justin205 · · Score: 4, Informative

    The 'workaround' is to just disable auto-opening 'safe' files. I've done this on every Mac I've used, since I started using them, as I always saw it as a potential security risk (and a potential annoyance - I don't want my files opened immediately sometimes). In my mind, automatically doing almost anything like opening downloaded files without asking is bad.

    So just live without automatic file opening for the time being, and you're safe.

    --
    "Your effort to remain what you are is what limits you."
  4. Protect yourself in one click by toupsie · · Score: 4, Informative

    Mac OS X users can protect themselves simply by removing the check mark from the "Open safe files after downloading" option in Safari's preferences under the General tab. I have tested this and it works. This is quite a nasty little exploit so I suggest making the change ASAP.

    --
    Strange women lying in ponds distributing swords is no basis for a system of government.
  5. Seems to work with any browser by name_already_taken · · Score: 4, Informative
    I just tried the test with Firefox, and it doesn't appear to matter which browser you use. If you open the file after it downloads, the calculator app appears.

    The only difference is that the default behavior in Safari is to automatically open downloaded files of certain trusted types.

    Who wouldn't try clicking on a movie icon? I would think that most people would.

    --
    Putting moderation advice in your .sig lowers your karma!
  6. System should be safe by Fahrvergnuugen · · Score: 4, Informative

    Someone correct me if I'm wrong, but this exploit can only affect items that the user has rights to. If a script were written to make changes to the system, OSX should prompt you for your password, right?

    --
    Kiteboarding Gear Mention slashdot and get 10% off!
  7. Yep, this is a genuinely bad bug by frankie · · Score: 4, Informative

    Quick point of order: the bug doesn't execute automatically if you turned off the "Open Safe Downloads" preference. However, it's still really Really REALLY bad.

    Explanation: Apple recognizes a particular folder within a zip archive as resource forks. This way you can correctly upload/download old-style apps and/or OSX metadata. The latter feature is where the problem occurs.

    If you take a shell script, rename it to a "safe" file extension (such as mov, jpg, etc), then change its metadata (aka the "Open With..." setting) to Terminal.app instead of the expected default application, you now have a shell script that looks like an ordinary media file.

    If you then use OSX built-in BOMarchive command, you have a zipped shell script that looks like a "safe" download.

    End result: arbitrary shell script execution (under OSX default settings) upon visiting a malicious URL.

    Conclusion: remote metadata should not be trusted. This bug would not occur if downloaded files could only belong to their default app.

  8. Re:how bad is it really? by nkarman · · Score: 5, Informative

    No, it does NOT ask for an admin password; however, you need to be logged in as a privileged user (administrator) for it to work. A standard user clicking the test link does not execute Calculator; an admin user does. All the more reason to not do your everyday work in an administrative account. My test was Safari 2.0.3/OSX 10.4.5. Now if the code tried to do something more system-wide through the terminal window it opened, it would probably require a su or sudo authentication. Opening a program or executing some simple code is enough to cause some problems though.

  9. Re:This IS a bad one by Kadin2048 · · Score: 4, Informative

    FWIK, the JPG extension wasn't really necessary. I think that if you had a properly-formatted shell script, that starts with a shebang line, even if you give it a bad filename extension, Safari will still recognize it as "unsafe" and won't execute it.

    The problem occurs when you have a shell script without the shebang line, and it's given Type/Creator codes so that it will open in Terminal.app (which will happily execute shell script without a shebang line, in the user's default shell). The name is unimportant; the only purpose it would serve is to make the user more likely to click on it on the web page. Which, as other people have pointed out, isn't really necessary since the file could be set to download automatically by the page. Clicking a link ON the page isn't necessarily required.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
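Comments 7 and 9 both make the defender's point: the file name and the archive's metadata folder cannot be trusted, only the bytes can. As an added example (not the heise.de demo, not Apple's code), a Python audit of a zip archive that flags members whose extension claims a media type but whose content does not match, and records whether an AppleDouble `__MACOSX/._name` sidecar (where Finder metadata such as "Open With" travels in a zip) accompanies them; the sample archive is constructed inline.

```python
import io
import zipfile

# Leading bytes for the "safe" media types named in the thread (JPEG, PNG, GIF, MOV/MP4).
MAGIC = {".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"],
         ".png": [b"\x89PNG\r\n\x1a\n"], ".gif": [b"GIF87a", b"GIF89a"]}
MOV_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free"}  # QuickTime/MP4 top-level atoms
MEDIA_EXTS = set(MAGIC) | {".mov", ".mp4"}


def ext_of(name: str) -> str:
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def looks_like_media(name: str, head: bytes) -> bool:
    """True if the leading bytes match the media type the extension claims."""
    ext = ext_of(name)
    if ext in (".mov", ".mp4"):
        return len(head) >= 8 and head[4:8] in MOV_ATOMS
    return any(head.startswith(m) for m in MAGIC.get(ext, []))


def audit_zip(data: bytes) -> list[dict]:
    """Flag members whose extension claims media but whose bytes do not, and note whether an
    AppleDouble sidecar (__MACOSX/._name) rides along. The name is deliberately not trusted."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("__MACOSX/") or ext_of(name) not in MEDIA_EXTS:
                continue
            with zf.open(info) as member:
                head = member.read(16)
            if looks_like_media(name, head):
                continue
            folder, _, base = name.rpartition("/")
            sidecar = f"__MACOSX/{folder + '/' if folder else ''}._{base}"
            reason = "shebang script" if head.startswith(b"#!") else "content does not match extension"
            findings.append({"member": name, "reason": reason, "has_metadata_sidecar": sidecar in names})
    return findings


def build_sample() -> bytes:
    """Constructed archive: plain text named like a JPEG plus an AppleDouble sidecar
    (magic 0x00051607), next to a genuine JPEG header that must pass the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", "echo 'plain text, no shebang'\n")
        zf.writestr("__MACOSX/._photo.jpg", b"\x00\x05\x16\x07" + b"\x00" * 28)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
    return buf.getvalue()
```

Running `audit_zip(build_sample())` returns a single finding for `photo.jpg` with the sidecar present, while `real.jpg` passes because its bytes agree with its name.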