Mac OS X Struck By Severe Security Hole
An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."
How the heck do people figure this stuff out!! Man, if they'd devote this kind of effort to creating legitimate software, imagine the possibilities! The best programmers in the world in my opinion are code crackers... If I had their talent I'd be loaded!!! lol...
Auf Wiedersehen!
I don't want this to be flamebait. However, here it is: There is no safe software. OSX is inherently safer than Windows, but it's not 100% safe by default (no software is). This is to say that I hope many Mac users will finally become conscious of this: Mac OSX is not de facto immune to any exploit, flaw or whatever. Just because you are using OSX doesn't mean you should not be careful and use the proper software.
As the bible says.
He who humbles himself shall be exalted; he who exalts himself shall be humbled.
This is true in tech as well.
If you feel that your computer is invulnerable to hacks you will get hacked eventually. This is true for Linux, Solaris, even OpenBSD users. The more secure you say it is, the more people will want to find a way to break in. This is especially true for OS X users because they like to gloat about how secure their OS is. But there are a lot of people who still feel bitter about the IBM vs. Apple wars (even though the PC won a while ago) and still hate Apple with a passion, so they will find ways to break in. Never gloat about how secure your system is because it will only end in tears.
But if you figure your system isn't truly safe, take steps to keep it as safe as possible, and don't make a big to-do about how safe it is, then you may have a chance of keeping it safe.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So the vulnerability 'only' allows a cracker to steal or delete the user's personal data. In other words, the most valuable files stored on the computer. Plus accessing things like web browser cache and history could give them passwords or at least information for a phishing attack.
For everybody else who says "thank heavens I use Firefox" in these threads, please read the parent post. This is a problem held over from when the OS used metadata/extensions to figure out what to do with a file automatically, before we had to worry about the bad guys trying to manipulate this data. These techniques date back to single-user systems, and they are vulnerable.
(Usual disclaimer: I use a unix>windows mix at work, mac at home, and use primarily firefox on all three).
People need to learn techniques to lock down their boxes - different OSes are not all equally vulnerable, but they are all vulnerable.
Using plain ol' text since 1968
this exploit can only affect items that the user has rights to
Like ~/Documents/ where you're encouraged to store pretty much everything you make with your machine.
Or ~/Pictures/ where iPhoto keeps everything it loads up.
Or ~/Music/ where iTunes puts all your music.
Or wherever the hell iMovie keeps what you build with it - probably either ~/Movies/ or ~/Documents/
Or wherever the hell GarageBand keeps its work.
Sure, the machine still boots. But if a script does rm -rf ~*.* you're kinda fucked. Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'?
egypt urnash minimal art.
Granted, if I try to change firewall settings or affect anything outside of your account's permissions you will be prompted for a password. But I could still delete or corrupt all your files, change your bookmarks, send email to your friends and family with an exploit and try to IM your buddies with it - I just have to choose a well-crafted malware.
I'd say this is a potentially evil hole. I just had my wife and kids change their default settings (I'd always had mine disabled - never thought to change my family's). I think, though that this one will also be quickly and simply patched. And really, the more "benign" wake-up calls Mac users get the better protected they will be and the more difficult it will be for any malware to gain traction.
"terrorism" and "pedophilia" are the root passwords to the Constitution
A program can still do plenty of damage even without root privileges. Your system per se may be safe, but your files aren't: they can be deleted or sent over the network. Or you could become a spam-bot, just like a Windows user: it doesn't require root privileges to open a port.
It may not be able to make itself last through reboots, but you're not supposed to have to reboot OS X very often.
For the most part, it always requires less skill to break something than to get something working
I agree, to a point.
Haphazard destruction doesn't generally require skill. On the other hand, speaking as someone with Integration & Test experience, the deliberate breaking of something that is engineered to be resistant in that manner does require skill.
Constructive destruction, I guess is what I'm referring to. Sticking RAM in an acid solution could conceivably cause BSODs, but that doesn't mean you've hacked Windows.
From another response I just gave:
:-(
Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.
I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.
Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.
Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.
And as we all know, that can happen on any platform.
In other words, this isn't a flaw that is endemic or inherent to any fundamental functionality; by all rights this whole issue was intended to be "fixed" a year ago, but it appears Apple missed malformed shell scripts marked as executable. Oops. So, that will be fixed, and everything else left is social engineering.
This isn't the first time a "view a webpage and something will download that can run without user interaction" exploit has happened on Mac OS X. But I'm sure the press will make a HUGE deal of this one, even though the previous two "viruses" discovered this week are *pure* social engineering, utterly useless, and the vulnerability that one used had even been patched since June 2005 and only affected Mac OS X 10.4.0.
I fully expect this to be the beginning of attacks on Mac OS X as "just as insecure as Windows" in earnest in the mainstream press, and also for people to completely misunderstand and believe it's related to the x86 transition. Yay.
- Safari's fault for attempting to execute an unsafe file (e.g. not querying the OS properly to really discover if the file is "safe" or not).
- OS X's fault for executing files themselves instead of opening them in the appropriate application.
IMNSHO, the expected behavior of Secunia's demo should be QuickTime complaining that it doesn't understand the format of the
I pity the foo that isn't metasyntactic
I PURPOSELY set Safari Version 2.0.3 (417.8) under Mac OS X 10.4.5 to "open safe files" and I have admin privileges.
It downloaded the file.
To get it to unzip I had to double-click on it.
To get it to execute I had to double-click on it.
According to This article
Safari also unpacks ZIP archives, and displays the documents inside if they are "safe". In the event active content is found in the archive, user confirmation is requested.
Typically shell scripts begin with a "shebang line" such as "#!/bin/bash" to indicate which interpreter will handle the script's execution. In case a shell script is stored into a ZIP archive without the shebang line, Safari stops recognizing the content as potentially dangerous and executes shell commands sans a confirmation prompt.
If users assign the Finder to open scripts using the Terminal, Mac OS X loads scripts without shebang lines into the Terminal where they are executed by a shell.
If a script is given an extension such as "mov" or "jpg" and stored in a ZIP archive, Mac OS X adds a binary metadata file to the archive which instructs the operating system on another Mac to open the script with the Terminal application, irrespective of the script file's extension or symbol displayed in the Finder. The Terminal redirects scripts without interpreter lines directly to bash, the standard shell in OS X.
So you have to jump through hoops. Another BS story to set the Mac community into a panic.
I did find it interesting that a file with a .mov extension could execute a shell script. THAT should be a concern. NOT Safari, IMO.
-- Boycott Shell
I have not tried it in Safari with "open safe downloads" off, however I just tried it again in Firefox and if you have it set to automatically open zip files and then you open the movie file, the calculator does appear. (My system is up to date according to Software Update too.)
I think the real problem is that it's possible to disguise an attack as a quicktime movie file. The file "secunia.mov" appears to be a text file containing the following line:
/Applications/Calculator.app/Contents/MacOS/Calculator; exit
I guess my question would be why does it run when it's not actually a valid movie?
Putting moderation advice in your
The problem happens when you choose to download a file from a web site. Just VISITING the site won't do that. Several others here have observed that setting Safari to not open "Safe" files in the main preferences window will solve this in the short term.
The real problem isn't Safari or Mail.app, it's LaunchServices which needs to smarten up Real Soon Now.
But then again.. you ARE running as a user.. right? Ok.. that's what I thought, so even if you DID launch this app instead of saving it and checking it out first, and it WAS malicious.. it would still only be able to affect stuff in your isolated home directory (Which you DO backup.. right?). The system itself would remain stable.
There was a big 'to do' about this very issue when Apple first came out with Widgets. It was discovered that the "open safe files..." checkbox was on by default, and any problems/exploits could be stopped by unchecking that box.
So this is OLD news.
What's more upsetting is that Apple hasn't made the unchecked state of that box the default...
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
A zip file that extracts a shell script with a movie icon pasted on it? This is a "critical exploit"?
Secunia must be hurting for sales.
For the most part, it always requires less skill to break something than to get something working.
Your car analogy would be good if we were talking about computer code -- it takes a lot more skill to write some good code than to mess it up (in textual form). But that's not what we're talking about here.
We're talking about circumvention of security, often known as "breaking" it; but that break (to circumvent protection) is a very conceptually different break than your car example (to render nonfunctional).
Finding exploits like this takes time, intelligence, and often understanding of the software in question. Especially in a well-crafted system, you have to know how the system works in order to circumvent it.
You're a little bit wrong. :-) The vast majority of Mac users work full-time in Administrator accounts. These are "below" the root account, so it's not as bad as in Windows XP, but it can still be an issue. Generally, items in /System cannot be modified without explicitly authenticating for root privileges. Items in /Library can be changed immediately by admins, and that's enough to cause all kinds of havoc. Not to mention that even a standard user can install items in their own ~/Library, which might be enough to do things like keystroke logging for that user's sessions.
I think the point that some people make is that if someone ran rm -rf you can just reboot, restore from backup, create a new user account and be none the worse. Well, except for the fact that your financial statements, medical information and other personal items just got uploaded to the Internet. Ooops.
The history of that school of thought is that under real multi-user systems if one non-root account gets hosed everyone else can continue on with no ill effects.
Anyway, I'm beyond shocked that this setting is defaulted to on in OS X. That sounds like a major screw-up to me.
If you wanna get rich, you know that payback is a bitch
/.'s comments that you can activate this problem by simply visiting a web site is absolute bunk
It's possible for a website to initiate a download.
and have the automatic "safe file open" option turned on
Which is on by default, therefore it can be used to propagate worms.
Files that don't match their extension should be handled.
WRONG! There's three things that MUST be fixed.
Open safe files after downloading SHOULD NOT BE ON BY DEFAULT EVEN IF IT IS AN OPTION.
Zip files and other containers SHOULD NOT BE TREATED AS SAFE FILES EVEN IF IT IS ON.
Unpackers MUST NOT AUTOMATICALLY OPEN ANY FILES IN THE CONTENTS OF A PACKAGE.
Both Apple's unzipper (attacked in this case) and stuffit expander violate this last in different ways.
Since we've gone through the whole "download safe files" business...
I think the lesson to be learned is that there is no such thing as a "safe" file type. Zip files can be auto-executed, image files can be run through scripting interpreters, malformed images can create buffer overflows in parsers...
We've seen security updates on Windows, Mac and Linux for GIF, PNG, JPEG and TIFF libraries.
Shell scripts are nothing but executable text files.
The solution, I suspect, is to simply not auto-open *anything* that isn't handled by the downloading app itself. Process whatever transfer encoding, but if the file is a disk image, wait for the user to open it. If it's a StuffIt or Zip archive, wait for the user to open it. If it's a video clip, and it's not playing in the browser, wait for the user to open it.
Sure, it removes a little convenience, but in the long run Apple might be better off disabling and then removing this option entirely.
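Added example, not code from the thread, from Apple or from Secunia: a fail-closed check of the kind the posts above argue for, applied to a constructed archive that mirrors the Secunia demo as the quoted article describes it. The archive holds a shebang-less shell script named secunia.mov with the execute bit set, the __MACOSX/._ AppleDouble sidecar that Mac OS X's Archive Utility adds, and a harmless JPEG. The checker will not call an archive "safe" if any entry's header disagrees with its extension, if a payload is plain text (bash runs such a file with or without a shebang), if the execute bit is set, or if a sidecar carries per-file metadata that could bind a handler behind the icon. The sample bytes, the signature table and the function names are my own; the script body is the one line a commenter quoted from secunia.mov.

```python
import io
import os
import zipfile
from typing import Optional

# Content signatures for the "safe" media types a downloader is tempted to auto-open.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF",),
}
# A QuickTime file starts with a 4-byte atom size followed by one of these atom types.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}


def header_matches(ext: str, data: bytes) -> Optional[bool]:
    """True/False if the header agrees with the extension; None if we know no signature."""
    if ext in (".mov", ".qt"):
        return len(data) >= 8 and data[4:8] in QT_ATOMS
    sigs = MAGIC.get(ext)
    if sigs is None:
        return None
    return any(data.startswith(s) for s in sigs)


def is_plain_text(data: bytes) -> bool:
    """Anything that decodes as text with no NUL bytes is something bash will happily run."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def assess_entry(info: zipfile.ZipInfo, data: bytes, names: set) -> list:
    findings = []
    ext = os.path.splitext(info.filename)[1].lower()
    match = header_matches(ext, data)
    if match is None:
        findings.append(f"no content signature known for {ext or 'missing extension'}; cannot vouch for it")
    elif not match:
        findings.append(f"header does not match what {ext} claims")
    if is_plain_text(data):
        findings.append("payload is plain text: handed to Terminal, bash runs it with or without a shebang")
    mode = (info.external_attr >> 16) & 0o7777  # unix mode lives in the high 16 bits
    if mode & 0o111:
        findings.append(f"unix execute bit set (mode {mode:04o})")
    head, _, tail = info.filename.rpartition("/")
    sidecar = f"__MACOSX/{head}/._{tail}" if head else f"__MACOSX/._{tail}"
    if sidecar in names:
        findings.append("AppleDouble sidecar present: Finder metadata may bind a handler regardless of extension")
    return findings


def assess_archive(zip_bytes: bytes) -> dict:
    """Map each real entry to the reasons it must not be opened without asking."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("__MACOSX/"):
                continue
            report[info.filename] = assess_entry(info, zf.read(info), names)
    return report


def is_safe_to_auto_open(zip_bytes: bytes) -> bool:
    """Fail closed: a single finding on any entry vetoes automatic opening."""
    return all(not f for f in assess_archive(zip_bytes).values())


def build_sample_archive() -> bytes:
    """Constructed sample modelled on the Secunia demo; not the real secunia.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        script = zipfile.ZipInfo("secunia.mov")
        script.external_attr = 0o100755 << 16  # regular file, mode 0755
        zf.writestr(script, "/Applications/Calculator.app/Contents/MacOS/Calculator; exit\n")
        # AppleDouble magic 0x00051607, version 2; the rest is padding, not a real header.
        zf.writestr("__MACOSX/._secunia.mov", b"\x00\x05\x16\x07\x00\x02\x00\x00" + b"\x00" * 18)
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, notes in assess_archive(build_sample_archive()).items():
        print(name, "->", notes or "nothing suspicious")
```

Run stand-alone it prints four findings for secunia.mov and none for holiday.jpg. The design choice is the one the thread keeps circling: the verdict comes from the bytes and the mode bits, never from the extension or the icon, and an archive with any unexplained entry is treated as unsafe rather than as a special case to be whitelisted.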
Filename extensions.
This is *exactly* the point I was waiting for. This has been brought up before -- just look at this Daring Fireball article. This dates back to 2004 -- it is a safe option to have default URL handlers turned off in a few cases. Having default action disabled downloads the file -- but double-clicking it in Finder, or even Ctrl-clicking and using "Open" submenu action does not cause any harm...
--AP
I for one am happy that each security flaw that appears on the OSX platform gets this much attention. I hope it stays that way. Windows users may think they have a reason to gloat, but security flaws and new viruses there are so commonplace that no one even seems to care -- it's just another iteration of a larger problem. As long as we get this kind of uproar over easily-fixed flaws, OSX will always be a more secure platform.
// This is not a sig.
Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'
Why is it that most people who trot out that line always assume that because a windows exploit can take down their OS, it isn't going to trash their home directory as well?
Also, it's a hell of a lot easier to restore a single user's files if the rest of the OS is still intact.
If your OS gets pwn3d, you can't trust it. At all. You know the r00tkit tech that Sony has recently been grilled about? It's called a r00tkit because if you have one it allows an attacker to keep r00t on your box without you knowing about it. So, if your OS dies, you need to wipe the lot and reinstall from scratch to be sure it's gone.
If you've been lucky enough to have installed your OS on a separate partition from your personal files, and none of your personal files have been touched (despite your OS getting hosed), then a reformat and reinstall of all your apps might only take you, oh, 2-3 hours?
If your OS is on the same partition as your personal stuff, you have to be careful about what you blow away, and things take longer.
If your personal files get trashed as well as your OS, well, you've got the 2-3 hours to restore the OS and all those apps, as before. Then you have all your personal files to restore. Then you have everyone else's personal files to restore. And they didn't even do anything bad! How pissed are they going to be if you've lost some of their work?
An exploit that just affects one user's personal files is a hell of a lot easier to recover than an exploit that affects everyone's personal files, and the OS you're accessing those files with.
That's why slashdotters say that.
Why doesn't the gene pool have a life guard?
1) Your original post made it sound like a changed icon/social engineering trick. Adding a single word 'also' does not mitigate that.
The vulnerability *I* was describing, i.e., the one that worked in Mail.app with this malformed-shell-script-masquerading-as-something-else, is a changed icon/social engineering trick. Albeit one that, in the example of Mail.app, a lot of people could possibly fall for, since Mail identifies it as a "JPEG Image", it has the correct icon, etc.; but by the time the user clicks it, it's too late. Which was exactly why I was bringing it up.
2) You repeat that this is what you do for a living (post on slashdot?). Congratulations. Being a computer professional does not make you special on slashdot.
1. I didn't say it made me special,
2. I didn't say it made me special "on slashdot".
3) Your closing argument (paraphrased): when the vulnerability is fixed, it will come down to social engineering. Ummmmmm OK - that's true I guess (shrugs). My point was Ubuntu (and all other linux distros I'm aware of) do not do the script auto-execution (of malformed, or otherwise) of which you speak. Prior to hearing of this, I thought neither did OS X
"Ummmmmm", but that's exactly what I said. I said once the (Safari auto-download-and-execute) vulnerability is fixed, it will come down to social engineering.
Also (now speaking of the Safari vulnerability), this isn't some kind of deep-rooted flaw in Mac OS X. This is specific to precisely two things:
Safari passing things it interprets to be "safe" compressed files for handling after download, and LaunchServices subsequent execution. They ARE set as executable. This isn't some non-executable script getting executed erroneously. It IS executable. It just doesn't get seen by Safari as executable because it's missing the shebang. This is clearly a mistake.
Now, I will agree that this functionality should probably be eliminated (the whole "safe files" business). But, Apple will probably try to hold onto the safe files functionality for various reasons, and therefore, all it needs to do is properly recognize this as executable. They were obviously making some assumptions before that can't be made with regard to when/how something may be executable. But make no mistake: this IS an executable file. Also, it's not that the "OS" has "auto script execution". It's a Safari problem. This was an unintentional oversight that should have been fixed when the rest of the safe files stuff was "fixed" a year ago. Yes, Safari is seen by many as part of the OS, but Safari is just an application. A Linux application trusted by the user and the system could just as easily have a similar type shortcoming (NO, not identical - I said "similar"). This is NOT the intended behavior of Safari. Which is why it will be fixed.
Whether or not Apple should do away with the idea of thinking there "are safe files" altogether (which I agree with) is a matter of a different discussion.
Change the name of the Terminal application. Call it "hdfjhTerminal" or some other random name.
-- Boycott Shell
There is no totally safe software, but there are practices that are inherently safe, and practices that are inherently unsafe.
Passing an unsafe file (ALL files received from an unsafe source are unsafe) to an API designed to allow dangerous things (LaunchServices is how many applications run their own components, it has to be able to do dangerous things) is an inherently unsafe practice. It should never be followed.
Maintaining a separate registry of applications that are designed to accept unsafe files (safe applications) and using that for unsafe files is an inherently safe practice.
This was the norm for all applications that dealt with untrusted data. The rare cases where it wasn't (the Internet Worm, the WANK virus, ...) were treated as bugs, and the unsafe practice was stopped. Until Microsoft integrated IE's HTML control with Windows Explorer (under the name Active Desktop) in 1997, and refused (even, ironically, under threat of being forcibly split up for unrelated reasons) to abandon the practice of using a common mechanism for handling local and internet content.
Now, what Apple's done (and continues to do) is a smaller exposure than Windows's habit of waving its technicolor bum at virus writers, but it's still inherently unsafe and they need to turn around and fix it right.
Of all the times for Apple to follow Microsoft's lead, why did they have to pick this one? Dear God, if you exist, please explain this...
To get it to unzip I had to double-click on it.
Then you have a nonstandard configuration (have you installed a different unzipper or otherwise changed the handling of zip files?), or you didn't actually have "Open Safe Files" turned on.
if people are able to get control of your machine they can turn it into a spambot, a DOS machine or other such device without your knowledge.
But they don't need root to get control of your machine and turn it into a spambot...
All they need is a place to hide an executable that you'll run every time you log in.
Like, oh, dozens of places beneath ~/Library/
It is a bug; there is not supposed to be any auto-run (as opposed to auto-open of non-executable media files). Now, in its attempt to auto-open, say, this faux JPG file, Launch Services opens the actual script in the Terminal. This run-in-Terminal function is necessary; I've used it myself numerous times for starting MySQL and the like from a prewritten script.
If there is an implementational problem it is that Safari can't/won't tap into the same type determination algorithm that launch services uses, to determine the safeness of a file type.
While it would be naive not to freak out about this, it is equally naive to expect Joe User to carefully examine every file he downloads to see if it is really safe. Inherently safe files (non-executables) should always be passed swiftly along, and the warnings and blocks be saved for files that really pose a threat. Of course they have to be categorized correctly, and that's what failed here. Downloading a zipped JPG to view it is not a power user task, and must be considered safe. Joe won't know that JPGs are compressed and zipping them is redundant...highly suspect to the trained eye!
There's no 'on' position on the Slacker switch!
and the parent has confirmed my prediction - Apple-bashing (or shall we call it smashing?) articles will be modded down by Apple zealots?
How did you reach that conclusion*?
Is everyone who mods down serial trolls these days an Apple zealot?
*see GP