Mac OS X Struck By Severe Security Hole
An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."
.. finally learned how to "Think Different".
You can test this by downloading this harmless example:
http://www.heise.de/security/dienste/browsercheck
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
I don't use Safari because it doesn't render pages as well as a mozilla based browser, and now I have a reason to gloat :)
Get Camino here. Camino is an OS X native browser using the gecko rendering engine. Looks better than Safari, is faster than Safari, and apparently is more secure than Safari. Plus the security is more easily tunable.
Most Mac users have heard of it by now, but I'm just giving them another plug because it kicks ass.
*RING*
Jobs: Hello?
Gates: BWAHAHAHAHA! PWNED!!!!
Jobs: Goddamnit, Bill, I told you to stop calling!
____
~ |rip/\/\aster /\/\onkey
The 'workaround' is to just disable auto-opening 'safe' files. I've done this on every Mac I've used, since I started using them, as I always saw it as a potential security risk (and a potential annoyance - I don't want my files opened immediately sometimes). In my mind, automatically doing almost anything like opening downloaded files without asking is bad.
So just live without automatic file opening for the time being, and you're safe.
"Your effort to remain what you are is what limits you."
It's inevitable though that there will be a major OSX infection, so it's time for Mac users to get more conscious of this stuff.
"Pshaw! OS X will seamlessly update my applications wirelessly while I brew and sip my moca-latte, all with real time AJAX and SOAP requests over https with COCA SVG Widget bindings.
Mac users do not suffer from the contagions of the common masses."
May the Maths Be with you!
Mac OS X users can protect themselves simply by removing the check mark from the "Open safe files after downloading" option in Safari's preferences under the General tab. I have tested this and it works. This is quite a nasty little exploit so I suggest making the change ASAP.
Strange women lying in ponds distributing swords is no basis for a system of government.
The only difference is that the default behavior in Safari is to automatically open downloaded files of certain trusted types.
Who wouldn't try clicking on a movie icon? I would think that most people would.
Putting moderation advice in your
Went to the proof of concept, followed directions and it did not execute.
I'm running 10.4.5 with Safari 2.0.3. Looks like not everyone is vulnerable.
How the heck do people figure this stuff out!! Man, if they'd devote this kind of effort to creating legitimate software, imagine the possibilities! The best programmers in the world in my opinion are code crackers... If I had their talent I'd be loaded!!! lol...
Goodbye!
MS Windows users have had this for 5 years. Congrats to Apple for finally catching up to us.
So the guys in Apple who had the __MACOSX part to zip files didn't communicate that to the Safari folks. Communication gaps happen, but this is gross oversight in a company which claims to sell their software for a premium because it is cool (and well-tested UNIX background).
Shell vulnerabilities seem to be the entry point usually, seeing the firefox shell:// that was recently discovered... Integration comes with its own sweet price.
Whatever is said in Latin seems profound.
Better integration with the keychain and mail, as well as a native appearance. Me, I use Firefox.
There's also Camino if you want something that looks native. It's gecko based, but doesn't have the extendibility.
I don't want to start a flamebait. However, here it is: There is no safe software. OSX is inherently safer than Windows, but it's not 100% safe, by default (no software is). This is to say that I hope many Mac users will finally get conscious about this: Mac OSX is not de facto immune to any exploit, flaw or whatever. Just because you are using OSX does not mean you should not be careful, and use the proper software.
As the bible says.
He who humbles themselves shall be exalted; he who exalts themselves shall be humbled.
This is true in tech as well.
If you feel that your computer is invulnerable to hacks you will get hacked eventually. This is true for Linux, Solaris, even OpenBSD users. The more secure you say it is, the more people will want to find a way to break in. This is especially true for OS X users because they like to gloat on how secure their OS is. But there are a lot of people who still feel bitter with the IBM vs. Apple wars (even though the PC won a while ago) and still hate Apple with a passion, so they will find ways to break in. Never gloat on how secure your system is because it will only end in tears.
But if you figure your system isn't truly safe and take steps to keep it as safe as possible and not make a big to-do of how safe it is, then you may have a chance of keeping it safe.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So the vulnerability 'only' allows a cracker to steal or delete the user's personal data. In other words, the most valuable files stored on the computer. Plus accessing things like web browser cache and history could give them passwords or at least information for a phishing attack.
Someone correct me if I'm wrong, but this exploit can only affect items that the user has rights to. If a script were written to make changes to the system, OSX should prompt you for your password, right?
Kiteboarding Gear Mention slashdot and get 10% off!
But I missed the part in the article where this can all be blamed on Microsoft, can someone please help me out?
I'd expect a security update that addresses this *very* soon. This is a bad one.
Security fix has been out for some time.
Available here
My pics.
I am envious, the exploit doesn't work on my windows box. If I try to run the proof of concept file, it says it's not a movie file. Damn it!
The CB App. What's your 20?
Quick point of order: the bug doesn't execute automatically if you turned off the "Open Safe Downloads" preference. However, it's still really Really REALLY bad.
Explanation: Apple recognizes a particular folder within a zip archive as resource forks. This way you can correctly upload/download old-style apps and/or OSX metadata. The latter feature is where the problem occurs.
If you take a shell script, rename it to a "safe" file extension (such as mov, jpg, etc), then change its metadata (aka the "Open With..." setting) to Terminal.app instead of the expected default application, you now have a shell script that looks like an ordinary media file.
If you then use OSX built-in BOMarchive command, you have a zipped shell script that looks like a "safe" download.
End result: arbitrary shell script execution (under OSX default settings) upon visiting a malicious URL.
Conclusion: remote metadata should not be trusted. This bug would not occur if downloaded files could only belong to their default app.
I remember quite distinctly the horror I felt when I first got my mac and discovered that it automatically opened safe files... At least around 10.4.2 or so, this was default behavior. And this option has carried on with me to 10.4.5, but is disabled today.
http://aspell.sourceforge.net/
Why isn't Secunia being flamed here for releasing details of an exploit before Apple has had a chance to patch it? Are there not enough details for someone to create their own version? I may be wrong, but I did not notice one mention of any fact that indicates that Apple was notified of the problem and/or given an opportunity to fix the problem. I am used to seeing such information releases being labeled as "irresponsible" but I have not seen any discussion of this aspect of the story yet.
Laws affecting technology will always be bad until enough techies become lawyers.
It's just another choice you're free to make. I like Safari a lot more than Firefox, because it works the way you would expect a Mac app to work. I haven't tried Camino yet, though.
For everybody else who says "thank heavens I use Firefox" in these threads, please read parent post. This is a problem held over from when OS used metadata/extensions to figure out what to do with a file, automatically, before we had to worry about the bad guys trying to manipulate this data. These techniques date back to single-user systems, and they are vulnerable.
(Usual disclaimer: I use a unix>windows mix at work, mac at home, and use primarily firefox on all three).
People need to learn techniques to lock down their boxes - different OS are not all equally vulnerable, but are all vulnerable.
Using plain ol' text since 1968
No, it does NOT ask for an admin password, however you need to be logged in as a privileged user (administrator) for it to work. A standard user clicking the test link does not execute Calculator, an admin user does. All the more reason to not do your everyday work in an administrative account. My test was Safari 2.0.3/OSX 10.4.5. Now if the code tried to do something more system-wide through the Terminal window it opened, it would probably require a su or sudo authentication. Opening a program or executing some simple code is enough to cause some problems though.
"Norton AntiVirus for Machintosh sales are finally going to take off! Yessss!"
One line blog. I hear that they're called Twitters now.
The Opensource virus scanner ClamXav (based on ClamAV) already scans for this. I simply set it to watch my desktop and mail downloads folders. I even tested it by downloading the sample file and sure enough, it warns me both in Safari and in Mail.app
For the most part, it always requires less skill to break something than to get something working
I agree, to a point.
Haphazard destruction doesn't generally require skill. On the other hand, speaking as someone with Integration & Test experience, the deliberate breaking of something that is engineered to be resistant in that manner does require skill.
Constructive destruction, I guess is what I'm referring to. Sticking RAM in an acid solution could conceivably cause BSODs, but that doesn't mean you've hacked Windows.
My credit card has been repeatedly compromised while using Safari.
Most recently, a $300 charge appeared on my statement after visiting this page.
__ Someday, but not this morning, I'll finally learn to use the preview button.
I PURPOSELY set Safari Version 2.0.3 (417.8) under Mac OS X 10.4.5 to "open safe files" and I have admin privileges.
It downloaded the file.
To get it to unzip I had to double-click on it.
To get it to execute I had to double-click on it.
According to This article
Safari also unpacks ZIP archives, and displays the documents inside if they are "safe". In the event active content is found in the archive, user confirmation is requested.
Typically shell scripts begin with a "shebang line" such as "#!/bin/bash" to indicate which interpreter will handle the script's execution. In case a shell script is stored into a ZIP archive without the shebang line, Safari stops recognizing the content as potentially dangerous and executes shell commands sans a confirmation prompt.
If users assign the Finder to open scripts using the Terminal, Mac OS X loads scripts without shebang lines into the Terminal where they are executed by a shell.
If a script is given an extension such as "mov" or "jpg" and stored in a ZIP archive, Mac OS X adds a binary metadata file to the archive which instructs the operating system on another Mac to open the script with the Terminal application, irrespective of the script file's extension or symbol displayed in the Finder. The Terminal redirects scripts without interpreter lines directly to bash, the standard shell in OS X.
So you have to jump through hoops. Another BS story to set the Mac community into a panic.
I did find it interesting that a file with a .mov extension could execute a shell script. THAT should be a concern. NOT Safari, IMO.
-- Boycott Shell
None of the steps involved in causing this attack to happen should have been implemented in the first place. They're all well-known to be risky, and have all been used in exploits in the past.
"Open Safe Files After Downloading" is inherently risky. No files should be considered safe. The user should always make an explicit request to open any file not handled by the browser itself. Approving an action requested by a potential attacker is not making an explicit request: even if Safari detected the executable and popped up a dialog it would still not be good enough to prevent many people from reflexively approving it.
In addition, automatic execution or interpretation by a general purpose scripting language of any files in an archive, removable media, disk image, or any other potentially untrusted container is inherently risky. Executing code, using applications found in the volume as handlers, or otherwise using them, should be deferred until the user has explicitly requested the code be run, installed, or used.
This should be such a fundamental principle of secure software design that it shouldn't have even occurred to Apple not to follow it.
Just being less insecure than Microsoft is not enough. One might as well laud smallpox as being less deadly than Ebola.
(and... I told you so)
I have not tried it in Safari with "open safe downloads" off, however I just tried it again in Firefox and if you have it set to automatically open zip files and then you open the movie file, the calculator does appear. (My system is up to date according to Software Update too.)
I think the real problem is that it's possible to disguise an attack as a quicktime movie file. The file "secunia.mov" appears to be a text file containing the following line:
/Applications/Calculator.app/Contents/MacOS /Calculator; exit
I guess my question would be why does it run when it's not actually a valid movie?
Putting moderation advice in your
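The three posts above describe the same archive: a text file with a media extension, shipped with a __MACOSX metadata entry that rebinds it to Terminal. The following Python is an added example (not from the thread, Secunia, or Apple) of the checks a download handler or mail filter could run on a zip before auto-opening anything: AppleDouble metadata entries, contents that do not match the extension's file signature, text bodies behind media extensions (with or without a shebang line), and execute bits. The sample archives are constructed inline; the "secunia.mov" entry only echoes a string and is not the real proof-of-concept.

```python
import io
import os
import zipfile

# File signatures (magic bytes) that these "safe" extensions should start with.
MAGIC_BY_EXT = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}
# QuickTime/MP4 containers start with a 4-byte atom size, then an atom type.
QUICKTIME_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}
MEDIA_EXTS = set(MAGIC_BY_EXT) | {".mov", ".mp4", ".m4v"}


def magic_matches(name, head):
    """True when the first bytes of an entry are consistent with its extension."""
    ext = os.path.splitext(name)[1].lower()
    if ext in (".mov", ".mp4", ".m4v"):
        return len(head) >= 8 and head[4:8] in QUICKTIME_ATOMS
    sigs = MAGIC_BY_EXT.get(ext)
    if sigs is None:
        return True  # no known signature for this extension: nothing to compare
    return any(head.startswith(s) for s in sigs)


def is_plain_text(data):
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def inspect_zip(data):
    """Return (entry, reason) findings for anything that should block auto-open."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            # __MACOSX/._name entries are AppleDouble files: Finder metadata such as
            # a custom icon or an "Open With" binding travels here and is applied
            # on the receiving Mac, so their mere presence is worth flagging.
            if name.startswith("__MACOSX/") or base.startswith("._"):
                findings.append((name, "AppleDouble/Finder metadata entry: Open With may be overridden"))
                continue
            if info.is_dir():
                continue
            body = zf.read(name)
            ext = os.path.splitext(name)[1].lower()
            if not magic_matches(name, body[:16]):
                findings.append((name, "contents do not match the extension's file signature"))
            if ext in MEDIA_EXTS and is_plain_text(body):
                shebang = "has" if body.startswith(b"#!") else "no"
                findings.append((name, f"media extension but plain text body ({shebang} shebang line)"))
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0o777
            if mode & 0o111:
                findings.append((name, "execute bit set (mode %o) on a supposedly safe file" % mode))
    return findings


def safe_to_auto_open(data):
    return not inspect_zip(data)


def build_zip(entries):
    """Build an in-memory zip from (name, bytes, unix_mode) tuples (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, mode in entries:
            zi = zipfile.ZipInfo(name)
            zi.external_attr = mode << 16
            zf.writestr(zi, payload)
    return buf.getvalue()


# Constructed samples (not the real Secunia file): a shell command line stored as
# "secunia.mov" beside its __MACOSX metadata entry, plus an honest JPEG stub.
SUSPICIOUS_ZIP = build_zip([
    ("secunia.mov", b"echo this ran in a shell; exit\n", 0o100755),
    ("__MACOSX/._secunia.mov", b"\x00\x05\x16\x07" + b"\x00" * 60, 0o100644),  # AppleDouble magic
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, 0o100644),
])
CLEAN_ZIP = build_zip([("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32, 0o100644)])

if __name__ == "__main__":
    for entry, reason in inspect_zip(SUSPICIOUS_ZIP):
        print(f"{entry}: {reason}")
    print("clean archive may auto-open:", safe_to_auto_open(CLEAN_ZIP))
```

The point of the design is that a single negative answer from any check is enough to fall back to "ask the user"; the checks are cheap and none of them depends on trusting the Finder metadata that the archive itself supplies.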
The problem happens when you choose to download a file from a web site. Just VISITING the site won't do that. Several others here have observed that setting Safari to not open "Safe" files in the main preferences window will solve this in the short term.
The real problem isn't Safari or Mail.app, it's LaunchServices which needs to smarten up Real Soon Now.
There was a big 'to do' about this very issue when Apple first came out with Widgets. It was discovered that the "open safe files..." checkbox was on by default, and any problems/exploits could be stopped by unchecking that box.
So this is OLD news.
What's more upsetting is that Apple hasn't made the unchecked state of that box the default...
"Money is truthful. If a man speaks of his honor, make him pay cash." Notebooks of Lazarus Long, Robert A. Heinlein
I went to a story about an OSX security hole and a Risk game broke out!
That's the furthest away from the topic in the shortest amount of time I've ever seen. Bravo!
"Leo Fender was in a 'state of grace' when he designed the Stratocaster." -- Paul Reed Smith
For the most part, it always requires less skill to break something than to get something working.
Your car analogy would be good if we were talking about computer code -- it takes a lot more skill to write some good code than to mess it up (in textual form). But that's not what we're talking about here.
We're talking about circumvention of security, often known as "breaking" it; but that break (to circumvent protection) is a very conceptually different break than your car example (to render nonfunctional).
Finding exploits like this takes time, intelligence, and often understanding of the software in question. Especially in a well-crafted system, you have to know how the system works in order to circumvent it.
I actually played around a little bit this morning trying to make my own 'evil zip file'. It's not trivial, but it's something that someone with 1/2 a clue could whip up in an hour or so, or make a shell script that kiddies could use to automate the creation of evil things.
The parent here is spot on. This isn't a Safari or Mail problem. This is a problem in how the zip launcher handles embedded meta-data. It's ripe for 'Kornikovina.jpg' type exploitation.
What if it is just turtles all the way down?
/.'s comments that you can activate this problem by simply visiting a web site is absolute bunk
It's possible for a website to initiate a download.
and have the automatic "safe file open" option turned on
Which is on by default, therefore it can be used to propagate worms.
Files that don't match their extension should be handled.
WRONG! There are three things that MUST be fixed.
Open safe files after downloading SHOULD NOT BE ON BY DEFAULT EVEN IF IT IS AN OPTION.
Zip files and other containers SHOULD NOT BE TREATED AS SAFE FILES EVEN IF IT IS ON.
Unpackers MUST NOT AUTOMATICALLY OPEN ANY FILES IN THE CONTENTS OF A PACKAGE.
Both Apple's unzipper (attacked in this case) and StuffIt Expander violate this last in different ways.
Filename extensions.
The lesson to be learned is that Apple needs to be hit with a clue bat. Their system is not as inherently unsafe as Microsoft's (the problem is in the safari shell application, not the Webkit itself), but they're not continuing to apply the same good security practices that the operating system they inherited had been using.
The solution, I suspect, is to simply not auto-open *anything* that isn't handled by the downloading app itself.
Or by a plugin designed to work with the downloading app, that is intended to implement the same security guarantees.
It would actually be reasonable to call external applications for *some* files, but only if they were able to register as applications that are intended to handle untrusted content.
Unfortunately, Apple's LaunchServices doesn't qualify as such a registry.
(not to mention that having ZIP files automatically unpacked is something I personally find EXTREMELY inconvenient and unpleasant, and if they implemented such a registry and if the unzipper WAS 100% secure I would still want to be able to remove it from the list of "safe" applications)
I for one am happy that each security flaw that appears on the OSX platform gets this much attention. I hope it stays that way. Windows users may think they have a reason to gloat, but security flaws and new viruses there are so commonplace that no one even seems to care -- it's just another iteration of a larger problem. As long as we get this kind of uproar over easily-fixed flaws, OSX will always be a more secure platform.
// This is not a sig.
'' Goodness me, I'll admit I don't know that much about the workings of OS X but I'm shocked to hear that meta data stored in a file is trusted in this fashion. ''
No, that is no problem at all. The problem is that two applications (Safari and Finder) used different code to decide whether this is a script or not. Safari thought it was a JPEG file. That would have been no problem at all if the Finder had agreed and had asked Photoshop to open that JPEG file. The problem was that the Finder looked at the same file with the same metadata and came to a different conclusion, believing that the same file was a shell script.
It would still only be able to affect stuff in your isolated home directory (which you DO back up... right?). The system itself would remain stable.
You're assuming that a worm's only goal is to delete everything it can and you'll notice immediately. How about a worm that ftps all your private files to a server? Would you notice?
How about the fact that the default user in OSX can modify everything in Applications. iTunes could be replaced with a script that did something malicious, then ran iTunes.. would you notice?
Every worm ever released on windows could be "written off" just as you have done this one.
Change the name of the Terminal application. Call it "hdfjhTerminal" or some other random name.
-- Boycott Shell
I then created a brand new test account with no admin priv's and tried it and it worked there also.
This is on a fully patched OS X 10.4.5 system.
Just FYI.
"terrorism" and "pedophilia" are the root passwords to the Constitution
There is no totally safe software, but there are practices that are inherently safe, and practices that are inherently unsafe.
Passing an unsafe file (ALL files received from an unsafe source are unsafe) to an API designed to allow dangerous things (LaunchServices is how many applications run their own components, it has to be able to do dangerous things) is an inherently unsafe practice. It should never be followed.
Maintaining a separate registry of applications that are designed to accept unsafe files (safe applications) and using that for unsafe files is an inherently safe practice.
This was the norm for all applications that dealt with untrusted data. The rare case where it wasn't (the Internet Worm, the WANK virus, ...) were treated as bugs, and the unsafe practice was stopped. Until Microsoft integrated IE's HTML control with Windows Explorer (under the name Active Desktop) in 1997, and refused (even, ironically, under threat of being forcibly split up for unrelated reasons) to abandon the practice of using a common mechanism for handling local and internet content.
Now, what Apple's done (and continues to do) is a smaller exposure than Windows's habit of waving its technicolor bum at virus writers, but it's still inherently unsafe and they need to turn around and fix it right.
Of all the times for Apple to follow Microsoft's lead, why did they have to pick this one? Dear God, if you exist, please explain this...
To get it to unzip I had to double-click on it.
Then you have a nonstandard configuration (have you installed a different unzipper or otherwise changed the handling of zip files?), or you didn't actually have "Open Safe Files" turned on.
if people are able to get control of your machine they can turn it into a spambot, a DOS machine or other such device without your knowledge.
But they don't need root to get control of your machine and turn it into a spambot...
All they need is a place to hide an executable that you'll run every time you log in.
Like, oh, dozens of places beneath ~/Library/
It is a bug, there is not supposed to be any auto-run (as opposed to auto-open of non-executable media files). Now, in its attempt to auto-open, say, this faux JPG file, Launch Services opens the actual script in the Terminal. This run-in-Terminal function is necessary; I've used it myself numerous times for starting MySQL and the like from a prewritten script.
If there is an implementational problem it is that Safari can't/won't tap into the same type determination algorithm that launch services uses, to determine the safeness of a file type.
While it would be naive not to freak out about this, it is equally naive to expect Joe User to carefully examine every file he downloads to see if it is really safe. Inherently safe files (non-executables) should always be passed swiftly along, and the warnings and blocks be saved for files that really pose a threat. Of course they have to be categorized correctly, and that's what failed here. Downloading a zipped JPG to view it is not a power user task, and must be considered safe. Joe won't know that JPGs are compressed and zipping them is redundant...highly suspect to the trained eye!
There's no 'on' position on the Slacker switch!
I'm going to delete Calculator.app on all of my Macs. That way I can go back to living with no malware whatsowhoever.
I've updated Paranoid Android to be aware of this class of exploit. You can download it here or grab the source code and compile it yourself.
Note that Paranoid Android is an APE module. I like 'em, but it's something to be aware of.
Basic directions: Run the installer, log out, log back in, launch System Preferences and choose the Application Enhancer prefpane. Choose Paranoid Android. Turn on "Watch non-default application launches". Unless you're really paranoid, turn off "Watch URI schemes", since that class of exploit was fixed awhile ago.
Once you've done this, both the Safari exploit and the Mail.app exploit will trigger a dialog window telling you what's going on and giving you a chance to use the default application (Quicktime Player) instead of the custom one (Terminal).
Once Apple puts out a fix for this, I recommend ditching Paranoid Android - it's a pretty heavy solution.
More info on PA can be found here.
and the parent has confirmed my prediction - Apple-bashing (or shall we call it smashing?) articles will be modded down by Apple zealots?
How did you reach that conclusion*?
Is everyone who mods down serial trolls these days an Apple zealot?
*see GP
The problem is dug very deep in Mac OS X: One does not know if one can trust a certain file or not. A patch for the current security hole is easy, but won't solve the real problem.
On Mac OS (9 and X) a file can have an arbitrary icon and type, independent from its name. Some systems use the filename to guess type and icon. On Mac OS this information is stored as separate data, in a so called ressource fork. So one could create a file "some_file.xls" that is a text-file and has the icon of photoshop. Or one could create a file "celebrity_naked.jpg" that is indeed a program and has the icon of the preview application --- or worse whose icon shows a naked person. Even when there is no security hole, the user might eventually try to open this file. With the current security hole this step can be skipped --- the browser will open it automatically.
Mac OS X needs a way to mark a file as trustworthy. When a file is not marked this way, several dangerous operation will be disabled and the file must be marked in a certain way in the file browser (Finder, open dialogue, etc.). I think the Finder should have an extra check box in the file info dialogue: "This file is trustworthy". Terminal, Help Viewer and other easily exploitable application should refuse to open a non-trustworthy file. And this files should be viewed with a big red explanation mark on their icon --- at least when they can be opened with a dangerous application. So the user can easily see, that these files are a potential threat. Of course, per default only the system files are marked trustworthy.
An easy way to implement such a "trustworthy" flag would be extended POSIX attributes. On Mac OS X 10.4 every file can have an arbitrary number of these attributes. I suggest the following scheme: A file is only trustworthy, when it has a certain attribute. The name of the attribute depends on the user, its value is a digital signature of the file; e.g. name="trustworthy:34833066-DC6A-459F-8462-7100E84A D100" value="Here comes the signature...". Additionally there are some virtual accounts for the machine and the administrator. When they trust the file, every user on the machine or the domain implicitly trust the file too. This scheme has several advantages:
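The per-user "trustworthy" attribute proposed in the post above, worked through as an added Python example (mine, not the poster's or Apple's). The post fixes the attribute naming and says the value is a signature over the file; everything else here is an assumption: HMAC-SHA256 with a constructed per-principal secret stands in for a real digital signature, two dicts stand in for the file system and its extended attributes so the example runs offline, and "bob", "machine" and "admin" carry constructed UUIDs. The scenario shows the properties the post is after: a mark is valid only for the principal who made it, machine/admin marks count for everyone, changing the file silently invalidates every mark, and a fresh download has none.

```python
import hashlib
import hmac
import uuid

# Stand-ins for the file system: contents and per-file extended attributes.
# On a real 10.4 volume the second dict would be the file's xattrs.
FILES = {}
XATTRS = {}

# Principals that can vouch for a file. "alice" uses the UUID quoted in the post;
# the other ids and all signing secrets are constructed for this example.
PRINCIPALS = {
    "alice": (uuid.UUID("34833066-dc6a-459f-8462-7100e84ad100"), b"alice-signing-secret"),
    "bob": (uuid.uuid5(uuid.NAMESPACE_DNS, "bob.example"), b"bob-signing-secret"),
    "machine": (uuid.uuid5(uuid.NAMESPACE_DNS, "machine.example"), b"machine-secret"),
    "admin": (uuid.uuid5(uuid.NAMESPACE_DNS, "admin.example"), b"admin-secret"),
}
IMPLICIT_TRUST = ("machine", "admin")  # marks by these virtual accounts count for every user


def attr_name(principal):
    """Attribute name depends on the principal, exactly as the post suggests."""
    return "trustworthy:" + str(PRINCIPALS[principal][0]).upper()


def signature(principal, content):
    # Assumption: HMAC stands in for a per-principal private-key signature.
    return hmac.new(PRINCIPALS[principal][1], content, hashlib.sha256).hexdigest()


def write_file(path, content):
    FILES[path] = content  # existing marks stay attached but will no longer verify


def mark_trustworthy(principal, path):
    XATTRS.setdefault(path, {})[attr_name(principal)] = signature(principal, FILES[path])


def is_trustworthy(user, path):
    """True if the user, the machine or the admin holds a valid mark on the file."""
    attrs = XATTRS.get(path, {})
    content = FILES[path]
    for principal in (user,) + IMPLICIT_TRUST:
        stored = attrs.get(attr_name(principal))
        if stored is not None and hmac.compare_digest(stored, signature(principal, content)):
            return True
    return False


def open_with_dangerous_app(user, path):
    """What Terminal or Help Viewer would do under the proposal: refuse unmarked files."""
    if not is_trustworthy(user, path):
        raise PermissionError(f"{path} is not marked trustworthy for {user}")
    return f"{path} opened for {user}"


def scenario():
    FILES.clear()
    XATTRS.clear()
    script = "/Users/alice/bin/backup.sh"
    download = "/Users/alice/Downloads/celebrity.jpg"
    results = {}
    write_file(script, b"#!/bin/sh\ntar czf ~/backup.tgz ~/Documents\n")
    mark_trustworthy("alice", script)
    results["owner"] = is_trustworthy("alice", script)
    results["other_user"] = is_trustworthy("bob", script)
    mark_trustworthy("admin", script)
    results["other_user_after_admin"] = is_trustworthy("bob", script)
    # Tampering: new content under the same name, so every mark fails to verify.
    write_file(script, b"#!/bin/sh\necho tampered\n")
    results["after_tamper"] = is_trustworthy("alice", script)
    # A fresh download has no mark from anyone, whatever its name or icon.
    write_file(download, b"echo not really a picture\n")
    results["unmarked_download"] = is_trustworthy("alice", download)
    try:
        open_with_dangerous_app("alice", download)
        results["terminal_refused"] = False
    except PermissionError:
        results["terminal_refused"] = True
    return results


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Binding the mark to the content rather than to the path is what makes the scheme survive the trick discussed in this thread: a file can carry any icon, extension or "Open With" binding it likes, but none of that produces a valid signature from a principal the current user trusts.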
The real bug is in Terminal.app - it runs scripts even if they don't start with the shebang
It's not a bug in /bin/sh either. The POSIX standard specifies that if the shell fails to execute the script using exec(), if the execute bit is set it should run it itself.
Terminal.app does no such thing. It simply passes on whatever you give it to /bin/sh, which it's supposed to do.
The "bug" is a pair of known design flaws in Safari that Apple should have fixed two years ago, along with a change in the unzipper that changed the behaviour Safari was mistakenly depending on.