Forgot your password?
typodupeerror

Mac OS X Struck By Severe Security Hole 559

Posted by CmdrTaco
from the bend-over-everyone dept.
An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."
This discussion has been archived. No new comments can be posted.

Mac OS X Struck By Severe Security Hole

Comments Filter:
  • by Anonymous Coward on Tuesday February 21, 2006 @11:27AM (#14767721)
    .. finally learned how to "Think Different".
    • Seriously (Score:3, Insightful)

      by BoomerSooner (308737)
      How the heck do people figure this stuff out!! Man, if they'd devote this kind of effort to creating legitimate software, imagine the possiblities! The best programmers in the world in my opinion are code crackers... If I had their talent I'd be loaded!!! lol...

      Auf Wiedersehen!
      • Re:Seriously (Score:3, Insightful)

        by BewireNomali (618969)
        I don't know how accurate that is.

        For the most part, it always requires less skill to break something than to get something working. i.e. my ten year old nephew can destroy my car if I let him under the hood - it doesn't make him as talented as an automotive engineer. With some knowledge, he can do more sophisticated sabotage, but he still isn't as skilled as the average engineering undergrad.

        The analogy works in other places: in sports, defensive teams succeed way more often than high flying offensive team
        • Re:Seriously (Score:3, Insightful)

          my ten year old nephew can destroy my car if I let him under the hood - it doesn't make him as talented as an automotive engineer.

          I can see where you're coming from, but I think that's a poor analogy.

          You nephew is more like a beta tester that can find bugs easily, as he can do something wrong or unexpected and "break" an application. Finding ways around security is something else; sometimes it's just exploiting a bug but sometimes there's a lot more to it (research, investigating, and some coding).

          The I be

          • Re:Seriously (Score:5, Insightful)

            by AHumbleOpinion (546848) on Tuesday February 21, 2006 @12:39PM (#14768492) Homepage
            I believe the poster's comments better relate wishing that hackers would act more like ex-criminals developing security systems. Ie, reformed bank robbers providing a service to make banks more secure; they obviously have the skills, they might as well use them for good.

            I think your analogy doesn't really support your point and in fact supports the GP. Reformed bank robbers are not really security experts who can design new security systems, I think you your opinion is based more on movies than on reality. Similarly, hackers are romanticized, their skills exaggerated, in movies and in ill informed nerd mythology spread by sites like slashdot.

            It really is that hackers outnumber developers and that developers have to be perfect all the time and one of the hackers just needs to get lucky once. Hackers are often more like specialized technicians that are skilled in a narrow range, not a skilled engineer that can design a system from scratch. And then there are the kiddies.
        • I&T (Score:3, Insightful)

          For the most part, it always requires less skill to break something than to get something working

          I agree, to a point.

          Haphazard destruction doesn't generally require skill. On the other hand, speaking as someone with Integration & Test experience, the deliberate breaking of something that is engineered to be resistant in that manner does require skill.

          Constructive destruction, I guess is what I'm referring to. Sticking RAM in an acid solution could conceivably cause BSODs, but that doesn't mean you've ha
        • False analogy (Score:5, Insightful)

          by xiphoris (839465) on Tuesday February 21, 2006 @01:13PM (#14768828) Homepage
          For the most part, it always requires less skill to break something than to get something working.

          Your car analogy would be good if we were talking about computer code -- it takes a lot more skill to write some good code than to mess it up (in textual form). But that's not what we're talking about here.

          We're talking about circumvention of security, often known as "breaking" it; but that break (to circumvent protection) is a very conceptually different break than your car example (to render nonfunctional).

          Finding exploits like this takes time, intelligence, and often understanding of the software in question. Especially in a well-crafted system, you have to know how the system works in order to circumvent it.
      • Re:Seriously (Score:4, Insightful)

        by Xugumad (39311) on Tuesday February 21, 2006 @02:07PM (#14769360)
        People figure this out by looking at corner cases, and prodding stuff to see if it breaks. Most exploits are fairly simple though; we're finally getting away from buffer overflows, but they're easy to find by looking at where programs deal with a string, and seeing what happens if you put a much too large string in. Time consuming, but straight forward.

        There are some genuinely skilled crackers out there, but they're fairly few and far between. I maintain a bunch of computers, and most of them deal with a cracking attempt a day. Let me give you a quick log extract:

        Feb 21 03:22:56 <hostname> sshd[25243]: Invalid user firebird from <IP removed>
        Feb 21 03:22:57 <hostname> sshd[25245]: Invalid user art from <IP removed>
        Feb 21 03:22:59 <hostname> sshd[25247]: Invalid user manu from <IP removed>
        Feb 21 03:23:00 <hostname> sshd[25249]: Invalid user peru from <IP removed>
        Feb 21 03:23:02 <hostname> sshd[25251]: Invalid user contra from <IP removed>
        Feb 21 03:23:03 <hostname> sshd[25253]: Invalid user fbi from <IP removed>
        Feb 21 03:23:05 <hostname> sshd[25255]: Invalid user melanie from <IP removed>

        That's just someone trying random username/password combinations and hoping. Eventually, they'll find somewhere with looser security, and get in, but that doesn't make them skilled, it makes them annoyingly persistant.

        Don't get me wrong, this OS X exploit is actually fairly interesting, but most crackers have just enough knowledge to be dangerous, and not enough to use it wisely.

        If you want impressive, have you considered the people securing these things? They don't have to find just one security hole, they have to find them all. They have to know every way someone might try breaking the system, and then some...
  • by daveschroeder (516195) * on Tuesday February 21, 2006 @11:27AM (#14767730)
    You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).

    You can test this by downloading this harmless exmaple:

    http://www.heise.de/security/dienste/browsercheck/ demos/safari/Heise.jpg.zip [heise.de]

    ...and sending the resulting JPG to yourself in Mail.app.

    This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.

    I'd expect a security update that addresses this *very* soon. This is a bad one.

    • I'd expect a security update that addresses this *very* soon. This is a bad one.

      Security fix has been out for some time.

      Available here [ubuntu.com]
      • Ubuntu can't run shell scripts and can run ordinary productivity software in a commercially supported OS environment from a major vendor?

        Sign me up!

        And seriously, this isn't any bigger than any number of social engineering security vulnerabilities that take advantage of some flaw or shortcoming in any other OS...
        • by NtroP (649992) on Tuesday February 21, 2006 @12:10PM (#14768182)
          And seriously, this isn't any bigger than any number of social engineering security vulnerabilities that take advantage of some flaw or shortcoming in any other OS...
          As much as I hate it, I'm going to have to disagree with you here. I can add an exploit to my web page that will tell your browser to automatically download a file when the page is viewed - the only user interaction necessary would be to visit my page. If you haven't configured you browser to NOT open "safe" files (the default is to go ahead and open them automatically) then my exploit is triggered - no user interaction, again. I have now infected your system.

          Granted, if I try to change firewall settings or affect anything outside of your account's permissions you will be prompted for a password. But I could still delete or corrupt all your files, change your bookmarks, send email to your friends and family with an exploit and try to IM your buddies with it - I just have to choose a well-crafted malware.

          I'd say this is a potentially evil hole. I just had my wife and kids change their default settings (I'd always had mine disabled - never thought to change my family's). I think, though that this one will also be quickly and simply patched. And really, the more "benign" wake-up calls Mac users get the better protected they will be and the more difficult it will be for any malware to gain traction.

          • by daveschroeder (516195) * on Tuesday February 21, 2006 @12:24PM (#14768336)
            From another response I just gave:

            Since we've gone through the whole "download safe files" business a year ago, and Apple provided a prompt fix, and, additionally, since this is just Safari's executable-recognition code missing this because the shell script is malformed (i.e., missing the shebang), I expect a fix soon.

            I was speaking to the social engineering aspect of this, since the automated aspect of this is so easy to mitigate, has already been addressed in one form a year ago, and I'm assuming will be quickly patched, leaving only the social engineering aspect to deal with. Which, once again, is no more or less serious than any social engineering exploit on any other platform.

            Also, in case you hadn't noticed, getting a user to visit a web site is still a social engineering principle. Whether it's double clicking a file or tricking a user to view a web site, it's still "social engineering". What makes this unique is that Safari, in its default state, could potentially download a file and execute a shell script without user interaction. That's a Bad Thing. But since we've already dealt with this a year ago and missing malformed shell scripts was apparently an oversight, I expect this to be fixed soon.

            Once fixed (or, in the interim, a single box unchecked) every other aspect of this just becomes tricking the user to click something.

            And as we all know, that can happen on any platform.


            In other words, this isn't a flaw that is endemic or inherent to any fundamental functionality; by all rights this whole issue was intended to be "fixed" a year ago, but it appears Apple missed malformed shell scripts marked as executable. Oops. So, that will be fixed, and everything else left is social engineering.

            This isn't the first time a "view a webpage and something will download that can run without user interaction" exploit has happened on Mac OS X. But I'm sure the press will make a HUGE deal of this one, even though the previous two "viruses" discovered this week are *pure* social engineering, utterly useless, and the vulnerability that one used had even been patched since June 2005 and only affected Mac OS X 10.4.0.

            I fully expect this to be the beginning of attacks on Mac OS X as "just as insecure as Windows" in earnest in the mainstream press, and also for people to completely misunderstand and believe it's related to the x86 transition. Yay. :-(
            • by Kelson (129150) * on Tuesday February 21, 2006 @01:51PM (#14769225) Homepage Journal
              Since we've gone through the whole "download safe files" business...

              I think the lesson to be learned is that there is no such thing as a "safe" file type. Zip files can be auto-executed, image files can be run through scripting interpreters, malformed images can create buffer overflows in parsers...

              We've seen security updates on Windows, Mac and Linux for GIF, PNG, JPEG and TIFF libraries.

              Shell scripts are nothing but executable text files.

              The solution, I suspect, is to simply not auto-open *anything* that isn't handled by the downloading app itself. Process whatever transfer encoding, but if the file is a disk image, wait for the user to open it. If it's a StuffIt or Zip archive, wait for the user to open it. If it's a video clip, and it's not playing in the browser, wait for the user to open it.

              Sure, it removes a little convenience, but in the long run Apple might be better off disabling and then removing this option entirely.
              • The lesson to be learned is that Apple needs to be hit with a clue bat. Their system is not as inherently unsafe as Microsoft's (the problem is in the safari shell application, not the Webkit itself), but they're not continuing to apply the same good security practices that the operating system they inherited had been using.

                The solution, I suspect, is to simply not auto-open *anything* that isn't handled by the downloading app itself.

                Or by a plugin designed to work with the downloading app, that is intended
            • ...but it could well be related to the transition, or more precisely, the fact that a haxx0r can now install OSX on a space partition on a PC and start coding with it rather than having to buy a Mac just for the privilege. In fact I'd put money on this is exactly why we are suddenly seeing a lot of attention with OSX security as OSX now has a completely new audience that can obtain the OS and start coding with it for free.
    • This IS a bad one (Score:5, Insightful)

      by QuaintRealist (905302) <quaintrealist@@@gmail...com> on Tuesday February 21, 2006 @12:03PM (#14768104) Homepage Journal
      For everybody else who says "thank heavens I use Firefox" in these threads, please read parent post. This is a problem held over from when OS used metadata/extensions to figure out what to do with a file, automatically, before we had to worry about the bad guys trying to manipulate this data. These techniques date back to single-user systems, and they are vulnerable.

      (Usual disclaimer: I use a unix>windows mix at work, mac at home, and use primarily firefox on all three).

      People need to learn techniques to lock down their boxes - different OS are not all equally vulnerable, but are all vulnerable.
    • by joetheappleguy (865543) on Tuesday February 21, 2006 @01:08PM (#14768780) Homepage
      Thanks for the test file. I downloaded with Safari, but have "Open Safe Files" turned off it did nothing after download.

      I then unzipped the file and had a look at it in the Column view of the Finder, at this stage a normal jpeg would have been previewed, but the Finder had the file listed as "Terminal Application", but I think that most Mac users tend to use List or Icon view though, which would force them to open the file, activating it.

      I then emailed myself the file with Mail.app 1.3.11 (In 10.3.9) and after the receiving the email I was warned that "Heise.jpg is an Application and could contain viruses, etc". after I attempted to save the attachment - It also did not preview in the mail message (Obviously)

      Seems that this type of vulnerability is most likely to affect mid-level users who are somewhat reckless with their clicking and think they know better than new users who read and "cancel" every message box for fear of breaking their computers or advanced users who realize at a glance that the .jpg does not "feel" right.
      • This is *exactly* the point I was waiting for. This has been brought up before -- just look at this Daring Fireball article [daringfireball.net]. This dates back to 2004 -- it is a safe option to have default URL handlers turned off in a few cases. Having default action disabled downloads the file -- but double-clicking it in Finder, or even Ctrl-clicking and using "Open" submenu action does not cause any harm...
  • Glad I have that option turned off!

    It's inevitable though that there will be a major OSX infection, so it's time for Mac users to get more conscious of this stuff.

    Oh, and more $$$ for the anti-virus guys I guess.
  • Workaround: Camino (Score:5, Informative)

    by Ryan Amos (16972) on Tuesday February 21, 2006 @11:28AM (#14767740)
    I don't use Safari because it doesn't render pages as well as a mozilla based browser, and now I have a reason to gloat :)

    Get Camino here [caminobrowser.org]. Camino is an OS X native browser using the gecko rendering engine. Looks better than Safari, is faster than Safari, and apparently is more secure than Safari. Plus the security is more easily tunable.

    Most Mac users have heard of it by now, but I'm just giving them another plug because it kicks ass.
    • Camino is an OS X native browser using the gecko rendering engine.

      Hate to reply with possible FUD, but I have honestly resisted using Camino due to the whole plug-in situation. Things like AdBlock/Filterset.G, NukeAnything, Tabbrowser Prferences, and FasterFox(!) really make FireFox much more usable/safe than any other browser out there (Opera was decent at v8.0, but I haven't really tried it since). How is the extension situation with Camino these days?

      • Camino has absorbed some of the features of those plugins. It can now block ads and flash and other things. Unfortunately, no Abe Vigoda tracker is available.
      • Check out the CamiTools plugin for Camino. It adds several of the features you mention. The only things I'd like to see it feature that it doeesn't are the FlashBlock menubar toggle (avail in FB1.5), and movable tabs. It also runs a lot faster that both Firefox and Safari, which is important if you're using a 4-year-old mac...
    • Maybe in limited cases, but if you do multilingual stuff Safari leaves the Gecko camp miles behind.
    • I know the Acid2 test doesn't tell the whole story, but Safari passes [mozillazine.org] it. Opera 9 comes damn close. Mozilla browsers are a damn mess.
    • by IronyChef (518287) on Tuesday February 21, 2006 @01:27PM (#14768965)
      Camino is an OS X native browser using the gecko rendering engine. ... faster than Safari

      I don't know what the evidence for this claim is, but my (warm app, cold cache) tests on a few sites showed Camino to range from similar to slower than Safari.

      and apparently is more secure than Safari.

      Read the Secunia article [secunia.com] - this isn't a Safari security hole, it's an underlying platform issue and can be exploited in other ways.
      Besides, the Mozilla family browsers have had their share of security holes.

  • by TripMaster Monkey (862126) * on Tuesday February 21, 2006 @11:31AM (#14767769)

    *RING*

    Jobs:
    Hello?

    Gates: BWAHAHAHAHA! PWNED!!!!

    Jobs: Goddamnit, Bill, I told you to stop calling!
  • by Justin205 (662116) on Tuesday February 21, 2006 @11:32AM (#14767775) Homepage
    The 'workaround' is to just disable auto-opening 'safe' files. I've done this on every Mac I've used, since I started using them, as I always saw it as a potential security risk (and a potential annoyance - I don't want my files opened immediatly sometimes). In my mind, automatically doing almost anything like opening downloaded files without asking is bad.

    So just live without automatic file opening for the time being, and you're safe.
  • by toupsie (88295) on Tuesday February 21, 2006 @11:33AM (#14767779) Homepage
    Mac OS X users can protect themselves simply by removing the check mark from the "Open safe files after downloading" option in Safari's preferences under the General tab. I have tested this and it works. This is quite a nasty little exploit so I suggest making the change ASAP.
    • I already had mine unchecked. I don't remember if this is default behavior, or I specifically chose it. I do remember unchecking it because I didn't want anything starting up when I download something.
    • that only fixes the problem where it unzips automatically. It does not fix the icon issuse where there is a shell script with a Quicktime icon. The real fix to this would be to ID files based on the content and not the extension.
      • I'm not clear how the file extension enters into it. I thought the problem was that OSX allows any file to have an arbitrary icon. So the file extension is correct, but the icon is misleading. I suppose this is less of a problem on Windows, because most files are not allowed to have arbitrary icons - the icon is assigned based on the file extension, so a *.vbs file can never have the icon of a *.jpg. Unless, of course, you have permission to change the global file association/icon assignment.
    • by hackstraw (262471) * on Tuesday February 21, 2006 @11:43AM (#14767912)
      This is quite a nasty little exploit so I suggest making the change ASAP.

      I did this years ago.

      Can someone remind me what is the point of a browser allowing "driveby downloads" and automatically launching the content of the download?

      Safari has a nice download manager that lists the most recent downloads, and by simply double clicking on the one you trust and want to view is up to you.

      This is at least over a 1 year old issue: http://www.net-security.org/vuln.php?id=3461 [net-security.org]

      Is it too much to ask for normal users to double click on a file to launch it? This is what we used to do, and still do with email, ftp, removable media, networked drives, everything. What is the point of a driveby download and launch?

    • This is hardly the point - apparently [slashdot.org] OS X (or some portion of it, at least) understands that the file is not a movie, but a shell script. It's not amongst the "safe files". It's either:
      • Safari's fault for attempting to execute an unsafe file (e.g. not querying the OS properly to really discover if the file is "safe" or not).
      • OS X's fault for executing files themselves instead of opening them in the appropriate application.

      IMNSHO, the expected behavior of Secunia's demo should be QuickTime complaining

  • by name_already_taken (540581) on Tuesday February 21, 2006 @11:34AM (#14767801)
    I just tried the test with Firefox, and it doesn't appear to matter which browser you use. If you open the file after it downloads, the calculator app appears.

    The only difference is that the default behavior in Safari is to automatically open downloaded files of certain trusted types.

    Who wouldn't try clicking on a movie icon? I would think that most people would.

    • Being able to download and run stuff has always been a risk.

      It doesnt matter what OS you use (zOS, Linux, windows, Mac, etc), you run the risk of damaging those parts the user has access to if you run things downloaded from random websites.

  • OS X 10.4.5 (Score:3, Interesting)

    by RugRat (323562) on Tuesday February 21, 2006 @11:36AM (#14767817)
    Went to the proof of concept, followed directions and it did not execute.

    I'm running 10.4.5 with Safari 2.0.3. Looks like not everyone is vulnerable.
    • I'm also running 10.4.5 with Safari 2.0.3, and it happily executed. You may have, as others have already mentioned, automatic execution of safe files unchecked.
      • How does something happily execute? Either it executes or doesn't execute. I swear, people wanting to through in their adverbs.
        • by krbvroc1 (725200) on Tuesday February 21, 2006 @12:12PM (#14768201)
          As my long slender finger eagerly depressed the mouse button, I waited with anticipation for the tell tale glow that my computer was performing as I trusted it would. I could hear the sturdy heads of the hard disk chatter as my user data was happily sent to digital heaven. It was not until later that day when I again turned to my computer for comfort that I realize the significance of was had transpired earlier.
  • I remember when this came out for IE - you could have a link in a webpage that would launch Notepad or open the systems cdrom drive. As IE is with Windows, it sounds like Safari is to OS X; too close to the OS. Of course what can a cmd like this do to someone w/o admin access? We'll see, but the focus should be on *why* this happened in OS X? What was the idea to have Safari be able to run apps?

    We shouldn't be surprised at things like this popping up, OS X is getting more popular/press, so they've beco
  • ...what a stupid idea.

    I honestly think that Jobs really bought into his own RDF with this one.

    You can't tell me that after Win98 & IE4 + 8 years... anyone still believes that bypassing security for "features" is a good idea on as hostile a network as the internet.

    Esp. with someone with as seemingly high a clue-factor as Jobs... :sigh:

    I just turned off the feature on my Safari, and sent an email to my wife to do the same on her powerbook.
  • by Kohath (38547) on Tuesday February 21, 2006 @11:36AM (#14767833)
    MS Windows users have had this for 5 years. Congrats to Apple for finally catching up to us.
  • Very inneresting. I downloaded the Secunia.mov.zip file on my XP machine at work. Looking at the unzipped files in a text editor, you get the Secunia.mov file which contains "/Applications/Calculator.app/Contents/MacOS/Calc u lator; exit". In the __MACOSX folder (resource data), there is a ._Secunia.mov, which contains binary data and the string "/Applications/Utilities/Terminal.app". Basically, it's a shell script that fires up calculator and exits. As others have said, it's a result of the split off of th
  • by Gopal.V (532678) on Tuesday February 21, 2006 @11:39AM (#14767864) Homepage Journal
    The vulnerability is caused due to an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives. This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive.
    Considering that Mac OSes have never believed in file extensions and have always read file meta-data to determine action, this ranks equal with a browser executing .jpg.exe files when you click on the seemingly innocent nude-zeta-jones.jpg.exe [theregister.co.uk]...
    disabling the "Open *safe* files after downloading" option in Safari

    So the guys in apple who had the __MACOSX part to zip files didn't communicate that to the Safari folks. Communication gaps happen, but this is gross oversight in a company which claims to sell their software for a premium because it is cool (and well-tested UNIX background).

    Shell vulnerabilities seem to be the entry point usually, seeing the firefox shell:// that was recently discovered... Integration comes with its own sweet price.

  • I don't want to start a flaimbait. However here it is: There is no safe software. OSX is inherently safer than windows, but it's not 100% safe, by default (no software is). This is to say that I hope many mac user will finally get conscious about this: Mac OSX is not de facto immune by any exploit, flaw or whatever. Not because you are using OSX you should not be careful, and use the proper software.
    • There is no totally safe software, but there are practices that are inherently safe, and practices that are inherently unsafe.

      Passing an unsafe file (ALL files recieved from an unsafe source are unsafe) to an API designed to allow dangerous things (LaunchServices is how many applications run their own components, it has to be able to do dangerous things) is an inherently unsafe practice. It should never be followed.

      Maintaining a separate registry of applications that are designed to accept unsafe files (saf
  • 1. User must download link

    2. Safari must allow expanding of zip file

    3. Zip app must allow executing of unzipped file (this is not normal)

    4. Normally, the file will appear on the desktop, without being executed. It does have a movie icon, but for those of us who always pre-watch movies and what have you in a Finder column window, this doesn't really present a problem; it says Terminal Document below the movie icon (and no one in their right mind would zip a movie anyway, it's a bit like those pornmovie.exe y
  • by Fahrvergnuugen (700293) on Tuesday February 21, 2006 @11:43AM (#14767907) Homepage

    Someone correct me if I'm wrong, but this exploit can only affect items that the user has rights to. If a script were written to make changes to the system, OSX should prompt you for your password, right?

    • by Peganthyrus (713645) on Tuesday February 21, 2006 @12:06PM (#14768135) Homepage
      this exploit can only affect items that the user has rights to

      Like ~/Documents/ where you're encouraged to store pretty much everything you make with your machine.
      Or ~/Pictures/ where iPhoto keeps everything it loads up.
      Or ~/Music/ where iTunes puts all your music.
      Or wherever the hell iMovie keeps what you build with it - probably either ~/Movies/ or ~/Documents/
      Or wherever the hell GarageBand keeps its work.

      Sure, the machine still boots. But if a script does rm -rf ~*.* you're kinda fucked. Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'?
      • by bogie (31020)
        I think the point that some people make is that if someone ran rm -rf that you can just reboot and restore from backup and create a new user account and be none for the worse. Well except for the fact that your financial statements, medical information and other personal items just got uploaded to the Internet. Ooops.

        The history of that school of thought is that under real multi-user systems if one non-root account gets hosed everyone else can continue on with no ill effects.

        Anyway I'm beyond shocked that t
      • Why is it that Slashdotters always say 'oh, this exploit just affects userland, no big deal'

        Why is it that most people who trot out that line always assume that because a windows exploit can take down their OS, it isn't going to trash their home directory as well?

        Also, it's a hell of a lot easier to restore a single user's files if the rest of the OS is still intact.

        If your OS gets pwn3d, you can't trust it. At all. You know the r00tkit tech that Sony has recently been grilled about? It's called a r00tkit a
    • A program can still do plenty of damage even without root privileges. Your system per se may be safe, but your files aren't: they can be deleted or sent over the network. Or you could become a spam-bot, just like a Windows user: it doesn't require root privileges to open a port.

      It may not be able to make itself last through rebootings, but you're not supposed to have to reboot OS X very often.
    • You're a little big wrong. :-) The vast majority of Mac users work full-time in Administrator accounts. These are "below" the root account, so it's not as bad as in Windows XP, but it can still be an issue. Generally, items in /System cannot be modified without explicitly authenticating for root privileges. Items in /Library can be changed immediately by admins, and that's enough to cause all kinds of havoc. Not to mention that even a standard user can install items in their own ~/Library, which might be en
  • Interesting (Score:5, Funny)

    by jayhawk88 (160512) <jayhawk88@gmail.com> on Tuesday February 21, 2006 @11:44AM (#14767917)
    But I missed the part in the article where this can all be blamed on Microsoft, can someone please help me out?
  • ...it wants it's exploit back.
  • by feranick (858651) on Tuesday February 21, 2006 @11:47AM (#14767948)
    I am envious, the exploit doesn't work on my windows box. If I try to run the proof of concept file, it says it's not a movie file. Damn it!
  • I know it's an ancient version, but I just tried it under VMWare in Safari 2.0 (412) and it only launches Quicktime. Well I guess that's bad enough.
  • by bennomatic (691188) on Tuesday February 21, 2006 @11:49AM (#14767964) Homepage
    ...in which Microsoft is taking the lead and Apple is copying them.

  • by frankie (91710) on Tuesday February 21, 2006 @11:52AM (#14767986) Journal
    Quick point of order: the bug doesn't execute automatically if you turned off the "Open Safe Downloads" preference. However, it's still really Really REALLY bad.

    Explanation: Apple recognizes a particular folder within a zip archive as resource forks. This way you can correctly upload/download old-style apps and/or OSX metadata. The latter feature is where the problem occurs.

    If you take a shell script, rename it to a "safe" file extension (such as mov, jpg, etc), then change its metadata (aka the "Open With..." setting) to Terminal.app instead of the expected default application, you now have a shell script that looks like an ordinary media file.

    If you then use OSX built-in BOMarchive command, you have a zipped shell script that looks like a "safe" download.

    End result: arbitrary shell script execution (under OSX default settings) upon visiting a malicious URL.

    Conclusion: remote metadata should not be trusted. This bug would not occur if downloaded files could only belong to their default app.
  • Are we so used to MS bundling the browser with the OS that we can't think that they're different things? Granted, Safari does come with OSX, but thats not the point - its the wording of the headline thats trollish.
  • by Compulawyer (318018) on Tuesday February 21, 2006 @11:55AM (#14768016)
    Why isn't Secunia being flamed here for releasing details of an exploit before Apple has had a chance to patch it? Are there not enough details for someone to create their own version? I may be wrong, but I did not notice one mention of any fact that indicates that Apple was notified of the problem and/or given an opportunity to fix the problem. I am used to seeing such information releases eing labeled as "irresponsible" but I have not seen any discussion of this aspect of the story yet.
    • Because this was reported by Heise [heise.de] via Michael Lehm [uni-ulm.de] via mac-tv [mac-tv.de].
  • by bobdotorg (598873) on Tuesday February 21, 2006 @12:30PM (#14768387)
    My credit card has been repeatedly comprimised while using Safari.

    Most recently, a $300 charge appeared on my statement after visiting this page. [apple.com]
  • by argent (18001) <peter.slashdot@2006@taronga@com> on Tuesday February 21, 2006 @12:35PM (#14768441) Homepage Journal
    None of the steps involved in causing this attack to happen should have been implemented in the first place. They're all well-known to be risky, and have all been used in exploits in the past.

    "Open Safe Files After Downloading" is inherently risky. No files should be considered safe. The user should always make an explicit request to open any file not handled by the browser itself. Approving an action requested by a potential attacker is not making an explicit request: even if Safari detected the executable and popped up a dialog it would still not be good enough to prevent many people from reflexively approving it.

    In addition, automatic execution or interpretation by a general purpose scripting language of any files in an archive, removable media, disk image, or any other potentially untrusted container is inherently risky. Executing code, using applications found in the volume as handlers, or otherwise using them, should be deferred until the user has explicitly requested the code be run, installed, or used.

    This should be such a fundamental principle of secure software design that it shouldn't have even occurred to Apple not to follow it.

    Just being less insecure than Microsoft is not enough. One might as well laud smallpox as being less deadly than Ebola.

    (and... I told you so)
  • by snStarter (212765) on Tuesday February 21, 2006 @12:40PM (#14768497)
    The problem happens when you choose to download a file from a web site. Just VISITING the site won't do that. Several others here have observed that setting Safari to not open "Safe" files in the main preferences window will solve this in the short term.

    The real problem isn't Safari or Mail.app, it's LaunchServices which needs to smarten up Real Soon Now.
  • This is good news (Score:5, Insightful)

    by saltydogdesign (811417) on Tuesday February 21, 2006 @02:42PM (#14769714)
    I for one am happy that each security flaw that appears on the OSX platform gets this much attention. I hope it stays that way. Windows users may think they have a reason to gloat, but security flaws and new viruses there are so commonplace that no one even seems to care -- it's just another iteration of a larger problem. As long as we get this kind of uproar over easily-fixed flaws, OSX will always be a more secure platform.

We gave you an atomic bomb, what do you want, mermaids? -- I. I. Rabi to the Atomic Energy Commission

Working...