Huge security hole in Internet Explorer for MacOS 606
Brad Lucier writes "Macintouch
is reporting
(go down the page a bit)
that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1,
has a huge security hole---when it downloads arbitrary programs encoded
in the Macintosh's standard BinHex (.hqx) format, it automatically
executes them. " Well I guess thats one way to make Unix insecure. Can anyone actually confirm this since it looks kinda sketchy. I wonder what someone's rationale would be for that:"Oh this won't hurt anyone, and saving that extra 'OK' click will be great!".
Intrinsic Security in OS X (Score:4, Insightful)
To what extent do others out there think this fact might "save" IE from being the terrible security disaster under OS X that it is on Windows?
I've got it on my 10.1 system, but I never use it; Mozilla 0.9.4 is far nicer (to me, anyway.)
Re:Intrinsic Security in OS X (Score:2)
A single infection, however, could still be just as damaging from the standpoint of a user. Lost data is still lost data.
This is not a worm hole. (Score:2)
Trojans are the basic threat, but viruses have been spreading through other means for a long time. Since most end-users spend all their time in one account, not being able to access the underlying admin privileges is about as relevant as not being able to change the hardware configuration.
Near-Useless Security (Score:4, Troll)
Maybe this will save a little data on systems with multiple users, but we're talking about personal computers here. By definition they are primarily used by one person.
The protection offered by an administrator account is minimal.
Re:Near-Useless Security (Score:4, Insightful)
As far as protection by using the Admin account, this is a basic tenet of security: assign only the necessary privileges for software to function. Ever wonder why DOS/Win95/Win98/Me are so succeptible to havoc caused by viruses (beyond popularity and braindead M$ application features)? It's because you're always running as de-facto superuser account.
The only reason you claim the Admin account provides "minimal" protection is because you believe the time and effort to restore a system is trivial. Even if that were the case, always running as the Admin account makes it a lot easier for a worm/virus to completely trash your system, taking down your valuable data files along with everything else.
I think fortunately for Microsoft and its millions of users worldwide, most worms/macro viruses these days are pests that put a drag on the Internet infrastructure, rather than seeking out your data files and wiping them away.
Re:Near-Useless Security (Score:5, Insightful)
Funny thing, the way this works out on a personal computer is that pretty much every program the user runs needs the ability to access the user's data. Otherwise the user is continually tripping over the restrictions and being forced to enter passwords.
The only reason you claim the Admin account provides "minimal" protection is because you believe the time and effort to restore a system is trivial.
Relative to the months of creative work and irreplacable personal data that can be lost, getting the local geek to spend a few hours reinstalling software is indeed trivial.
Even if that were the case, always running as the Admin account makes it a lot easier for a worm/virus to completely trash your system, taking down your valuable data files along with everything else.
The only thing it makes it easier to trash are the system files. The user data is totally at the mercy of any trojan they run.
Don't get me wrong, account restrictions could be used to provide better security on a personal computer. However, with rare exceptions, they aren't. The operating environment isn't designed for efficient permissions management and the users aren't sophisticated enough to understand the value anyway.
Multiuser OSs are just that, and not optimally designed for personal computers. The admin account is there to protect the system from the users, not to protect the users from foreign code. There are definitely improvements that could be made with a dedicated networked-PC OS designed with an eye to protecting the user's data from less-trusted network programs such as the web browser.
To sum it up, it isn't hard to imagine system features that would protect the user's data from internet code, and while a priviledged admin account could be a part of implementing those features, it doesn't provide them.
Re:Near-Useless Security (Score:4, Insightful)
Absolutely correct.
However, one simple modification could bring the user's personal data under the protection of the admin account while still leaving it accessible to the user account: have a program running with root privileges which automatically backs up a copy of all the user's documents to a file only root has rights to. Then if the docs get hosed eg. by a virus running as user, one simply needs to login as root to get at a backed-up copy.
Of course the idea of backing up to another spot on one's own hard drive seems a little strange, but as most *really* important data files tend to be relatively small (unless the user is doing eg. video editing for a living), it seems like a very sensible solution, especially for OS' like Win2k Professional and OSX--which have strong multi-user security, but are generally run as single-user workstations.
Thoughts?
Re:Near-Useless Security (Score:3, Insightful)
As someone who manages 25 local geeks, I take great offense to this statement, but it's pretty damn typical of user attitudes so it doesn't shock me.
The local geeks you talk about spend far too much time fixing your screwups and when we try to protect you from yourself by putting strict file perms on your desktop, you go screaming bloody murder because you can't install webshots or some other stupid program-of-the-week your friends told you about.
So instead of us doing something useful like planning for deploying new technologies, coding useful reports for the mountain of data you need to work with in the company's oracle database, ensuring the company doesn't get sued for license non-compliance, keeping server patches up-to-date, keeping up with security lists, etc, etc, we are running around fixing your screwups because you have no respect for the time or talents of your local geek.
Thanks for illustrating this common and typical attitude so well...
Re:Near-Useless Security (Score:5, Insightful)
I think the short answer to your question is education. Windows XP is a secure multi-user OS, and it's now shipping on consumer PCs. Many users now will have no choice but to gain a better understanding of at least logging in, and what activities (app installation) aren't possible with a "restricted" user account.
Having said that, I found the Microsoft scheme to ease multiple user computing for consumers is incredibly convoluted. During installation, a superuser account synonymous with root on Unix named Administrator is created.
However, after booting Lose-XP for the first time and logging in as Administrator, you'll want to add user accounts. Lose-XP forces you to create a "Computer Administrator" account before you can create regular user accounts. After doing so, the Administrator account is hidden from XP's new simplified login screen. The point I'm trying to make is that a relatively basic concept is made more complex, even though the supposedly goal was to make the login screen simpler for Joe Schmoe.
It's an issue, but as alluded to before, it's being handled very differently now. In DOS and legacy Windows, there was only the de-facto superuser-level user. Now that XP is slated to become standard on all consumer PCs, this is obviously no longer the case.Besides my earlier complaint that the handling of users is more complex than it used to be, there is I believe another wrinkle to it (that I read somewhere else). If you add accounts during installation of XP, they receive Administrator credentials instead of normal user privileges. Besides (pre-)installation, login is the first feature users will meet. I don't understand why accounts seem so convoluted in XP.
Finally, Mac OS X takes a different tack. From what I understand, all created accounts are user level accounts in the Unix sense. To access the admin-level account, you have to explicitly enable root. I don't know enough about OS X to comment, but on the face of things, this seems like a simple security policy that many users can actually understand if explained to them.
In short, unless users are going to treat their PCs as black-box Internet appliances (admin'd by a friend or relative), many of them will have to understand and admin their Windows boxes more than they've been accustomed to.
Durable backup (Score:2)
I'd like to see a virus capble of erasing CD-Rs kept in a locked filing cabinet.
Xix.
Re:Intrinsic Security in OS X (Score:5, Insightful)
This is correct. However, this practically causes every local exploit to be remote exploit which makes things pretty much easier for an attacker. In addition it really doesn't matter if malicious code destroys only your personal data or your personal data and system libraries. You're fscked anyway!
Re:Intrinsic Security in OS X (Score:2, Interesting)
User level is DANGEROUS for malicious code! (Score:4, Insightful)
Normal users have the ability to open TCP sockets, fork processes etc.
All the code has to do is download itself, background itself as an non-stoppable process and then use the network to scan like crazy for whatever vulnerability you like!
Even if you're not scanning for vulnerabilities, your code could be repeatedly mailing bugs@microsoft.com or whatever. A Denial of service attack with a userlevel account is also possible...
Re:User level is DANGEROUS for malicious code! (Score:2)
I can think of millions of incredibly destructive things to do at the user level, so let's not pat OS X on the back for being a Unix and having some better-than-MS security model that will keep it safe while running lame MS applications. Security is as security does and this hole can do some real damage despite being a user process.
Re:Intrinsic Security in OS X - It's even worse... (Score:2)
It's not quite THAT bad... (Score:2)
Administrator-class users [i]do [/i]have to authenticate to save their changes to the NetInfo database.
The real problem is sudo. Any Administrator-class user can use sudo on anything they want. That is, obviously, an obscenely huge hole. But it's not quite as bad as you make it sound. Still dire, but there's no need to exaggerate it even further than it already is.
Re:It's not quite THAT bad... (Score:3, Informative)
%admin ALL=(ALL) ALL
in their
...or you should live with it, but ensure that your main account is a non-administrator account.
- j
Re:Intrinsic Security in OS X - It's even worse... (Score:2, Informative)
Re:Intrinsic Security in OS X (Score:2, Informative)
BTW, I tested this hole, and it is as bad as it sounds. Macslash.com has a nice little demo that you can try yourself if you're running 10.1.
--
I am the hub of jack's digital universe.
Not true (Score:5, Insightful)
Re:Not true (Score:4, Informative)
But, you could easily add to the Classic system startup, and cause lots of havoc there
Re:Not true (Score:3, Informative)
[localhost:Classic Startup.app/Contents/Resources] login% pwd
/System/Library/CoreServices/Classic Startup.app/Contents/Resources
[localhost:Classic Startup.app/Contents/Resources] login% ls -la TruBlueEnvironment
-rwsr-xr-x 1 root wheel 476740 Sep 26 20:04 TruBlueEnvironment
Sure looks like it's setuid root to me.
Re:Intrinsic Security in OS X (Score:2)
Nope. On a single-user system, you'll probably be logged in as an Administrator, which gives you full write access to
The only additional thing root gives you is write access to
Re:Intrinsic Security in OS X (Score:3, Interesting)
If mass destruction is your aim, then the following will do the job nicely:
Or, you could:
Maybe it'd be a program to brute-force su, something often possible (brute-forcing ssh or telnet usually isn't.
With a bit more work, you could:
And run something on port 666 on attacker.com that gives attacker.com shell access.
All this assumes the rest of the operating system's security is iron-clad. Local exploits are, in general, much easier to pull off than remote ones. Account compromise is not a nice thing, at all.
b&
Re:Intrinsic Security in OS X (Score:2)
Wrong. Darwin is based on FreeBSD 3.2 (IIRC... I may have the version wrong), ported to Mach, with lots of optimizations to get rid of some of Mach's performance issues and some funky Apple-isms. OS X then runs on top of Darwin.
Re:Intrinsic Security in OS X (Score:2)
The problem is, there's no way to tell the difference between a data file and an executable that's been compressed. Say, you find a font with the letters in the shape of Natalie Portman in Mac format, and download it. If someone decided to put a trojan in instead of a font, then you're screwed.
Wow are you way off... (Score:3, Interesting)
Fact #2: FreeBSD does not use a Mach kernel.
Fact #3: The
Fact #4: The unix-like, BSD family, portion that makes up the base of MacOS X is not proprietary - it's called Darwin and is open and downloadable in source form (even ported to Intel). Only the upper level graphics system is closed. It's kinda like running a proprietary X Windows system on top of Linux.
Finally, Fact #5: Although there are some proprietary BSD-based OS's, the majority of the proprietary Unix OS's are based on AT&T->Novell->SCO->The OpenGroup code - not on BSD.
Please investigate your claims before boasting such innaccuracies.
Re:Intrinsic Security in OS X (Score:2)
creating libtool
loading cache
creating
creating Makefile
creating src/Makefile
checking for r00taxx in -lr00t... no
no r00t? Darn!
yeah, needless to say, that makefile and source got a closer looking at...
if you're curious, this was avi-xmms, a plugin for xmms that uses its playlist for avi files played by aviplay...
if I actually ever get it compiled
---
Re:Intrinsic Security in OS X (Score:2, Informative)
True, but since win2k doesn't have the equivalent of sudo or su, it can be a serious pain in the ass, especially for some luser who can't figure out why they can't do something unless they log out and log back in as admin, not a quick operation.
I would say that windows security (I know, an oxymoron) has improved since the bad old days of DOS, but it leaves much to be desired.
Re:Intrinsic Security in OS X (Score:2, Funny)
Not quite, W2K introduced the "Run as..." feature, and the NT Resource Kits have a su in them.
Don't get me wrong, they're still a bit of a PITA to use and not as transparent as sudo (but sudo is a bit of a hack really). They are there though.
I hate MS as much as the next guy, but will correct any incorrect MS bashing (don't worry, there's still plenty of other things to bash).
Sigh. (Score:3, Funny)
Fuckin' morons.
Re:Sigh. (Score:2, Funny)
i can hear it now "Oh my God, There is a terrible bug in all comuters, you have to shut off and go hide in a bunker. The world is coming to an end!"
Preferences (Score:4, Informative)
Re:Preferences (Score:3, Informative)
Over the years, Mac owners have enjoyed the ability to automaticall decode hqx and sit files without having them execute!
I say dump IE completely and use the alternates of which there are plenty.
Re:Preferences (Score:2)
You said it. And since this is a unix system here, you can serve justice to Microsoft, in a small way:
rm -rf /Applications/Internet\ Explorer*
Try it on the next OS X machine you admin. Very therapeutic, IMHO.
Re:Preferences (Score:2)
Re:Preferences (Score:2)
...or Mozilla [mozilla.org] (hey, it runs!)
:)
Re:Preferences (Score:2)
Re:Preferences (Score:2, Troll)
Re:Preferences (Score:2)
Re:Preferences (Score:2)
doesn't that mean that the only thing that it will do is run your decompressor automatically?
which is not a big deal at all?
Well, yeah..... (Score:4, Insightful)
I've recently started using Mac OSX for dev work, and so I've only just really got accustomed to the OS.
This isn't a OS10.1-specific thing. Straight OS10 does exactly the same thing.
It is dumb, but you can turn it off in the preferences panel. My guess would be that most users would turn it off when they go into the Prefs to change the default download location (as MacIE5 doesnt ask you for a download folder) to something more sensible.
Ppfffff.
Personally, I don't think this is an *enormous* worry for the average user. Imagine if PC IE6 did this. All hell would break loose. But, theres just not that many nasties lurking for the Mac OSX user, really. And besides, the more savvy users will shut this feature off.
It is mighty dumb though. And not even that userfriendly. When StuffIt starts up to expand your files, it steals focus from what you're doing and makes your system chug like hell on OS10.1.
Users are dumb (Score:5, Insightful)
Yeah, just like "most users" turn off Java and JavaScript in their browsers? Or turn off macros in their Word and avoid macro viruses?
Not true. "Most users" are dumb. They have no clue what is the difference between "document" and "program". They can't or don't want to change settings. They just click the icon when asked and execute the virus or trojan.
Well, there will always be dumb users. They are not a problem, braindead defaults are. Without all these be-user-friendly-execute-it-all defaults, we would have less viruses and worms going around. Software developers should take their responsibility seriously.
Re: Well, yeah... (Score:2, Interesting)
This is no excuse - all default options should be sensible options. Lots of people don't change their prefs from the defaults until something in the standard behaviour annoys them - which may take a long time, or forever.
It's still dangerous, even if it can be disabled. It shouldn't even be an option. If you want to run the thing so badly, then go run it manually.
(subject changed to avoid the "postersubj compression" error, whatever that is...)
Re:Well, yeah. (Score:2)
Except that the checkboxes say Automatically decode binhex files, they don't say ... and execute them without warning. The first would be a nice feature. The second is a security hole of Gatesian proportions.
Not Stuffit's Fault (Score:5, Informative)
It is not Stuffit. It's Internet Explorer de-binhexing and executing the coded app all on it's own. Since you mention Stuffit, I'm not sure you understand what is going on as Stuffit does not have this behavior (nor is it involved).
It's not a feature of OS X (or the OS's fault in any way). I never noticed the beta-IE (used in OS 10.0[0-4] doing this, and I used it throughout. I rarely booted into OS 9 when OS X came out, and I used the beta fairly extensively as well.
IE is auto-decoding a binhex, then if it's an application, automatically executing it. No other version of IE does this. No other mac internet app does either. Others will auto-decode files for you, but leave it to you to launch them.
Sure, you can turn off the binhex pref, but without the added "feature" it is not a security risk to simply de-binhex a file (probably less dangerous than uu-decoding). Even a savvy user who perused every setting wouldn't know to uncheck "automatically decode binhex" to turn off a feature that's so stupid one wonders why someone would bother coding it (automatically running dl'd apps).
Now Stuffit has it's own security risk. By default, it will auto-mount any disk image it decodes. A disk image can be set to automatically launch an app when loaded. Hence, Stuffit can be made to do what IE is doing in a roundabout way. Personally, I think this "feature" should be turned off for disk images as well.
I use the slowest G4, and I've not noticed Stuffit being a hog, though it is annoying. It ripped through the 189 MB dev tool installer in a few seconds.
IE has other problems as well. It will reset my Internet prefs (usually just the dl folder, but sometimes it will set itself as the default web app). Just use Omniweb, and you get a nice spell checker to spell check your posts (I know I need it).
All users will eventually run the executable (Score:2)
but seriously, your downloading an execuable, its being decompressed.
You can run it now, or run it later when you launch it....
Some Mac users don't diferentiate executables and documents. They often double click on executables and documents. The mac stores file type and application to run with documents (at least up to 9.x) so it knows which application to run. Many mac users use documents to launch their programs (a more doc-u-centric approach)
The danger here is people may think they are downloading a data file, when its an executable. most people don't check. The pc sircam virus uses this technique to trick users into launching it, so its not a unique "mac" problem.
Watch what you download..!
On the plus side the Unixy features of OSX should prevent it from hosing your system, you just have to worry about your documents...
somewhat unfair to gloat (Score:3, Insightful)
Having said that, the use of the OK button should be related to the amount of damage a malicious item can cause. In the case of binhex it seems like a no-brainer to ask first...
Original posting (Score:3, Informative)
"Date: Sat, 29 Sep 2001 17:02:59 -0400
From: [MacInTouch reader]
Subject: Security Alert for Explorer 5.1 (MacOS X 10.1)
I am shocked to report a huge security hole in the latest Internet Explorer version 5.1 that comes preinstalled on MacOS X 10.1
Every .hqx encoded classic application is decoded by explorer itself (that's the default, stuffit expander isn't used) and then AUTOMATICALLY STARTED!
This is totally unacceptable. You can test this simply by pointing your browser to
http://www.pardeike.net/danger.hqx
where I put a very small C program that just displays a message (trust me, it *only* does that message, nothing more)"
Tried it. Does nothing (Score:3, Informative)
Re:Tried it. Does nothing (Score:2, Informative)
It may be configurable but why not secure defaults (Score:2)
--CTH
Personally, I prefer OmniWeb (Score:5, Informative)
As an added benefit, OmniWeb has options to disable banner ads (sorry VA), kill javascript popup windows, and it's just a generally nicer browser with more intelligent design decisions. And it keeps web pages from looking like NASCAR with all the bloody ads and popups. Did I mention how it kills ads and popups? Although I will admit IE is wicked fast under 10.1, OmniWeb is plenty fast enough.
Re:Personally, I prefer OmniWeb (Score:2, Informative)
Workaround? (Score:2, Insightful)
OmniWeb, Mozilla (Score:2)
You're using Mac OS X, why have *anything* to do with Microsoft?? Forget MSIE and use Mozilla or OmniWeb.
Though.... I have to admit that MS Office X [microsoft.com] looks kinda neat. I just hope Corel hurrys up and makes a "Corel Office Suite X".
i didn't even think it was a bug (Score:4, Interesting)
Knowing Microsoft... (Score:3, Funny)
Knowing Microsoft, even when it does ask you to execute the file, the only option it'll give is "OK".
Sounds like the recent slrn bug (Score:3, Interesting)
However, I'm not sure Microsoft should be let off the hook for the equivalent behavior on the Mac. The Unix code was there for a very, very long time... when it was added it was a reasonable assumption that people would not send nasties because it was too easy to complain to their employer or grad department (the only way to get online) and cause the sender significant personal pain. (This is also a painful reminder that just because code is available doesn't mean that the right people are reviewing it.) In contrast, by the time somebody added that code to the Mac version of MSIE, the possibility of untraceable, hostile scripts should have been obvious.
Yup it's real. (Score:2)
look in the preferences (Score:2, Redundant)
Security comparison; reason for insecure code? (Score:4, Informative)
q279328 [microsoft.com] - allows execution of code through print templates or web forms
q286045 [microsoft.com] - allows someone to execute files and read files on your machine (using a combination of both exploits that patch fixed)
q286043 [microsoft.com] - allows someone to begin a telnet session and send data to your machine (as well as execute it) if you've installed Services for Unix
q273868 [microsoft.com] - sends your authentication information on every query as long as they're on the same hostname
Four major exploits in the last twelve months. Certainly, those aren't all of the exploits, erm, extra features that IE has had bundled with it lately, but they are a few that have readily accessible information from Microsoft.
One could imagine eternally why Microsoft designs such insecure products, but look at it this way:
Have you ever coded a product that was efficient and secure after being pushed for three days to meet a deadline? Don't you become somewhat exhausted and lazy, primarily because you want to sleep, no matter how much money you're going to be paid? There comes a point where caffeine just won't help you operate anymore and your health becomes more of a priority than a "higher-up"'s regime.
Microsoft developers (in the words of Ballmer) are only human as well -- and I'm sure they work just as hard as we do.
Re:Security comparison; reason for insecure code? (Score:3, Funny)
Harder! Because evil never sleeps...
Here's the fix (no sarcastic anti-MS comment here) (Score:5, Informative)
Go to the "Receiving Files" options and DISABLE "Automatically decode MacBinary files" and "Automatically decode BinHex files".
Easy as that.
Why is it there? (Score:4, Insightful)
If I click on a link for a
Apparently this same mechanism accidentally results in executables being run as an attempt to pass them along for further processing to the OS. It's obviously a security whole in retrospect, but understandable how it occured.
Re:Why is it there? (Score:2)
Mac OS has always been more dangerous as far as trusting data files goes, simply because their forked file format allowed executable code to be attached to any otherwise "pure" data file. If I'm not mistaken (I'm not overly familiar with the internals of the Mac OS), this behavior was used so that data files could FIND their host application, or another suitable application instead, when they were double-clicked. It's a great convenience feature, but it also makes spreading illicit code easier... you don't have to virus scan a
I wonder if this exploit has anything to do with that.
Re:Why is it there? (Score:2)
Nope, completely wrong. The "finding" you're talking about (where the Finder got its name) in an attribute in the filesystem, not something in the resource fork, and it's simply two 4-byte identifiers in each file. It's true that you can embed executable code in any file, but there's no reason why this code should EVER be executed, unless the file in question is an executable type of file (such as an application, an extension, or a control panel).
I wonder if this exploit has anything to do with that.
Nope.
Re:Why is it there? (Score:4, Informative)
That actually makes sense.
Solution: Check to see what the .hqx decoded to. If its filetype is APPL, do not launch it.
Time for a patch... :)
Re:Why is it there? (Score:2)
Yep, I agree.
If I click on a link for a
Absolutely not. The is NO REASON why a Word or Acrobat document should be encoded as BinHex, EVER. If I stumble across one, I want to be forced to go through the extra step of double-clicking, just to make sure I really know what I'm doing.
pop-up virus? (Score:2)
Does anyone else remember how new windows with binary files turn automatically in download of the file? You don't even have to start the download yourself. Just browse on some site...
Replace IE On Any System (Score:2, Redundant)
Solution (Score:5, Funny)
- Create script to toggle 'autoexec
.hqx downloads' to FALSE
- Insert the file into the X-10 popup banner
Problem solved.New slogan (Score:2, Funny)
Microsoft, Helping people root boxes cince 1983 and now with cross platform capabilities built specifically for Macintosh OS 10!
not just IE..tis a mac thing (Score:3, Offtopic)
Execution (Score:2, Funny)
Now if an "executed" program is STILL a security risk -- I don't know how we can ever be secure.
Simple fix for the problem (Score:2, Redundant)
-Henry
Step back and smell the irony (Score:3, Funny)
These are strange times, my friends.
two points to be made (Score:2)
1) The app only starts automatically if you just click on the link. If you option-click(what I usually do when I want to download a file). It doesn't autostart it. When you option-click you are basically telling the browser "save this file to my HD", when you just normally click, you are saying "show me this file"(so like a PDF will download to the HD and then be opened). Still obviously it should not automatically open apps.
2) This is only for Classic apps. The reason this is good is that I usually don't have Classic open(because it sucks). So when I click this, it automatically starts opening Classic(which takes 30-45 seconds). If during that time I just click to stop opening Classic, the program never runs.
That's not the security hole... (Score:4, Insightful)
If you click on a link to a binhex'd file, and it's an application, then normally it gets un-binhex'd for you. Well and good. Now what's the next thing you do? Without fail, it is to double-click on the decoded file. Not to check the file in any way, compare fingerprints or whatnot. You go and double-click the file, opening it up. If it's a trojan, you lose.
Some may argue "well, but what if it says it's a picture file, but turns out to be a trojaned app?" Doesn't matter; I can set the app's icon to look like that of a picture file, and you're just as screwed when you double-click on it.
So what about automating the double-click makes this a "huge security hole"? It seems like once you've downloaded the thing, you're already toast.
Please note that I'm not trying to gloss over the wrongness of the auto-launch, but rather to point out that we need some better form of security systemwide.
Shades of MSN 1.0 (Score:3, Informative)
In other words, if the normal behavior when encountering an image/tiff file is to open it in Photoshop, then that is what should happen to a binhexed TIFF. If it's an
The problem here is that it sounds like IE is handing the decoded file to OS X's "file open" handler (the call made when double-clicking an icon in the Finder) instead of to IE's "file download" handler, which checks MIME-handling rules and security zones set in IE and systemwide preferences.
Not unlike an incident I remember back in 1995 during the Windows 95 betas, when the original webless MSN was opened to content developers. It used a Windows Explorer metaphor, with online content organized as folders and icons. Content providers were encouraged to post RTF documents as content, but any file was fair game. Thing was, when users double-cliked on files to open them, they were treated like local files. Some of the earliest Word macro viruses got spread this way. I remember being shown this at a beta developers' convention before the first macro viruses even hit and asking if it could pass opened files through the user's virus scanner before opening them. "No, we hadn't thought of that," said an engineer. Horrified looks and some intensive scribbling on notepads followed, though nothing was done in time for launch beyond a useless request to content providers that they try to scan things for viruses before posting them.
Re:IE Flaw (Score:2, Funny)
Re:IE Flaw (Score:2)
Actually, I did read the article. IIRC, the author points out that file and creator type are not part of the Mac's resource fork, but rather its data fork. So while such information is certainly metadata, there's no good reasons that other OS's shouldn't be able to interpret Mac file type information. (Application type is a little trickier, I admit, but that should be information which a user is free to ignore anyway.)
I strongly agree with the author's contention that suffixes are a lousy way to identify file type, and as a long-term Mac guy, I'm dismayed that MacOS X (which is in almost every other respect a great OS) is moving so strongly in the direction of suffix-identified files.
In any case, none of that is directly relevant here. The IE flaw has to do with the Mac as a file client, not a server.
Re:Not M$ (Score:2, Informative)
Re:Not M$ (Score:2, Interesting)
Microsoft has a large mac software division that makes IE as well as Office for Mac and some other software.
In fact, microsoft's mac division has more mac programmers than anywhere else but Apple (or so I read in a macworld article a few months back).
Re:Not M$ (Score:2)
Re:Not M$ (Score:5, Informative)
Not. It's developed and published by the Microsoft Macintosh Business unit, which is a somewhat independent MS arm out in the SF Bay Area. Apple's only involvement is bundling IE with the OS. About the only way your statement is accurate is if you're trying to stipulate that IE for Mac has little to do with IE for windows, which is correct. In fact, it's not uncommon for IE/Windoze to inherit good ideas from IE/Mac.
And not to be picky, but it's Mac. Short for Macintosh. Not MAC, short for Media Access Control address, as in your NIC card.
Re:Not M$ (Score:2)
If only that were true. It is correct that large corporations are actually a bunch of smaller companies bound together as "business units" in an attempt to get them to play nice together, but Microsoft is bound closer than most such businesses, with the top leading by example.
As evidence, take their uniformly poor attitude towards security...and their applying features from games to other software (one can get obsessed about a game and learn all its controls, and if it crashes, one can just pick up from the last save; this mantra has problems when applied to, say, office software). Also see "embrace and extend" used across the board, to varying degrees of success.
Re:Not exactly.... what it REALLY does (Score:2, Informative)
As YOU DIDN"T read this article using said browser (Score:5, Informative)
Its been standard in Mac OS for Stuffit Expander to automatically extract archives once downloaded. Isn't this issue related more to Stuffit Expander than IE?"
We all know how hard it is to click on a link and read the article, so I did it for you.
From the MacInTouch web site: "Every .hqx encoded classic application is decoded by Explorer itself (that's the default, Stuffit Expander isn't used) and then AUTOMATICALLY STARTED!"
I suggest that in the future you read the article in question before posting.
Steve M
Re:...As I read this article using said browser (Score:2, Informative)
Example: When you download a copy of a program through IE and Stuffit Expander automatically runs after the download completes, the program you downloaded doesn't automatically run after Stuffit quits. You have to double click or open the uncompressed program for it to execute. Therein lies the problem with this version of IE--it executes programs after they are downloaded. See the difference?
Re:...As I read this article using said browser (Score:2)
IE5 on OS9 (what I'm using :) automagically extracts .hqx and .bin files.
This is a cool feature. It avoids the annoying StuffIt! wait when the expander process is spawned.
Of course, I have Virex enabled, so I get that wait imposed on me.
Incidentally, Fetch (an FTP client) does too. (It also automagically extracts .gz and .tar files. This is really irritating when I'm just transferring my gzips to the iMac for burning. but oh well. :)
Re:Thanks, Apple (Score:2)
"Admin" users do, non-admin users don't. The default user account Mac OS X sets up is a member of the admin group, and can create other admin and non-admin users.
Re:Thanks, Apple (Score:2)
Probably not, but when it comes down to brass tacks, the part of the system that stings the user the most when it gets damaged is the user's data, which is accessible to the user and fair game to a trojan horse/virus/backdoor.
I'm only out an hour if I just have to reinstall the OS. I'm out possibly several months if my data gets wiped out and I don't back up (like the average user).
Re:Security Hole a Hoax (Score:2, Informative)
However, I installed OS X and the 10.1 upgrade the other day, and I don't have the problem described.
Re:I really don't see what the problem is. (Score:2)
Re:Well! (Score:2)
2. NT4 is no longer a microsoft product see here [microsoft.com]
"Effective October 1, 2001, Windows NT Server 4.0, Windows NT 4.0, Enterprise Edition, and Windows NT 4.0 Client Access Licenses (CALs), will no longer be available through volume licensing programs"
skwid
Re:Well! (Score:2)
And if they weren't then you'd be yelling about how the video performace is so slow.
What's the bloody deal? If you install a crappy video driver even if it's not in the kernel is has hardware access which means that it can toast the system. So don't install crappy video drivers.
NT4 is no longer a microsoft product
you have an interesting interpretation of "discontinued". It does NOT mean that it's no longer a MS product, it just means that they're not supporting it anymore (which makes sense).
The real reason (Score:2, Funny)
Design a computer for an moron, and only morons will use it.
Re:Wouldn't you think (Score:4, Insightful)
Apple directly competes with MS... (Score:2, Informative)