
OS 10.4 - New Serious flaw found on OSX


Kyomii

 
Member Since: Nov 12, 2004
Location: Lancashire, UK
Posts: 356
Mac Specs: MacMini DC 1.66, Powerbook G4
http://isc.incidents.org/diary.php?storyid=1138

Thoughts? I understand the first part, but can someone explain the second part please of how this still makes a machine vulnerable without needing Safari?

I ask this because surely the user would have to decompress the file to begin with, and if the file is from a suspicious/malicious site, then a user would not choose to unzip it?

Also, does OSX not give you a warning when you are unzipping a file if there are commands in it?

Fondest regards, Kyomii

EDIT-XTREEM

 
Member Since: Jun 27, 2005
Location: In the mac store and at home on my iMac
Posts: 1,165
That's terrible. I bet Apple will fix it sooner rather than later.

Mac Pro (Early 2009) 8 Core 2.26 GHz, 6 GB Ram, 640 GB Drive. Dell 2408WFP.
jram

 
Member Since: Apr 08, 2005
Posts: 472
I tried it with Shiira; it landed on my desktop. In Safari I unchecked this box a long time ago; it stops the automatic opening of a file.
Kyomii

 
Member Since: Nov 12, 2004
Location: Lancashire, UK
Posts: 356
Mac Specs: MacMini DC 1.66, Powerbook G4
Quote:
Originally Posted by jram
I tried it with Shiira; it landed on my desktop. In Safari I unchecked this box a long time ago; it stops the automatic opening of a file.

Yes, I agree. I always have mine unticked too. However, they are saying, even if it is unchecked in Safari that it still presents a serious risk in the updated part, as it does not require Safari to run.

Just wanted to know in layman's terms what they are trying to say in the second part of the report as I can see the vulnerability, but the method behind it (having to uncompress a suspect file) is unlikely to happen too much - unless users are in the habit of uncompressing suspect files perhaps?

Fondest regards, Kyomii

jram

 
Member Since: Apr 08, 2005
Posts: 472
I really don't understand, but I just clicked on a link that is supposed to be a demo of the exploit. It didn't open; are you saying it doesn't have to open?
Kokopelli
Guest
 
Posts: n/a

This is just a reflection of Safari auto-handling certain file types automatically, as near as I can tell.

This was corrected for default behavior with the whole widget fiasco. If someone has Safari (or another app) set to auto-handle the file, there is a risk. Further, as near as I can tell, you can have a script autorun on unzipping of the file; this might not be the wisest of things to allow a zip file to do without warning. If that is the case then it is "as designed" but is a potential problem.
JunMacTech
Guest
 
Posts: n/a

You guys are missing the severity of this:

Taken from link:
Quote:
When this script was stored in a ZIP archive, Mac OS X will add a binary metadata to the archive. This file determines what will be used to open the main file in the archive, regardless of the extension or symbol displayed in the Finder.
This has nothing to do with Safari. Malicious files can be disguised to appear like any file that the mean ol' destructor of the Mac omniverse desires. One simple way to guard from this is to stick to column view. The nice little preview window will tell you what app is associated with the file, regardless of name and extension.
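An added example, not part of any post in this thread and not taken from the linked report: a Python check that inspects a ZIP without extracting it and flags members whose extension looks passive but whose content starts with a script shebang, noting whether the `__MACOSX/._name` AppleDouble metadata entry that Mac OS X's archiver writes is present. The extension list, function names and sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # AppleDouble header magic number
# Assumed list of extensions a user expects to be data, not something that runs.
PASSIVE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".mov", ".pdf", ".txt"}

def sidecar_name(member):
    """Path under __MACOSX/ where the metadata entry for `member` is stored."""
    head, tail = posixpath.split(member)
    return posixpath.join("__MACOSX", head, "._" + tail)

def audit_zip(data):
    """Return {member: [notes]} for a ZIP held in bytes; nothing is extracted."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue
            ext = posixpath.splitext(name)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(2)
            # Core signal: the name says "media", the first bytes say "script".
            if not (ext in PASSIVE_EXTS and head == b"#!"):
                continue
            notes = ["script content behind a passive extension"]
            # A sidecar alone is common and benign; it matters next to the mismatch.
            side = sidecar_name(name)
            if side in names and zf.read(side)[:4] == APPLEDOUBLE_MAGIC:
                notes.append("AppleDouble metadata sidecar present")
            findings[name] = notes
    return findings

def build_sample():
    """Constructed sample: harmless script named like a photo plus a stub sidecar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", "#!/bin/sh\necho harmless\n")
        zf.writestr("__MACOSX/._holiday.jpg", APPLEDOUBLE_MAGIC + b"\x00" * 22)
        zf.writestr("notes.txt", "plain text\n")
    return buf.getvalue()

if __name__ == "__main__":
    for member, notes in audit_zip(build_sample()).items():
        print(member, "->", "; ".join(notes))
```

A check like this fits a mail gateway or download folder scan, where the archive can be examined before any user double-clicks its contents.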
PowerBookG4

 
Member Since: Jan 08, 2005
Location: New Jersey
Posts: 6,190
Mac Specs: Mac Pro 8x3.0ghz 12gb ram 8800GT , MBP 2.16 2GB Ram 17 inch.
Quote:
Originally Posted by JunMacTech
This has nothing to do with Safari. Malicious files can be disguised to appear like any file that the mean ol' destructor of the Mac omniverse desires. One simple way to guard from this is to stick to column view. The nice little preview window will tell you what app is associated with the file, regardless of name and extension.
I believe this to be correct in some ways. Although they are saying that it can be applied in any file format, they are saying it is launched through Safari. If you access this file in any other way (i.e. through Mail or an IM transfer) then you will have to execute it yourself, which is not much of a threat because you should know how your computer works and how it should handle certain file types. You are correct that a good way to protect yourself is to use column view, but another good way to protect yourself would be to enable file extensions in Finder so you can see what it is you are dealing with. It is very easy for somebody (like it already occurred) to change the icon of an application to appear to be a JPEG.

JunMacTech
Guest
 
Posts: n/a

Quote:
Originally Posted by PowerBookG4
If you access this file in any other way (i.e. through Mail or an IM transfer) then you will have to execute it yourself, which is not much of a threat because you should know how your computer works and how it should handle certain file types.
I agree that I know how my computer works, and that users SHOULD. Unfortunately for me, most of the users that I support do not. If it looks like a jpeg, they are going to open it. If they downloaded a "mp3" from a peer to peer network, they aren't going to pay attention to the fact that it is only 2KB. They are going to execute that file and execute the nice little script that deletes their home directory.

I can show them how to protect themselves, the fact is they won't.

I can lead the horse to water, **** I can toss it in. But unless I ram a feeding tube down its throat or stick it with an IV, 90% of the time it's not going to take a drink.
Tiranis
Guest
 
Posts: n/a

Hmm... I agree with JunMacTech, but the problem here is: how do you "fix it"? First, Apple has to keep the support for custom icons on all files—there would be many complaints if they didn't, so now what do you do? I, honestly, have no idea. :-\
technologist

 
Member Since: Mar 30, 2004
Location: USA
Posts: 4,744
Mac Specs: 12" Apple PowerBook G4 (1.5GHz)
Quote:
Originally Posted by Tiranis
Hmm... I agree with JunMacTech, but the problem here is: how do you "fix it"? First, Apple has to keep the support for custom icons on all files—there would be many complaints if they didn't, so now what do you do? I, honestly, have no idea. :-\
Other people have suggested that the Finder should attach a "badge" (a small overlaid icon, like the arrow on an alias) to every executable. This would have to include applications and Terminal documents (like the shell script in the proof-of-concept) at a minimum, and perhaps AppleScripts. No matter what icon you paste onto the file, the badge would appear over it.
Badger
Guest
 
Posts: n/a

The code activates and runs in the Terminal; it does not run in Safari. Deselecting the open safe files option does not prevent downloading the malicious file; it only prevents it from being automatically opened. And it does not stop Mail or other programs from opening the file. You can prevent the code from running by simply renaming the Terminal to something else like myTerminal. Macintouch has posted a link to a non-harmful example to test your system.
PowerBookG4

 
Member Since: Jan 08, 2005
Location: New Jersey
Posts: 6,190
Mac Specs: Mac Pro 8x3.0ghz 12gb ram 8800GT , MBP 2.16 2GB Ram 17 inch.
It would be productive to do that, but how many people who want to make their own application with their own icon would get annoyed by the fact that there is going to be a badge over it?

JunMacTech
Guest
 
Posts: n/a

Quote:
Originally Posted by Badger
The code activates and runs in the Terminal; it does not run in Safari. Deselecting the open safe files option does not prevent downloading the malicious file; it only prevents it from being automatically opened. And it does not stop Mail or other programs from opening the file. You can prevent the code from running by simply renaming the Terminal to something else like myTerminal. Macintouch has posted a link to a non-harmful example to test your system.
Interesting, I had read that renaming these apps could break other things...?
JunMacTech
Guest
 
Posts: n/a

Quote:
Originally Posted by JunMacTech
Interesting, I had read that renaming these apps could break other things...?
Ok, here is what I did.

Renamed /applications/utilities/Terminal.app to _Terminal.app

Create a workflow containing:
Ask for Confirmation
Launch Application

In the Ask for Confirmation, say something like "Are you sure you wish to launch the Terminal?" Give the security reasons why.

Launch Application -> Point to _Terminal.app

Save the workflow as an application called Terminal.app in /applications/utilities

Now whenever /applications/utilities/Terminal.app is called, it will request your permission.