02-21-2006, 05:57 AM

http://isc.incidents.org/diary.php?storyid=1138

Thoughts? I understand the first part, but can someone explain the second part please of how this still makes a machine vulnerable without needing Safari?

I ask this because surely the user would have to decompress the file to begin with, and if the file is from a suspicious/malicious site, then a user would not choose to unzip it ?

Also, does OSX not give you a warning when you are unzipping a file if there are commands in it?

02-21-2006, 07:23 AM

thats terrible i bet apple will fix it sooner rather than later

02-21-2006, 07:42 AM

I tried it with Shiira, it landed on my desk top.. In safari I unchecked this box a long time ago, it stops the automatic opening of a file.

02-21-2006, 07:52 AM

Quote:

Originally Posted by jram

I tried it with Shiira, it landed on my desk top.. In safari I unchecked this box a long time ago, it stops the automatic opening of a file.

Yes, I agree. I always have mine unticked too. However, they are saying, even if it is unchecked in Safari that it still presents a serious risk in the updated part, as it does not require Safari to run.

Just wanted to know in layman's terms what they are trying to say in the second part of the report as I can see the vulnerability, but the method behind it (having to uncompress a suspect file) is unlikely to happen too much - unless users are in the habit of uncompressing suspect files perhaps?

02-21-2006, 08:23 AM

I really don't understand, but I just clicked on a link that is suppose to be a demo of the exploit.. It didn't open, are you saying it doesn't have to open??

02-21-2006, 09:06 AM

This is just a reflection of Safari autohandleing certain file types automatically near as I can tell.

This was corrected for default behavior with the whole widget fiasco. If someone has safari (or other app) set to autohandle the file there is a risk. Further as near as I can tell you can have a script autorun on unzipping of the file, this might not be the wisest of things to allow a zip file to do without warning. If that is the case then it is "as designed" but is a potential problem.

02-21-2006, 09:40 AM

You guys are missing the severity of this:

Taken from link:

Quote:

When this script was stored in a ZIP archive, Mac OS X will add a binary metadata to the archive. This file determines what will be used to open the main file in the archive, regardless of the extension or symbol displayed in the Finder.

This has nothing to do with safari. Malicious files can be disguised to appear like any file that the mean ol destructor of the mac omniverse desires. One simple way to guard from this is to stick to column view. The nice little preview window will tell you what app is associated with the file, regardless of name and extension.

02-21-2006, 10:35 AM

Quote:

Originally Posted by JunMacTech

This has nothing to do with safari. Malicious files can be disguised to appear like any file that the mean ol destructor of the mac omniverse desires. One simple way to guard from this is to stick to column view. The nice little preview window will tell you what app is associated with the file, regardless of name and extension.

I believe this to be correct in some ways, although they are saying that it can be applied in any file format, they are saying it is launched through safari. If you acces this file in any other way (ie. through mail or an im transfer) then you will have to execute it yourself, which is not much of a threat because you should know how your computer works and how it should handle certainf file types.. you are correct that a good way to protect yourself is to use column veiw but an other good way to protect yourself would be to enbable file extentions in finder so you can see what it is you are dealing with. It is very easy for somebody (like it already occured) to change the icon of an application to appear to be a jpeg.

02-21-2006, 10:49 AM

Quote:

Originally Posted by PowerBookG4

If you acces this file in any other way (ie. through mail or an im transfer) then you will have to execute it yourself, which is not much of a threat because you should know how your computer works and how it should handle certainf file types..

I agree that I know how my computer works, and that users SHOULD. Unfortunately for me, most of the users that I support do not. If it looks like a jpeg, they are going to open it. If they downloaded a "mp3" from a peer to peer network, they aren't going to pay attention to the fact that it is only 2KB. They are going to execute that file and execute the nice little script that deletes their home directory.

I can show them how to protect themselves, the fact is they won't.

I can lead the horse to water, **** I can toss it in. But unless I ram a feeding tube down it's throat or stick it with an IV, 90% of the time it's not going to take a drink.

02-21-2006, 11:16 AM

Hmm... I agree with JunMacTech, but the problem here is: how do you "fix it"? First, Apple has to keep the support for custom icons on all files—there would be many complaints if they didn't, so now what do you do? I, honestly, have no idea. :-\

02-21-2006, 11:57 AM

Quote:

Originally Posted by Tiranis

Hmm... I agree with JunMacTech, but the problem here is: how do you "fix it"? First, Apple has to keep the support for custom icons on all files—there would be many complaints if they didn't, so now what do you do? I, honestly, have no idea. :-\

Other people have suggested that the Finder should attach a "badge" (a small overlaid icon, like the arrow on an alias) to every executable. This would have to include applications and Terminal documents (like the shell script in the proof-of-concept) at a minimum, and perhaps AppleScripts. No matter what icon you paste onto the file, the badge would appear over it.

02-21-2006, 12:26 PM

The code activates and runs in the Terminal; it does not run in Safari. Deselecting the open safe files option does not prevent downloading the malicious file; it only prevents it from being automatically opened. And it does not stop Mail or other programs from opening the file. You can prevent the code from running by simply renaming the Terminal to something else like myTerminal. Macintouch has posted a link to a non-harmful example to test your system.

02-21-2006, 12:27 PM

It would be productive to do that, but how many people who want to make their own applicatoin with their own icon would get annoyed by the fact that there is going to be a badge over it?

02-21-2006, 12:49 PM

Quote:

Originally Posted by Badger

The code activates and runs in the Terminal; it does not run in Safari. Deselecting the open safe files option does not prevent downloading the malicious file; it only prevents it from being automatically opened. And it does not stop Mail or other programs from opening the file. You can prevent the code from running by simply renaming the Terminal to something else like myTerminal. Macintouch has posted a link to a non-harmful example to test your system.

Interesting, I had read that renaming these apps could break other things...?

02-21-2006, 01:09 PM

Quote:

Originally Posted by JunMacTech

Interesting, I had read that renaming these apps could break other things...?

Ok, here is what I did.

Renamed /applications/utilities/Terminal.app
to _Terminal.app

Create a workflow containing:
Ask for Confirmation
Launch Application

In the Ask for Confirmation, say something like Are you sure you wish to launch the Terminal? Give the security reasons why.

Launch application - > Point to _Terminal.app

Save the workflow as an application called Terminal.app in /applications/utilities

Now whenever /applications/utilities/Terminal.app is called, it will request your permission.