Results 1 to 12 of 12

Thread: Mac OSX Bug

  1. #1

    Liam's Avatar
    Member Since
    Aug 15, 2006
    Location
    Abu Dhabi, United Arab Emirates
    Posts
    483
    Mac OSX Bug

  2. #2

    KoDorSean's Avatar
    Member Since
    Jun 03, 2006
    Location
    Denver Colorado
    Posts
    2,371
    Specs:
    2.4 GHz intel core 2 duo MBP, iPhone 5, iPad 3
    Quote Originally Posted by Liam View Post
    interesting, ill stay away from .dmg

    I was on the M-F honor roll for month : May 2007

  3. #3

    cazabam's Avatar
    Member Since
    Jun 06, 2006
    Posts
    1,153
    Specs:
    MacBook 2.0GHz White, 512MB RAM, 60GB HDD
    I don't think there's a reason to shun .dmg entirely (after all, most software is packaged in .dmg these days). However, I will be vigilant about where the .dmgs I use are from!

  4. #4


    Member Since
    Aug 16, 2006
    Posts
    245
    I like the bit in the BBC article that states:

    Apple has yet to provide a fix for the DMG bug though a workaround is known which should stop computers falling victim.
    And then doesn't elaborate at all on the workaround...

  5. #5

    D3v1L80Y's Avatar
    Member Since
    Feb 02, 2004
    Location
    PA
    Posts
    12,456
    Specs:
    MacBook
    Quote Originally Posted by kodorsean View Post
    interesting, ill stay away from .dmg
    That wouldn't be a wise thing to do... in fact, it would be a little silly IMO.
    As was stated, the vast majority of downloadable software (shareware, freeware) for Mac OS comes in the .dmg format.
    The article never elaborates on what this "code bug" is or does, nor does it describe what a "vulnerable" machine entails. It really doesn't say much of anything, really.
    The most important line of the article I find is this:
    Quote Originally Posted by Article
    The bug has only been proved to work under laboratory conditions. No cases of it being exploited in the wild are known and no users are thought to be at risk.
    The second-most important line is this:
    Quote Originally Posted by Article
    It urged users to avoid downloading DMG files, which bear a .dmg suffix, from unknown sources.
    The bolded suggestions should be more or less common sense, anyway.:black:
    __________________________________________________
    Posting and YOU|Forum Community Guidelines|The Apple Product Cycle|Forum Courtesy

    mac: a waterproof raincoat made of rubberized fabric
    MAC: a data communication protocol sub-layer, also known as the Media Access Control
    Mac: a brand name which covers several lines of personal computers designed, developed, and marketed by Apple Inc.


  6. #6

    Zoolook's Avatar
    Member Since
    Sep 24, 2006
    Location
    Brooklyn, New York
    Posts
    2,756
    Specs:
    15" MacBook Pro, i7 2.66Ghz, 8GB RAM, 512GB SSD; iPad 3, iPhone 5
    I like the replies so far, I don't think there is any need for panic.

    1stly, a whole bunch of stuff as to happen before there is any serious risk. You have to download a .dmg from an untrustworthy source. Then after executing it and mounting the new files, your machine is potentially vulnerable or unstable. So between you executing the .dmg and any restart someone has to attack your machine, meaning getting around your firewall, knowing your IP address etc.

    Secondly, even with the most secure OS in the world, you cannot account for user flaws. Whenever people download shareware or freeware and want to install it and the OS asks for the root password, people happily give it. ANY of these programmes could potentially be dangerous and open the system's back door to intruders.
    In the land of the blind, the one-eyed man is stoned to death.
    - Joan D. Vinge


  7. #7

    KoDorSean's Avatar
    Member Since
    Jun 03, 2006
    Location
    Denver Colorado
    Posts
    2,371
    Specs:
    2.4 GHz intel core 2 duo MBP, iPhone 5, iPad 3
    Quote Originally Posted by D3v1L80Y View Post
    That wouldn't be a wise thing to do... in fact, it would be a little silly IMO.
    As was stated, the vast majority of downloadable software (shareware, freeware) for Mac OS comes in the .dmg format.
    The article never elaborates on what this "code bug" is or does, nor does it describe what a "vulnerable" machine entails. It really doesn't say much of anything, really.
    The most important line of the article I find is this:The second-most important line is this:The bolded suggestions should be more or less common sense, anyway.:black:
    I should have been more clear, my mistake. Ill stay away from .dmg when downloading from unknown sources.

    I was on the M-F honor roll for month : May 2007

  8. #8

    Aptmunich's Avatar
    Member Since
    Mar 09, 2004
    Location
    Munich
    Posts
    9,073
    Specs:
    Aluminium Macbook 2.4 Ghz 4GB RAM, SSD 24" Samsung Display, iPhone 4, iPad 2
    The workaround is to turn off the 'open "safe" files after downloading' option in safari.

    That stops dmg's from being accidently downloaded and launched without any user interaction.

  9. #9


    Member Since
    Aug 16, 2006
    Posts
    245
    Quote Originally Posted by Zoolook View Post
    I like the replies so far, I don't think there is any need for panic.

    1stly, a whole bunch of stuff as to happen before there is any serious risk. You have to download a .dmg from an untrustworthy source. Then after executing it and mounting the new files, your machine is potentially vulnerable or unstable. So between you executing the .dmg and any restart someone has to attack your machine, meaning getting around your firewall, knowing your IP address etc.
    Hmmm... how sure of this are you? It sounds to me from the article, that what they are referring to is a buffer overrun style attack, possibly in expanding (if that's what it does) or mounting the dmg file. A cleverly coded buffer overrun can result in pre-defined code being executed directly without any further interaction being required.

    You are implying that mounting a dmg could cause some kind of server to be temporarily installed and require someone to actively try to contact you at that moment. If a hacker can manage to run up a piece of code to do this, they can certainly manage to do a bit more than that!

    However, it would require a privilege escalation style attack before I'd be overly concerned about it and I don't know of any way of escalating privileges myself under OS X (although my knowledge is not comprehensive enough to state this categorically...)

    p.s. Aptmunich - thanks for that on the workaround, I guess that helps a little.

  10. #10

    Zoolook's Avatar
    Member Since
    Sep 24, 2006
    Location
    Brooklyn, New York
    Posts
    2,756
    Specs:
    15" MacBook Pro, i7 2.66Ghz, 8GB RAM, 512GB SSD; iPad 3, iPhone 5
    Quote Originally Posted by Jem View Post
    Hmmm... how sure of this are you? It sounds to me from the article, that what they are referring to is a buffer overrun style attack, possibly in expanding (if that's what it does) or mounting the dmg file. A cleverly coded buffer overrun can result in pre-defined code being executed directly without any further interaction being required.

    You are implying that mounting a dmg could cause some kind of server to be temporarily installed and require someone to actively try to contact you at that moment. If a hacker can manage to run up a piece of code to do this, they can certainly manage to do a bit more than that!

    However, it would require a privilege escalation style attack before I'd be overly concerned about it and I don't know of any way of escalating privileges myself under OS X (although my knowledge is not comprehensive enough to state this categorically...)
    Well I am not certain at all, and neither is anyone else by the looks of it.

    My point really is that any attack that requires the user to double click on something and then results in nothing more than a buffer over run, is hardly a major threat. I must admit I didn't know that some users had Safari set up to automatically execute DMG files as soon as they download.

    The bottom line is no OS is entirely secure. If all the hackers and trouble makers who mess up WindowsXP every day turned their attention to OS X, then there might be something to worry about.
    In the land of the blind, the one-eyed man is stoned to death.
    - Joan D. Vinge


  11. #11


    Member Since
    Aug 16, 2006
    Posts
    245
    Oh sure, I totally agree, no OS is entirely secure and no doubt as Apple gain market share so they will also gain at least a few exploits. Mind you I wouldn't down play a buffer overrun too much, they can be purposefully exploited to do nasty stuff like erasing files without the user even noticing.

    OK they're not going to destroy your entire system but they could do enough to cause regular users serious data loss. My most serious concern would really be if they managed to locate an existing privilege escalation loophole and could exploit that through the buffer overrun. Then your system is broken wide open.

    And therein lies one of the major advantages of OS X over Windows, in OS X you don't run as root so malicious code can't easily do much system-level harm without you authorizing it.

  12. #12

    fleurya's Avatar
    Member Since
    Nov 18, 2006
    Location
    Anytown, USA
    Posts
    4,935
    Specs:
    27" iMac 2.7GHz Core i5, iPhone 6, iPad Air 2, 4th gen Apple TV
    Quote Originally Posted by Jem View Post

    And therein lies one of the major advantages of OS X over Windows, in OS X you don't run as root so malicious code can't easily do much system-level harm without you authorizing it.
    Thankfully, Windows Vista will have this kind of required authorization as well. I've run RC 1 and 2 and I was kind of annoyed by always putting in my password, but appreciated the beefed up security.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. ShellShock bug in OSX and 'nix
    By cptkrf in forum Security Awareness
    Replies: 51
    Last Post: 10-04-2014, 10:49 PM
  2. Heartbeat OpenSSL bug does not affect OSX.
    By cptkrf in forum Security Awareness
    Replies: 26
    Last Post: 04-27-2014, 08:59 PM
  3. Strange OSX Lion bug???
    By jim123321 in forum OS X - Operating System
    Replies: 1
    Last Post: 11-19-2011, 05:27 PM
  4. bug in OSX/iMac or Adobe software
    By kemizz in forum Images, Graphic Design, and Digital Photography
    Replies: 7
    Last Post: 11-19-2009, 03:15 AM
  5. Display bug on OSX
    By dougy in forum OS X - Operating System
    Replies: 6
    Last Post: 10-16-2009, 10:38 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •