Safari Security Flaw Reported

michaellehn
Feb 20, 2006, 03:30 PM
On my homepage

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/index_us.html

I am hosting an exploit for Safari on Mac OS X. It requires that the Safari option that allows "secure files" to be launched automatically is enabled. Many users have this option enabled.

In this case it is sufficient that you click on a link and a shell script is executed. In my example the shell script only prints "Hallo Welt". But it could also send emails or delete the user's home directory.

There will be no warning.

Several German online sites have reported on my exploit:


http://www.heise.de/newsticker/meldung/69854

http://www.macnews.de/news/74203

http://www.macwelt.de/news/macosx/336525/index.html

best regards from Ulm/Germany,

Michael



liketom
Feb 20, 2006, 03:34 PM
Oh dear, whatever next :eek:

not too sure what to make of these


"Smithers release the hounds"

gekko513
Feb 20, 2006, 03:35 PM
That's scary. When did you tell Apple about it?

Benjamindaines
Feb 20, 2006, 03:41 PM
Hmmm this seems a lot like when there was that widget "virus" then Apple added the warning for downloading widgets.

michaellehn
Feb 20, 2006, 04:02 PM
That's scary. When did you tell Apple about it?

It is bug #4450856. My last bug has had state "open" for almost one year. So I added a note asking them to have a look at my first bug after they are done with the current bug. Ok, this old bug was not critical, just annoying.

About publishing security holes in public: I think after the report of the first "virus" it was just a matter of time before someone would exploit this. It only took me 3 lines for a shell script, 3 tries and at most 15 minutes. Only if such issues are published as fast as possible are people warned. If I did not publish it, Mac users would have the wrong feeling that clicking on links is NOT dangerous. This would be fatal.

About how serious this thing is: The shell script could also delete your home directory and send Emails from your account. If you have the appropriate permissions it could also modify applications.

Benjamindaines
Feb 20, 2006, 04:09 PM
Looks like UNIX is coming back to bite Apple in the a**; so far all the bug exploits have been with Terminal.

michaellehn
Feb 20, 2006, 04:12 PM
http://www.heise.de/english/newsticker/news/69862

michaellehn
Feb 20, 2006, 04:14 PM
Looks like UNIX is coming back to bite Apple in the a**; so far all the bug exploits have been with Terminal.

the UNIX part of Mac OS X is the safest part!

The problem is the part that allows a downloaded file to get executed automatically.

Without the UNIX part there would be holes like in Windows. You just connect to the internet and you get infected. WITHOUT CLICKING OR DOING ANYTHING.

We experience this here every day. And thanks to the UNIX part, a legion of ex-Linux geeks will soon switch to Mac OS, fixing whatever shows up :-)

After G
Feb 20, 2006, 04:20 PM
Tried the example on the website. It's kinda scary, because the file has a correct-looking extension even though it opens in terminal.

michaellehn
Feb 20, 2006, 04:25 PM
Tried the example on the website. It's kinda scary, because the file has a correct-looking extension even though it opens in terminal.

Indeed it is scary. So make sure to tell everybody to deactivate this option in Safari! That's the fastest and easiest way to protect yourself.

bousozoku
Feb 20, 2006, 04:27 PM
Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.

michaellehn
Feb 20, 2006, 04:33 PM
Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.

Actually many people told me that the option is disabled by default. But on all our Macs it was enabled. And there are controversial reports: many claim that it was enabled on recently bought machines.

jsw
Feb 20, 2006, 04:33 PM
Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.
Few users are going to doubt the iconic representation of the file. Very few people do a Get Info on everything that's downloaded.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.
Then why, on a fresh install of OS X on my Intellimac, in a new user account, does it open automatically? That link opened Terminal and ran before I could do anything to stop it. Fresh install. New user account.

Actually many people told me that the option is disabled by default. But on all our Macs it was enabled. And there are controversial reports: many claim that it was enabled on recently bought machines.
I just installed OS X on my 17" Intel iMac (or, rather, did a reinstall with the disks supplied with it). I see that the exploit works.

Similarly, in a new user account on my PMG5, I see that the exploit works.

So it is definitely not a universal truth that this is disabled.

And, regardless of the default setting... most people will enable it once they discover that they can. And therefore be vulnerable.

longofest
Feb 20, 2006, 10:29 PM
Looks like UNIX is coming back to bite Apple in the a**; so far all the bug exploits have been with Terminal.

That's just because that's what programmers know, and that's what's easiest to churn out quickly to make a proof-of-concept. It's not UNIX that's biting Apple. It's their lack of properly auditing their code.

nagromme
Feb 20, 2006, 10:37 PM
Not the first flaw nor the last, and I don't see how it would help anyone create a virus or worm--but it would lead to Trojans, and should be patched. Sounds pretty easy for Apple to do.

I've always had Open Safe Files disabled because it annoys me. Sometimes I want to keep the archive, sometimes not, and it annoyed me how the archive would always end up in the trash. I can see how many people would like Open Safe though, and I hope it's patched soon.

I'm pretty sure it IS on by default.

Doctor Q
Feb 20, 2006, 10:42 PM
I'm pretty sure it IS on by default.
Yes, confirmed. We also confirmed the flaw and the two workarounds.

Warbrain
Feb 20, 2006, 10:51 PM
I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files. There's just something about the computer doing all that stuff in the background that freaks me out a bit. I also like to have the confirmation that I properly downloaded the file and it opened fine.

But I guess it all works as a security fix, too.

jon_010101
Feb 20, 2006, 11:15 PM
Ha... I use tcsh as my default shell, so it just poops out after it launches. Still, scary stuff... they will have to change the "open" command to warn against, or simply restrict, shell scripts in order to fix this. The problem is not really with Safari ... it is with the way that OS X launches files in general. It allows you to have a benign-looking file be a shell script in disguise! :eek: If a solution isn't presented this week, I will be shocked.

eva01
Feb 20, 2006, 11:33 PM
I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files. There's just something about the computer doing all that stuff in the background that freaks me out a bit. I also like to have the confirmation that I properly downloaded the file and it opened fine.

But I guess it all works as a security fix, too.

That is what I have always done as well. Can't see why anyone would have it open safe files. It's just asking for trouble if you ask me.

jsw
Feb 20, 2006, 11:36 PM
Can't see why anyone would have it open safe files.
Since it seems to be the default setup on at least many, if not all, new Macs, it's not surprising that people would be set up that way and - for most users - be unaware that there's even an option to change the way things work.

VL-Tone
Feb 20, 2006, 11:38 PM
Yeah I know about this one since ToastyX posted an example here http://forums.macrumors.com/showthread.php?t=181026. I was a little panicked and didn't know how to handle the situation I replied explaining how dangerous it was. Eventually I edited my replies since I thought it would give bad ideas to hackers.

I was hoping that this was the only place where this vulnerability was disclosed, and that Apple would have time to deal with it before the "news" started to spread.

But it seems that it was already repeated by others.

michaellehn, you seem to say that you discovered this issue (you say "my exploit")

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?

You wrote: I think after the report of the first "virus" it was just a matter of time that someone would exploit this.

Well it will happen if you tell hackers about the exploit! Was this known before?

I guess that one thing could indicate it was the "right" decision to disclose the issue to the public as quickly as possible.

That thing is: It looks like the Leap-A author knew about this bug... Why do I think that? The author seems to have specifically avoided triggering the exploit: The file is in a format that Safari cannot decompress (.tar) so it gives a warning, and doesn't execute because of that.

So tell me why the author didn't try the least detectable option: putting it in a .zip? Because it would have triggered this exploit... So I guess the Leap-A author is a "friendly" hacker that wanted to warn us without doing too much damage.

Here's an interesting idea, add this line to your benign exploit:

defaults write com.apple.Safari AutoOpenSafeDownloads 0

This will turn off that maligned option in Safari automatically!

GeeYouEye
Feb 21, 2006, 12:52 AM
Well that's a bit more than quite disturbing. Much more so than Oompa or Inqtana. Apple needs to fix this, and quickly.

bousozoku
Feb 21, 2006, 12:59 AM
...
Then why, on a fresh install of OS X on my Intellimac, in a new user account, does it open automatically? That link opened Terminal and ran before I could do anything to stop it. Fresh install. New user account.
...

I'd like to know, as well. I just checked Safari, which I don't use, and it was wide open. It also bothers me that Apple ships Mac OS X without the firewall enabled.

odedia
Feb 21, 2006, 02:04 AM
Guys, use firefox, their bigger user base promises faster revealing of problems and faster fixes.

As a Hebrew reader, I can confirm that Safari has terrible problems with displaying right-to-left layouts (like it has terrible support for any right-to-left feature in any piece of software, including iWork), and therefore the pages look weird and not like the developer intended. However, using firefox (or Opera) fixes all that without a problem.

Mac Os X still has a long way to go in universal compatibility. I'm afraid Microsoft are way ahead of them in that department.

Oded S.

Nermal
Feb 21, 2006, 02:48 AM
Interesting, I have Ventrilo Server running in a terminal 24/7, and that seemed to prevent execution of the script. It brought Ventrilo to the front, but didn't print the "hack" message.

After G
Feb 21, 2006, 02:49 AM
Yes, confirmed. We also confirmed the flaw and the two workarounds.
Ha... I use tcsh as my default shell, so it just poops out after it launches.
Is this potentially another workaround?

<edit> Exploit still works. Hope they fix it.

BakedBeans
Feb 21, 2006, 03:02 AM
ive got one that downloads and crashes your system by giving a kernel panic....

Fun :)

motulist
Feb 21, 2006, 04:58 AM
Would I still be at risk if I wasn't running an admin account?

BakedBeans
Feb 21, 2006, 07:02 AM
Would I still be at risk if I wasn't running an admin account?

just go to preferences and de-select the 'open safe' downloads thing

Uma888
Feb 21, 2006, 08:11 AM
Did this crash anyone's machine? 'Cause mine did, first time since I got the Mac :S

lets hope apple fix safari

hayesk
Feb 21, 2006, 10:16 AM
Would I still be at risk if I wasn't running an admin account?

Yes, if you had the Safe download checked. It could still delete your home folder. It would have the same permissions that you, as a user, would. It'd be like if you launched it manually, or you went into Terminal and typed the command itself.

Bottom line, turn off "Safe" downloading. Apple should remove the feature altogether, IMHO.

michaellehn
Feb 21, 2006, 10:28 AM
:mad:

Ha... I use tcsh as my default shell, so it just poops out after it launches. Still, scary stuff... they will have to change the "open" command to warn against, or simply restrict, shell scripts in order to fix this. The problem is not really with Safari ... it is with the way that OS X launches files in general. It allows you to have a benign-looking file be a shell script in disguise! :eek: If a solution isn't presented this week, I will be shocked.

devilot
Feb 21, 2006, 10:29 AM
just go to preferences and de-select the 'open safe' downloads thing
Okay, I just want to be explicitly sure that I unchecked the correct item. Is this correct?

michaellehn
Feb 21, 2006, 10:30 AM
Would I still be at risk if I wasn't running an admin account?

The worm can potentially do everything you can do in person via mouse and keyboard as long as it does not require you to type in a password.

This can be a lot: deleting your own files, sending/reading emails,...

jsw
Feb 21, 2006, 10:36 AM
Okay, I just want to be explicitly sure that I unchecked the correct item. Is this correct?
Yes. No need to be explicit, though. Family forum and all... :)

calebjohnston
Feb 21, 2006, 10:53 AM
tehehehe, someone cracked a funny.

devilot
Feb 21, 2006, 11:17 AM
Yes. No need to be explicit, though. Family forum and all... :)
Ah-hah! Now I know the secret to your wit... I saw the previous, unedited comment you left! :D

Anyway, thanks for the confirmation.

BakedBeans
Feb 21, 2006, 11:20 AM
thats the one dev ;)

Doctor Q
Feb 21, 2006, 11:50 AM
Okay, I just want to be explicitly sure that I unchecked the correct item. Is this correct?
Yes, devilot, you are now safe from this particular Safari security problem.

macnews
Feb 21, 2006, 12:01 PM
This seems about as dangerous as the recently discovered malware/trojan/virus. Simple solution is just to deselect "open safe files after download." From there it is more a social engineering trojan/malware/virus - "click on me, I'm just a picture of some naked celeb".

Don't get me wrong, I'm glad this was discovered. I think it is just another reason why the Mac is safer (not immune) from many of the problems with Windows. A bug like this comes out on Windows and most would be "oh, it doesn't self-propagate and you have to actually click to download - no biggie."

uezi
Feb 21, 2006, 12:40 PM
Heise reported that the flaw is also in the Mail program (so giving a shell script the .jpg ending, setting "open with" to Terminal and then encoding it as AppleDouble will make an executable script with a JPEG icon !!!)

Downloaded the test from heise... It worked ! Scary !!!!:eek:

lexfuzo
Feb 21, 2006, 01:23 PM
It's neither a problem of Safari nor of Mail.
It's a flaw or at least an unwanted side-effect of OS X itself.
There is only one solution:
Don't ever open a file blindly if you don't know already what it is.
Check the file with Get Info and in Terminal:
`file filename` will give you more information about the file's type.
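A defender-side check along the lines lexfuzo describes, added here as an example and not code from the thread: a POSIX shell script that flags a downloaded file whose extension promises passive data (.mov, .jpg, ...) while its contents start with a `#!` shebang or carry an executable bit, and that prints `file(1)`'s description of the file when that command is available. The extension list, the function names and the return codes are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): flag downloaded files whose extension
# says "passive data" but whose contents look like a script or executable.
# The extension list below is a constructed assumption, not a complete one.

DATA_EXTS="mov jpg jpeg png gif pdf mp3 txt"

# is_data_ext NAME: return 0 if NAME's (lowercased) extension is in DATA_EXTS.
is_data_ext() {
    base=$(basename "$1")
    case "$base" in
        *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
        *)   return 1 ;;
    esac
    for e in $DATA_EXTS; do
        [ "$ext" = "$e" ] && return 0
    done
    return 1
}

# looks_executable FILE: return 0 if the execute bit is set or the first two
# bytes are the "#!" shebang that marks an interpreter script.
looks_executable() {
    [ -x "$1" ] && return 0
    [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ] && return 0
    return 1
}

# check_download FILE
#   returns 0: extension and content are consistent
#           1: file cannot be read
#           2: data extension but executable-looking content (warning printed)
check_download() {
    f=$1
    [ -r "$f" ] || { printf 'cannot read %s\n' "$f"; return 1; }
    # Second opinion from file(1), as the post suggests, when it is installed.
    if command -v file >/dev/null 2>&1; then
        printf '%s: %s\n' "$f" "$(file -b "$f")"
    fi
    if is_data_ext "$f" && looks_executable "$f"; then
        printf 'WARNING: %s has a data extension but executable content\n' "$f"
        return 2
    fi
    return 0
}

# Usage: sh check_download.sh ~/Downloads/*   (each argument is checked in turn)
for f in "$@"; do
    check_download "$f"
done
```

The shebang test catches exactly the case the thread describes (a shell script renamed to .mov); a file that merely has a misleading icon or Launch Services binding but no shebang and no execute bit would pass, which is why the `file` output is printed alongside the verdict rather than relied on alone.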

ITASOR
Feb 21, 2006, 01:47 PM
Apple shouldn't have the open "safe" files in the first place, that's just asking for trouble.

Whistleway
Feb 21, 2006, 01:59 PM
Why is this on Page 2????????

uezi
Feb 21, 2006, 02:46 PM
It's neither a problem of Safari nor of Mail.
It's a flaw or at least an unwanted side-effect of OS X itself.

Yup, it is.

There is only one solution:
Don't ever open a file blindly if you don't know already what it is.
Check the file with Get Info and in Terminal:
`file filename` will give you more information about the file's type.

In most cases this is the solution (even in M$ Windows).

But it's an issue... and Apple should do something about it...

Maybe we Mac users should realize that reality finally caught up with us... (Hello, Anti-Virus!)

It's been a while... Is Disinfectant still available on the Mac ?:rolleyes: ah, good old System 6 days !

lexfuzo
Feb 21, 2006, 02:57 PM
In most cases this is the solution (even in M$ Windows).

But it's an issue... and Apple should do something about it...

Maybe we Mac users should realize that reality finally caught up with us... (Hello, Anti-Virus!)


Yes, the most important thing is to keep your eyes open. Antivirus - maybe, but don't rely on it blindly.
It is about time that even Mac-users start developing some consciousness for security issues.

Doctor Q
Feb 21, 2006, 02:58 PM
Why is this on Page 2????????
Because security issues tend to come and go without a serious risk to the Mac community and this, a proof-of-concept exposure of a flaw that we already know can easily be avoided, is another such case.

bankshot
Feb 21, 2006, 03:41 PM
Because security issues tend to come and go without a serious risk to the Mac community and this, a proof-of-concept exposure of a flaw that we already know can easily be avoided, is another such case.

Hrm. I would argue for just the opposite of what MR has done with the past two exploits. This one ought to be on the front page because everyone needs to know that they should turn off the "Open safe files" option. With this publicly known, anyone can now easily create a web page exploiting the flaw. People should also be very wary of any mail attachment even if it "looks" harmless. People need to be aware of this, even if it means bad press for Apple (and hey, bad press should light a fire under them to get a fix out quickly).

In contrast, the previous exploit (the trojan) was waaaaaay overblown and misinterpreted by external press, so in retrospect a page two placement may have helped contain the unnecessary fire. This one was the lesser risk by far, and much more easily avoided.

Just my opinion, though. ;)

sjk
Feb 21, 2006, 03:50 PM
I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files.
Same here (and on friends' Macs I help with), and I'm not sorry. :)

Enabling automatic anything related to the net is unnecessarily risky and that Apple sometimes makes it the default on the intended behalf of users is always dubious.

sjk
Feb 21, 2006, 03:58 PM
Guys, use firefox, their bigger user base promises faster revealing of problems and faster fixes.
Bzzt, wrong answer.

I refuse to use Firefox on OS X, with its icky XUL interface and lack of support for things like Services and Keychain that make my browser-related activities much more efficient.

gunnmjk
Feb 21, 2006, 05:47 PM
Apple shouldn't have the open "safe" files in the first place, that's just asking for trouble.

That's not true. It just means that the idea of what a "safe" file is needs to be re-evaluated.

BlueRevolution
Feb 21, 2006, 05:47 PM
if the exploit also works with Mail, would it not be possible to make a mass-mailing worm?


user downloads latestpics.zip
browser unpacks and runs script.
script mails itself with UNIX to Address Book contacts, and infects what it feels like.
contact gets benign looking email with image attached.
image is opened...


That's not true. It just means that the idea of what a "safe" file is needs to be re-evaluated.

indeed. I still want Safari to unpack archives and mount disk images I download automatically, assuming they really are archives and disk images.

GITANAJAVA
Feb 21, 2006, 06:37 PM
Yes, the most important thing is to keep your eyes open. Antivirus - maybe, but don't rely on it blindly.
It is about time that even Mac-users start developing some consciousness for security issues.

Okay, this is "Blonde Treading Mac-Water" checking in with some VERY basic questions (after having read several news articles and all the posts in this thread about the Safari flaw).

When I bought my iBook G4/v.10.3.9 (Jan. 05), the "open safe files" option was unchecked. I only checked it after an Apple staffer recommended it in response to my confusion -- when I would download known software and files I was confronted with an on-screen challenge saying something along the lines of "Where do want to put this? What application do you want to open it with? Ya-da, ya-da."

The Safari "download safe files" option is UNchecked now, due to the latest news. However, I *still* don't know how to handle the on-screen challenge. I didn't know then, I don't know now. My questions:

1) How am I supposed to know what thingamy opens another thingamy and where something properly belongs when it's generated by a source other than myself?

2) With the aforementioned option unchecked, can I expect to see the challenge even when accepting updates from Apple?

[As much as I like my G4, I regard it with the same affection and attitude I have for a favorite hammer or my car: it's a tool. I don't want to build, re-build, or re-design the tool. I will maintain the tool and use it appropriately, keep up its certificates and licences, but I don't want to know the provenance of the wood in the hammer's handle or who attached my car's boot. All of which leads to my third and final question....]

3) Is there any hope for an ordinary, everyday Mac'er to just operate/use computing without being either a Luddite or an Uber-programmer?

:::sigh of slight discouragement:::

mcgarry
Feb 21, 2006, 07:59 PM
already the 2nd most discussed story on CNET (http://news.com.com/OS+X+flaw+exposes+Macs/2100-1002_3-6041685.html?tag=nefd.top), and climbing.

Man, our forums are a whole lot nicer!

backdraft
Feb 21, 2006, 08:26 PM
anyone know how to lock down os x so applications and scripts can only EXECUTE/RUN from certain folders?

maybe there is a configuration file for this...

Mac OS X should prompt whether you want to download the file and where to save it; then, if that save location does not permit execution of applications or scripts, you would get a warning saying that the app/script you are trying to run cannot run because it is not allowed from this location.

Basically a container for downloaded files that can be used to determine what the file is by watching the system calls. I would imagine that all applications have a common system call that is not shared by generic files, and the same goes with scripts.

This would give a heads up to the user...

Doctor Q
Feb 21, 2006, 08:34 PM
already the 2nd most discussed story on CNET (http://news.com.com/OS+X+flaw+exposes+Macs/2100-1002_3-6041685.html?tag=nefd.top), and climbing.
The most interesting point in the article:
Apple is developing a patch for the flaw, a company representative told CNET News.com. "We're working on a fix so that this doesn't become something that could affect customers," the representative said, but could not give a delivery date for the update.
Meanwhile, here are some tips from Apple (http://docs.info.apple.com/article.html?artnum=108009) on safe practices in general, from last year.

maya
Feb 21, 2006, 08:37 PM
And here I thought I could trust anyone or website on the "internet." My trust in all humanity is shattered. :(

Then again I am not that naive. ;) :D

latourfl
Feb 22, 2006, 12:42 AM
This problem isn't only related to Safari, but to the fact that a program (script, etc.) can be launched without the user being warned about the risks. I don't think limiting programs to be launched from specific folders would really help or be a nice and simple solution.

The best solution, to me, would be that every time something is launched that was never launched before, the user should be warned. OS X already has a system for this; it only needs to be more extensive (warn for shell scripts, AppleScripts, etc. as well) and provide more info: the name of the executable, where it is, who the author is, etc., so that we can make sure we trust the executable.

Of course, shell scripts called from the command line by the user in the Terminal shouldn't be subject to that, since users calling commands from the Terminal should know what they do, but double-clicked or Safari-opened programs should.

ChampD1012
Feb 22, 2006, 12:55 AM
It's weird. My Mac came in today. Saw the flaw. Disabled the safe file option. Then tried to download Yahoo Messenger; it showed up like this on my desktop: ymsgr_2.5.3-osx_install.bin. When I double-clicked it, it didn't know what application to use. When I downloaded it with the option checked, it showed the install GUI. Is there a way to install it without the option checked?

iMeowbot
Feb 22, 2006, 02:19 AM
Then tried to download Yahoo Messenger, it showed it like this on my desktop: ymsgr_2.5.3-osx_install.bin,
The .bin extension normally points to a need for Stuffit Expander (or some other program that can decode Binhex).

michaellehn
Feb 22, 2006, 04:37 AM
My bug has state "duplicate":

http://www.mathematik.uni-ulm.de/~lehn/bugreport.png


So did Apple already know about it??

twitsami
Feb 22, 2006, 08:20 AM
The best solution, to me, would be that every time something is launched that was never launched before, then the user should be warned. OS X already have a system for this, it only needs to be more extensive (warn for shell scripts, AppleScripts, etc. as well), and provide more info : the name of the executable, where it is, who is the author, etc. so that we can make sure we trust the executable.

Sounds like a good idea, one I think could work as long as it's possible to make sure the executable is unique. I see an issue if it's possible for the executable to claim to be another application, as in, the executable tells the computer it's iTunes, so it runs without warning...

latourfl
Feb 22, 2006, 09:42 AM
Sounds like a good idea, one I think could work as long as it's possible to make sure the executable is unique. I see an issue if it's possible for the executable to claim to be another application, as in, the executable tells the computer it's iTunes, so it runs without warning...

Well, I sure hope this problem is taken care of in Keychain Access! It seems it is:

The trusted application list is actually a list of trusted application objects (objects with the opaque type SecTrustedApplicationRef). In addition to serving as a reference to the application, a trusted application object includes data that uniquely identifies the application, such as a cryptographic hash. The system can use this data to verify that the application has not been altered since the trusted application object was created. For example, when a trusted application requests access to an item in the keychain, the system checks this data before granting access.

http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/index.html#//apple_ref/doc/uid/TP30000897

iMeowbot
Feb 22, 2006, 09:52 AM
if the exploit also works with Mail, would it not be possible to make a mass-mailing worm?

It's possible to make a nice little spam zombie (for example, an SMTP relay on a nonstandard port) out of a Mac with this one, because by default the firewall is not enabled.

twitsami
Feb 22, 2006, 10:30 AM
Well, I sure hope this problem is taken care of in Keychain Access! It seems it is:

http://developer.apple.com/documentation/Security/Conceptual/keychainServConcepts/index.html#//apple_ref/doc/uid/TP30000897

Hmm, that's more about how applications are allowed access to the keychain, i.e. how it's allowed to access your stored password... however it will not warn you about running a program which does not use keychains. I don't believe iTunes uses keychains, so it will not give a warning... I know Photoshop and the likes don't use keychains, and why would they... when those programs are updated you are never warned that the application was never run, because according to the system, everything is there to say it was, i.e. application data, preference files... etc...

pseudobrit
Feb 22, 2006, 10:47 AM
Here's how to inoculate:

Open application Terminal, usually located in Applications/Utilities

From the Terminal menu, select Preferences...

Select button Execute this command (specify complete path):

type into this field: login

Close window, quit Terminal.

You are now safe from this particular exploit. (OS 10.3.9 verified)

Can someone confirm on 10.4?

pseudobrit
Feb 22, 2006, 11:08 AM
It's a simple .term launch exploit. It's all above the radar and you can watch it happening.

This -- and the related iChat "vuln" -- is simply taking advantage of the fact that most of us run from an admin account. Then it launches a .term script and that's that.

We can also cut off the chance for the auto-launch of .term scripts by changing the default .term App to something like Chess (which I did).

Also, with Leap-A and relatives, the replication within application packages happens after the script runs a search for existing virus code. So one could simply insert dummy files with this code's name on it and prevent the spread. This reminds me of the Classic OS days where you could easily block a particular virus -- was it scores? -- by creating an invisible file in the System Folder with the same file name the virus generates, thus making it impossible for the virus to implant.

Passante
Feb 22, 2006, 11:32 AM
If a basic user does not need to run terminal can the application be deleted without harm to the system?:confused:

MacSA
Feb 22, 2006, 11:48 AM
On my homepage

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/index_us.html

I am hosting an exploit for Safari on Mac OS X. It requires that the Safari option that allows "secure files" to be launched automatically is enabled. Many users have this option enabled.

In this case it is sufficient that you click on a link and a shell script is executed. In my example the shell script only prints "Hallo Welt". But it could also send emails or delete the user's home directory.

There will be no warning.

Several German online sites have reported on my exploit:


http://www.heise.de/newsticker/meldung/69854

http://www.macnews.de/news/74203

http://www.macwelt.de/news/macosx/336525/index.html

best regards from Ulm/Germany,

Michael


You're famous now:

http://news.bbc.co.uk/1/hi/technology/4739432.stm

So far, no net-based exploits of the bug are known to be in existence

The risk to users from the virus is almost non-existent

Non existent eh? why all the fuss then?

michaellehn
Feb 22, 2006, 11:55 AM
You're famous now:

http://news.bbc.co.uk/1/hi/technology/4739432.stm

So far, no net-based exploits of the bug are known to be in existence

The risk to users from the virus is almost non-existent

Non existent eh? why all the fuss then?

It does not exist because of all the fuss. That's why I published it.

That's the way security flaws are treated in Linux. Tell people about it and tell them how to protect themselves from it. That's the fastest fix.

Microsoft goes the way: Don't tell anybody and hope nobody will notice it till the next patch day. Or they don't care and leave it to the Anti-Virus companies.

MacSA
Feb 22, 2006, 11:56 AM
....from famous to Superstar, you made New Scientist

http://www.newscientist.com/channel/info-tech/dn8758.html

pseudobrit
Feb 22, 2006, 12:14 PM
If a basic user does not need to run Terminal, can the application be deleted without harm to the system?:confused:

I thought about this also.

I would simply compress it with Stuffit rather than delete.

pseudobrit
Feb 22, 2006, 12:18 PM
Non-existent, eh? Why all the fuss then?

Like 1/4" of snow in Los Angeles.

latourfl
Feb 22, 2006, 01:10 PM
Hmm, that's more about how applications are allowed access to the keychain, i.e. how it's allowed to access your stored password...


Well I was pointing to this as a mechanism as one that could be used to make sure an executable is unique, to answer your concern. Sure, the concept of Keychain specifically is unrelated, but the mechanism for making sure your executable is secure and unaltered is the same.

p0intblank
Feb 22, 2006, 01:30 PM
I'm late into this thread... but anyway, I disabled open "safe" files in my Safari preferences, so I'm safe. I also took that online test that was posted and Quicktime couldn't open the file because it was not a recognized format, so I guess that means I'm safe. :)

My dad even called me "David, turn off my Safari! This new virus thing is all over the news!" You have to love the news... :rolleyes: But I made sure his iMac G5 was safe and the option was already disabled. :)

pseudobrit
Feb 22, 2006, 02:20 PM
I'm late into this thread... but anyway, I disabled open "safe" files in my Safari preferences, so I'm safe. I also took that online test that was posted and Quicktime couldn't open the file because it was not a recognized format, so I guess that means I'm safe. :)

My dad even called me "David, turn off my Safari! This new virus thing is all over the news!" You have to love the news... :rolleyes: But I made sure his iMac G5 was safe and the option was already disabled. :)

That's all fine, but even with Safari protected, the underlying vuln still lurks in Terminal.

michaellehn
Feb 22, 2006, 04:46 PM
My bug has state "duplicate":

http://www.mathematik.uni-ulm.de/~lehn/bugreport.png

So did Apple already know about it??

.... BUT DO NOT FORGET .....

http://www.mathematik.uni-ulm.de/~lehn/bugreport2.png

jghMac
Feb 23, 2006, 03:37 AM
Does deleting or compressing "terminal.app" protect in case something gets past Safari (assuming the user doesn't need it)?

I'm lost on Unix so maybe I am missing something.

Thanks

jcdenton
Feb 23, 2006, 06:24 AM
Does deleting or compressing "terminal.app" protect in case something gets past Safari (assuming the user doesn't need it)?

I'm lost on Unix so maybe I am missing something.

Thanks
The script, as I've seen it, requires Terminal to be able to open documents, so if you put it in a situation where it couldn't do that - by deleting it, by putting it on an unmounted disk image, by compressing it, or by running in a limited account with no access privileges to the Terminal application - then you would be safe.

Sounds a little drastic, though - my own tests tonight indicated that the exploit was easily disrupted by just renaming or moving the Terminal application, or by requiring a login prompt on Terminal's startup.

jamiec
Feb 23, 2006, 11:18 AM
My bug has state "duplicate":

http://www.mathematik.uni-ulm.de/~lehn/bugreport.png


So did Apple already know about it??


This is answered earlier in this thread -- the user VL-Tone saw an example of the exact same vulnerability posted (by ToastyX) on Feb. 17. VL-Tone reported it to Apple shortly afterward:

michaellehn, you seem to say that you discovered this issue (you say "my exploit")

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?

So that would explain why your bug report was flagged as "duplicate."

michaellehn
Feb 23, 2006, 01:34 PM
This is answered earlier in this thread -- the user VL-Tone saw an example of the exact same vulnerability posted (by ToastyX) on Feb. 17. VL-Tone reported it to Apple shortly afterward:



So that would explain why your bug report was flagged as "duplicate."


Thanks!

michaellehn
Feb 23, 2006, 01:52 PM
Yeah I know about this one since ToastyX posted an example here http://forums.macrumors.com/showthread.php?t=181026. I was a little panicked and didn't know how to handle the situation I replied explaining how dangerous it was. Eventually I edited my replies since I thought it would give bad ideas to hackers.

I was hoping that this was the only place where this vulnerability was disclosed, and that Apple would have time to deal with it before the "news" started to spread.

But it seems that it was already repeated by others.

michaellehn, you seem to say that you discovered this issue (you say "my exploit")

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?


Well, I call it my exploit because I didn't know about any other exploit.


You wrote: I think after the report of the first "virus" it was just a matter of time that someone would exploit this.

Well it will happen if you tell hackers about the exploit! Was this known before?


So that's your opinion. Here is mine:

I will never give a company even the choice to keep a security flaw secret. BUT maybe I should have given them more time.

BUT
1) It is easy to reproduce and to modify my exploit into a serious problem
2) It is easy to protect yourself from it

So in my opinion telling people was the cheapest and fastest solution.

I published it and I took care that this news gets spread fast.

Even if somebody abused the exploit, I do not think that it could spread far. People are too careful now.

Anyway, would it be better to wait until an AVC (Anti-Virus-Company) makes profit out of it? Mac OS X does not need such stuff!

milo
Feb 23, 2006, 03:23 PM
It's neither a problem of Safari nor of Mail.
It's a flaw or at least an unwanted side-effect of OS X itself.
There is only one solution:
Don't ever open a file blindly if you don't know already what it is.
Check the file with Get Info and in Terminal:
`file filename` will give you more information about the file's type.

At the very least, it's a bad idea for Apple to have Safari default to opening "safe" files automatically (or at the very least be WAY more conservative about which files are safe). With this setting, the user doesn't even have to open a file manually, they just have to click on a link.

Mechcozmo
Feb 24, 2006, 01:22 AM
If a basic user does not need to run Terminal, can the application be deleted without harm to the system?:confused:

I wouldn't go that far... but you can ZIP it without harm to the system. At the Apple Stores, the Terminal is compressed in SITX format with a password placed on it. Makes it so you can't play with the system. :D:rolleyes:

backdraft
Feb 25, 2006, 08:42 PM
I thought about this also.

I would simply compress it with Stuffit rather than delete.

How about removing the read/execute access?

Another idea would be if OS X could lower admin privileges to non-admin status when opening files downloaded from Safari (or execute with lower admin privileges when in certain folders, in case you are running as admin).

Expanding the warning system when an app/script opens for the first time is a good idea as well, but I would love to be able to prevent certain folders from executing an app/script as well. OS X should also monitor system calls from specific folders; that way it could predict malicious behavior and prevent that app/script from having write access.

Hopefully Apple will implement this along w/ other ideas.

Then again it all comes down to metadata, I really did like creator types... Damn extensions... Oh, and by switching to Intel things will get worse. Hackers are much more experienced w/ x86, plus each register can be executable on x86, leading to overflows....

wasimyaqoob
Feb 25, 2006, 09:37 PM
Yeah, it was Apple's biggest mistake switching to Intel. IBM are bringing out a new range of CPUs which are powerful and are stable in the performance-per-watt section.

MacNut
Feb 26, 2006, 12:39 AM
Yeah, it was Apple's biggest mistake switching to Intel. IBM are bringing out a new range of CPUs which are powerful and are stable in the performance-per-watt section.

Didn't we hear the same thing about the G5 a few years back?:rolleyes:

Mechcozmo
Feb 26, 2006, 01:36 AM
Didn't we hear the same thing about the G5 a few years back?:rolleyes:

Nothing is stopping Apple from having PPC and x86 lines... Universal Binaries take care of that.

XFce
Mar 25, 2006, 09:51 PM
Indeed it is scary. So make sure to tell everybody to deactivate this option in Safari! That's the fastest and easiest way to protect yourself.

How do we go about doing that ?

Marky_Mark
Mar 26, 2006, 05:44 PM
How do we go about doing that ?


Safari Menu > Preferences > General

Uncheck 'Open "safe" files after downloading'

XFce
Mar 26, 2006, 08:51 PM
Thanks MM. I'm surprised that Apple did not disable the option in Safari that permits downloads from executing without first asking the admin or user for permission. Having that option enabled by default is a big-time security risk. Apple should have known that. Oh well, everyone makes mistakes, at least now we know.

Eraserhead
Mar 28, 2006, 02:13 PM
or by requiring a login prompt on Terminal's startup.

Sounds like a great idea! How do you do this?

GaseousPlatypus
Apr 3, 2006, 12:11 PM
Why don't they just make it so that you need to enter your admin password every time you open the Terminal. It would only be slightly inconvenient...

Leondunkleyc
Apr 7, 2006, 05:16 PM
.

ifjake
Apr 7, 2006, 06:06 PM
about a month ago i created a new admin user and switched my user to standard. it's really easy to do in System Preferences and hardly affects the way i use my Mac. the most noticeable difference has been entering an admin user name and password when i wanted to mess with the applications folder. now i use my user applications folder for little things i want to try out that i usually don't find a use for and end up deleting anyway.

even before then i turned off safari's open safe files preference.

this thing is a lock box as far as i'm concerned.

Dr. No
Apr 8, 2006, 03:04 AM
Does this bug exist in Shiira??

:confused:

Ender at Eros
Apr 8, 2006, 06:57 AM
There was an Automator fix for this. I forgot where the site was, and I myself don't have it installed (but I installed it on my friends' Macs so they don't get anything bad).

I can recall what it does:

Using Automator it makes an Application that is named Terminal.app, you rename the old (and original) terminal to .Terminal.app (with the . at the beginning).

When a script launches the (automator) Terminal.app it asks if you would like to open the (original) Terminal app, and if you click yes, then it opens the real one.

:P

SC68Cal
Apr 8, 2006, 02:30 PM
Terminal requiring a password would be very useful right about now

cleanup
Apr 8, 2006, 09:04 PM
I have file extensions enabled in my finder and yet the test file still showed up as .mov, does anyone know why that might be?

Same with me. And when I opened it, I still got the HALLO WELT.

Which is still scary. Even if you don't have "Open secure files after downloading," you'll still unwittingly open that .mov or .doc or completely legitimate file you just downloaded, and then you're @*$%ed.

idea_hamster
Apr 9, 2006, 02:25 PM
I have file extensions enabled in my finder and yet the test file still showed up as .mov, does anyone know why that might be?
That's the real security flaw. OS X relies on accurate file extensions to determine what is "safe" -- but in fact, so do we (the human users). Just turning off auto-open safe files in Safari prefs doesn't help if the file still looks completely harmless on the Desktop.

A system that requires a "Get Info" on every download doesn't qualify as safe in my book -- although this does seem to work. The example exploit at the top of this thread is, in fact, listed as "Kind: Terminal Document" in the Info window. But expecting any user to do this every time is silly: power users "won't have time" and retail users may not understand the issue.


Using Automator it makes an Application that is named Terminal.app, you rename the old (and original) terminal to .Terminal.app (with the . at the beginning).

When a script launches the (automator) Terminal.app it asks if you would like to open the (original) Terminal app, and if you click yes, then it opens the real one.
This sounds like a good idea, but it's not clear to me how one gets the file itself to open in Terminal automatically. Which is to say, it's easy to rename Terminal, create a script to ask whether to open Terminal, and then launch Terminal, but then what?

You'd have to File --> Open... the file from within Terminal, I guess?

The best solution would be one that checks the extension that the file displays against the "Kind" of file it is. If the file wants its visible name to end in a .xxx that looks like it isn't executable, when the "Kind" is, then we should get a warning of some sort.
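The check this post asks for (and the `file filename` advice earlier in the thread), as an added example that is not from any poster: compare a download's visible extension against the magic bytes that type must start with, so a shell script or an XML plist (a Terminal document, for instance) renamed to .mov is flagged. The sample files are constructed here; the table of extensions is this example's own choice.

```shell
# Added example, not code from the thread: flag downloads whose name claims a
# harmless media/document type while the content does not match that type's
# header (e.g. a shell script or a plist saved as "something.mov").

# Hex of the first 8 bytes of a file, lowercase, no separators.
first_bytes_hex() {
  head -c 8 "$1" | od -An -tx1 | tr -d ' \n'
}

# check_download FILE: 0 = content matches extension, 1 = mismatch,
#                      2 = extension not in the table below (nothing to compare)
check_download() {
  name=${1##*/}
  case "$name" in
    *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
    *)   return 2 ;;
  esac
  hex=$(first_bytes_hex "$1")
  case "$ext" in
    # QuickTime/MP4: bytes 4-7 are an atom type such as ftyp, moov or mdat
    mov|mp4|m4v) case "$hex" in
      ????????66747970*|????????6d6f6f76*|????????6d646174*) return 0 ;; esac ;;
    png)      case "$hex" in 89504e470d0a1a0a*) return 0 ;; esac ;;
    jpg|jpeg) case "$hex" in ffd8ff*) return 0 ;; esac ;;
    pdf)      case "$hex" in 25504446*) return 0 ;; esac ;;
    zip)      case "$hex" in 504b0304*|504b0506*) return 0 ;; esac ;;
    *)        return 2 ;;
  esac
  case "$hex" in
    2321*)       echo "SUSPECT: $1 claims .$ext but starts with #! (a script)" ;;
    3c3f786d6c*) echo "SUSPECT: $1 claims .$ext but is XML text (a plist, e.g. a Terminal document?)" ;;
    *)           echo "SUSPECT: $1 claims .$ext but its header ($hex) does not match" ;;
  esac
  return 1
}

# Constructed sample downloads (not real files from the thread): a script
# named as a movie, a genuine QuickTime header, a PDF, and a plist named .mov.
make_samples() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho "Hallo Welt"\n'     > "$dir/hallo.mov"
  printf '\000\000\000\024ftypqt  \000\000'   > "$dir/clip.mov"
  printf '%%PDF-1.4\n%%constructed\n'         > "$dir/paper.pdf"
  printf '<?xml version="1.0"?>\n<plist/>\n'  > "$dir/settings.mov"
  echo "$dir"
}

for f in "$(make_samples)"/*; do
  check_download "$f" && echo "OK: $f"
done
```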

XFce
Apr 9, 2006, 11:43 PM
Safari Menu > Preferences > General

Uncheck 'Open "safe" files after downloading'

I unchecked the option in Safari's control panel that says "Open 'safe' files after downloading", then proceeded to go to a website that had a QuickTime video to see if the settings applied. The video that I clicked on downloaded on to my desktop and did not ask me for my permission to download, and then execute, the video. I hope that this is a bug because I do not like the idea of miscellaneous files having privileges to download executables on to my Mac without asking for permission.

Leondunkleyc
Apr 11, 2006, 05:52 PM
.