Multiple Security Vulerabilities Found In Apple's Disk Image Software

[MacRumors]

http://www.macrumors.com/images/macrumorsthreadlogo.gif

The "Month of Kernel Bugs" project has found two unpatched security vulnerabilities in the way Mac OS X handles .dmg files.

The first vulnerability, rated "highly critical" by security-firm Secunia, can lead to privilege escalation, denial of service, and system access by a remote user (if Safari's open "safe" files option is checked).

The second issue is similar in nature, in that a corrupted UDTO HFS+ .dmg (ex. bad sectors) can lead to a denial of service condition.

A workaround for both issues is to disable Safari's option to open "safe" files after downloading, and to not open any .dmg file from a source you do not trust.

The latest findings increase the total to four security bugs found in Apple's software since the beginning of the project this month (See also: Airport Driver Exploit , fpathconf() Exploit ). The project has also targeted Windows, Linux, and other popular BSD distributions, with a stated goal to "check how many unreported and unknown issues can be found in kernel code out there, using simple, yet effective tools deploying techniques such as fuzzing and 'stress testing'."

[Drizzt]

Can someone translate this for the layman?

[longofest]

Hey guys... didn't post this as FUD... just wanted to get the word out on the vulnerabilities, and to make sure everyone has that option disabled in Safari.

[longofest]

Quote:

Originally Posted by Drizzt

Can someone translate this for the layman?

Sorry about that... these security things can be a bit tech-heavy.

Both vulnerabilities can potentially allow someone to post a disk image (like what you download software on) on a website and craft it in such a way that they could remotely take over your computer. Since some pages can even be written so that you don't even have to click on a link to download a file, it is even more sinister since you may not even think you have downloaded the file.

In order to mitigate the risk until Apple posts a patch, you should either use another browser other than Safari, or go into Safari's preferences and turn off "automatically open safe files" option. Also, don't open any .dmg files that you don't trust.

[Dunepilot]

This'll be patched before we know it.

[x86isslow]

Is this only relevant for people who use Safari? I have similar auto-run operations in Adium (Accept Safe Files from Buddies) and Camino (Open safe files).

[k2k koos]

I'm glad there are people that do the right thing with what they find, report it so that the software companies can improve their code. No one will claim that
Apple's software is flawless, but it is very very solid. I wonder what they found in the Windows and Linux OS's. Probably a thing or two too.

[shawnce]

Quote:

Originally Posted by x86isslow

Is this only relevant for people who use Safari? I have similar auto-run operations in Adium (Accept Safe Files from Buddies) and Camino (Open safe files).

No it is not related to Safari.

It is related to opening a malicious disk image, which as you point out can automatically be opened by various pieces of software that are used to download or transmit files.

[SC68Cal]

There is always work to be done.

[Analog Kid]

Interesting that there's only one Windows flaw listed and a bunch of OS X and Linux bugs. Is that because of audience?

[swingerofbirch]

Is this why Apple lists safe in quotations marks, as to suggest sarcasm? lol......

[BlueRevolution]

Yeah, "safe" files are always a little suspect. If Apple would just have decent validation in place we'd be fine. It would also be nice to have some sort of intelligent system that can recognise files disguised as other files (shell scripts as JPEGs, for instance).

Quote:

Originally Posted by x86isslow

Is this only relevant for people who use Safari? I have similar auto-run operations in Adium (Accept Safe Files from Buddies) and Camino (Open safe files).

I wouldn't trust anything that says open safe files, but Adium's accept safe files should be okay. I leave it on because I'm not always around when people send me things, although it leads to those "you accepted the file, I know you're there" moments that are always slightly awkward.

[Counterfit]

Quote:

Originally Posted by k2k koos

I'm glad there are people that do the right thing with what they find, report it so that the software companies can improve their code.

I hope they reported it to Apple before releasing the info to the general public.

Quote:

No one will claim that Apple's software is flawless, but it is very very solid. I wonder what they found in the Windows and Linux OS's. Probably a thing or two too.

Careful with the return button.

Quote:

Originally Posted by Analog Kid

Interesting that there's only one Windows flaw listed and a bunch of OS X and Linux bugs. Is that because of audience?

Probably. They couldn't possibly only have found one bug in Windows in the span of a month.

[Westside guy]

Quote:

Originally Posted by Counterfit

I hope they reported it to Apple before releasing the info to the general public.

HAHAHAHAHAHAHAHA!!! Oh wait, like a responsible person you figured these guys were behaving responsibly - but they're not. They're grandstanding. They are probably not particularly interested in helping security, whatever they say they're doing - they're just trying to get some "me too" hacker cred (following the lead of the "month of browser exploits" project from a while back).

Their seems to be an element of resentment towards OS X among some of the Linux crowd because it's getting a lot of traction in, of all things, the Linux crowd. I suspect that has played a part in what bugs they've chosen to start off with.

Note that I'm not saying these aren't significant security issues - they most certainly are.

[FFTT]

This vulnerability would mostly affect those downloading .dmg installers
from unknown sources on P2P networks.

In that situation anyone can mis-label malware as a desirable application
just waiting for you to drop your guard.

It's quite simple really , if you're dowloading an application from an unknown
source and you authorize the installation of that application with your administrative password or drag install the application while logged on as administrator, you're asking for it.

[crees!]

Quote:

Originally Posted by longofest

Hey guys... didn't post this as FUD... just wanted to get the word out on the vulnerabilities, and to make sure everyone has that option disabled in Safari.

Quote:

Multiple Security Vulerabilities Found In Apple's Disk Image Software

Multiple? I only read 2 regarding disk images. Multiple makes me think like 7 or something.

[ero87]

Quote:

Originally Posted by crees!

Multiple? I only read 2 regarding disk images. Multiple makes me think like 7 or something.

umm... multiple. more than one.

[Jbook]

"vulerabilities"? its vulnerabilities...

[PODshady]

Quote:

Originally Posted by longofest

Hey guys... didn't post this as FUD... just wanted to get the word out on the vulnerabilities, and to make sure everyone has that option disabled in Safari.

Yeah... I have it disabled in Safari anyway because I find it very annoying when I have a ton of downloads going at once and then screens pop up opening the files... it is very distracting and gets in the way when I am doing other work while the files download.

[whooleytoo]

Quote:

Originally Posted by FFTT

It's quite simple really , if you're dowloading an application from an unknown
source and you authorize the installation of that application with your administrative password or drag install the application while logged on as administrator, you're asking for it.

Define an "unknnown source". Does that mean you'll never download any shareware/freeware again? Hell, even Apple shipped iPods with viruses on them. The point is, you just don't know if/when/where you're safe.

Which is why I've always thought the usual "you can't engineer for stupid users" is an easy, lazy cop-out.

[mkrishnan]

Good find. This is definitely good information. Hopefully it will allow Apple to continue to improve its security performance by patching these and also identifying any underlying common elements in how it handles disk images.

[pjo]

Quote:

Originally Posted by Counterfit

Quote:

Probably. They couldn't possibly only have found one bug in Windows in the span of a month.

Looking at the actual advisories, and exploits, I'd say no. Most of their advisories deal with "incorrect handling of corrupt data structures" in one filesystem or another (yes the dmg file can be regarded as a filesystem). This would point more to a somewhat common coding error that has been carried on through Linux, FreeBSD and hence OS X than to a witch hunt.

If they listed say, lots of buffer (over/under)flows, then maybe you could say they're targeting UN*X based OSes... given that most Windows flaws come from unchecked buffers AFAIK.

[FFTT]

Quote:

Originally Posted by whooleytoo

Define an "unknnown source". Does that mean you'll never download any shareware/freeware again? Hell, even Apple shipped iPods with viruses on them. The point is, you just don't know if/when/where you're safe.

Which is why I've always thought the usual "you can't engineer for stupid users" is an easy, lazy cop-out.

Generally you're pretty safe downloading from the software developer, Version Tracker, MacUpdate and so on.

It's when people download questionable applications from P2P servers, that
they put themselves at risk.

If something is asking for your administrative password, hopefully you know where it came from.

[rahrens]

There was a vulnerability, much publicized at the time, regarding Safari and Widgets, the fix for which was to uncheck that same box, disallowing the automatic opening of downloaded files.

Savvy Mac users have kept that check box unchecked ever since...

These may be new vulnerabilities, but they aren't as dangerous because of the earlier bug - at least for folks paying attention!

And yes, you are right, this is a grandstanding event, this month these guys are supposed to be releasing a vulnerability a day all month, and yeah, the first bug they released was about the Mac! Their initial statement was that manufacturers have been notified, but didn't specify just when, IIRC.

[whooleytoo]

Quote:

Originally Posted by FFTT

Generally you're pretty safe downloading from the software developer, Version Tracker, MacUpdate and so on.

Generally, you may be; but you just don't know. If the writer of a piece of malware (spyware in particular) is subtle enough in his methods, it would be very difficult to know if your machine is compromised or not; and hence it's difficult to know which sources are trustworthy or not.

Note, I'm not saying there's a lot of Mac spyware out there, just that our security is based too much on (in my opinion, unwarranted) trust.