Old May 17, 2004, 05:11 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Mac OS X Security Issue: Local Scripts

Infoworld reports on a new security vulnerability that affects Mac OS X/Safari.

The vulnerability involves the ability for Safari to run arbitrary local scripts on an end-user's computer. In order to accomplish this, a disk image must first be downloaded from the "attacking" website, but this can be tied to a single click.

A demonstration can be found at insecure.ws.
Old May 17, 2004, 05:20 PM   #2
PolarbearTed
macrumors newbie
 
Join Date: May 2004
Quote:
Originally Posted by Macrumors
Infoworld reports on a new security vulnerability that affects Mac OS X/Safari.

The vulnerability involves the ability for Safari to run arbitrary local scripts on an end-user's computer. In order to accomplish this, a disk image must first be downloaded from the "attacking" website, but this can be tied to a single click.

A demonstration can be found at insecure.ws.
I just read this article on another site, but thanks for the link. I did the demonstration and it indeed is a vulnerability.

I altered some of my settings for Safari as was suggested, but I cannot find where to alter this setting:

- change the help helper in InternetConfig (better protection)

If anyone could point me in the right direction, that'd be much appreciated!

Cheers,

PolarbearTed
Old May 17, 2004, 05:22 PM   #3
aethier
macrumors 6502a
 
 
Join Date: Feb 2003
Location: Montréal, Canada
Anyway, most people tend not to exploit OS X security holes, due to the small number of people it would harm; we are deemed as a group not worth the effort of a virus...

aethier
Old May 17, 2004, 05:22 PM   #4
Krizoitz
macrumors 6502a
 
 
Join Date: Apr 2003
Location: Seattle, WA USA
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.
Old May 17, 2004, 05:22 PM   #5
nagromme
macrumors 601
 
 
Join Date: May 2002
Location: Blinking blue dot
Testing it out now

No. But at least Apple's issues are fewer, and patched quicker, than in Windows.

Besides, this issue may not even be real. I'm just now trying the demonstration and it doesn
Old May 17, 2004, 05:23 PM   #6
Skiniftz
macrumors 6502
 
Join Date: Jan 2004
Location: UK
Quote:
Originally Posted by Krizoitz
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.
You don't call the ability to run a rm -Rf / on your Mac critical??
Old May 17, 2004, 05:25 PM   #7
Chip NoVaMac
macrumors 601
 
 
Join Date: Dec 2003
Location: Northern Virginia
Oh great why not tell them all how to do it!
Old May 17, 2004, 05:30 PM   #8
Skiniftz
macrumors 6502
 
Join Date: Jan 2004
Location: UK
Quote:
Originally Posted by Chip NoVaMac
Oh great why not tell them all how to do it!
If I wanted to be mean I'd post a script to email copies of itself to everyone in your Mac address book, launched from this exploit (it renders HTML using the Safari engine, remember).

I can imagine it now - FREE XXX PR0N CLICK HERE!! *clickety*
Old May 17, 2004, 05:36 PM   #9
leftbanke7
macrumors 6502a
 
 
Join Date: Feb 2004
Location: West Valley City, Utah
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing about how we have no viruses/trojan horses/etc. and, lo and behold, we get two issues in a week. It is almost as if we dared them to come up with these, and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.
Old May 17, 2004, 05:37 PM   #10
PolarbearTed
macrumors newbie
 
Join Date: May 2004
I think you shouldn't look at it as such a bad thing; no operating system is going to be completely secure. So what if a couple of vulnerabilities come out every so often? They are fewer and less dramatic than the worms and security issues some Windows users need to deal with.

For those of you interested, I ran the script and it needs to be addressed, since dodgy stuff could be done. But follow the suggestions on the site.


PolarbearTed
Attached image: screen.jpg (66.7 KB)
Old May 17, 2004, 05:41 PM   #11
Lancetx
macrumors 65816
 
 
Join Date: Aug 2003
Location: Texas
Quote:
Originally Posted by leftbanke7
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing about how we have no viruses/trojan horses/etc. and, lo and behold, we get two issues in a week. It is almost as if we dared them to come up with these, and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.
It's not a "holier than thou" attitude, it's just how things really are. To quote an old phrase, if something is the truth then it ain't bragging. Despite the past week's events (which have been highly blown out of proportion BTW) I'll continue to take my chances with OS X over Windows any day of the week...
Old May 17, 2004, 05:42 PM   #12
Mudbug
macrumors god
 
 
Join Date: Jun 2002
Location: Northwest Louisiana
While this is unsettling at best, at least the folks who took the time to make the test file had a sense of humor and named their .txt file "owned".

The only good thing about this is that it's REALLY easy to keep from happening.
Old May 17, 2004, 05:48 PM   #13
leftbanke7
macrumors 6502a
 
 
Join Date: Feb 2004
Location: West Valley City, Utah
Quote:
Originally Posted by Lancetx
It's not a "holier than thou" attitude, it's just how things really are. To quote an old phrase, if something is the truth then it ain't bragging. Despite the past week's events (which have been highly blown out of proportion BTW) I'll continue to take my chances with OS X over Windows any day of the week...
Oh, I agree, OSX is a far superior OS to Windows; however, sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much. For the longest time, the rallying cry of many was that OSX had no viruses/trojans/etc., and we hammered this point to death whenever an OSX vs. Windows argument would arise. It was only a matter of time before somebody decided to drop us down a peg or two, and we are now seeing the beginnings of this. I say we should still tell the world about how great an OS Apple has, but perhaps we shouldn't be so matter-of-fact about it.
Old May 17, 2004, 05:55 PM   #14
Skiniftz
macrumors 6502
 
Join Date: Jan 2004
Location: UK
Evil Ideas

I don't know what would be worse - deleting data or emailing random iPhoto pics to random people on your address list...
Old May 17, 2004, 05:57 PM   #15
ryanw
macrumors 6502
 
Join Date: Oct 2003
This is ridiculous. Come on... you can disable the feature in Safari that auto-opens .dmg files. This is just like posting an .EXE file that is a virus or trojan or something on a website, clicking on it and telling it to open.

This comes down to "THE WEB", not Safari, not OSX, not Apple. If you are clicking on things, you should know what you're clicking on. You could sign your life away or do extremely illegal things in a few mouse clicks if you are just happily clicking away.

Do we need to start advertising in schools like they did in the 80s with "Don't take candy from strangers."? Now we'll have it say, "Don't click on links on stranger's websites."
Old May 17, 2004, 05:59 PM   #16
forrest
macrumors newbie
 
Join Date: May 2004
This is a good thing.

I have used Apples since the Apple II and have always felt safer than when using a PC. However, just because we have a small user base does not mean we are not vulnerable. There are many people who despise the Mac OS and would love to exploit its security flaws. We are lucky that we have these people exposing these flaws prior to any harm being done. The whole Intego thing, claiming to have found the first trojan, was sketchy and ridiculous, but it is a good thing that people are willing to write proofs of concept to better secure our beloved OS. It is the publicity of these holes that will only make the Mac OS more secure. And to end, a quote from the website which posted this PoC.

Quote:
It is often like that with computer security problems, it's better to cut the problem at the root because you can never think of all the possibilities. Some things should be strictly forbidden (like executing code from within HTML, that's why Internet Explorer has sooo many problems: it uses language extensions, vb scripting and so on
I have been wary of Safari since its birth because of its ability to run code; web integration is not needed. Keep the browser a browser and the computer hard drive private. Let users decide what is run on their computer, not some web programmer, no matter how noble their intentions.
Old May 17, 2004, 06:23 PM   #17
Spades
macrumors 6502
 
Join Date: Oct 2003
This is the first one that I would call a vulnerability. It's pretty convoluted too. It looks like you have to download and automount the dmg before Help runs and executes the script contained within. This is pretty hit and miss: sometimes it works, sometimes it doesn't. The reason this is a vulnerability, though, is that a webpage can open an application external to the browser and tell it to perform an arbitrary command on the user's system. That part I do not like. Even if this particular attack has a decent chance of failing (but also a chance of succeeding), the arbitrary execution is a weak link just waiting to be exploited.

But, if you just disable the opening of "safe" files automatically, that will protect you for now. I just think it's only a matter of time before somebody exploits Help to do something really dangerous.
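The two mitigations the thread keeps coming back to (post #2's "change the help helper", post #17's "disable the opening of 'safe' files automatically") are both per-user preferences, so they can be audited. The script below is an added example, not code from the thread, from insecure.ws or from Apple. It assumes Safari stores the "Open 'safe' files after downloading" switch under the key AutoOpenSafeDownloads in com.apple.Safari (the key current Safari uses; that the 2004 build used the same key is an assumption), and that the help: URL-scheme handler can be read from a LaunchServices LSHandlers list (the layout later macOS releases use; the InternetConfig storage the thread refers to is different). The plist paths are assumptions too, and can be overridden on the command line so copied preference files can be checked offline.

```python
"""Audit the two per-user settings the thread's mitigations depend on.

Added example, not from the thread or from Apple. Checks:
  1. Safari's "Open 'safe' files after downloading" switch
     (assumed key: AutoOpenSafeDownloads in com.apple.Safari).
  2. Which application is registered for the help: URL scheme
     (assumed layout: an LSHandlers array of dicts in a LaunchServices plist).
Usage:  python audit_help_prefs.py [safari.plist launchservices.plist]
With no arguments the current user's (assumed) preference paths are read.
"""
import os
import plistlib
import sys

# Assumed locations; pass explicit paths to audit copied files instead.
SAFARI_PLIST = os.path.expanduser("~/Library/Preferences/com.apple.Safari.plist")
LS_PLIST = os.path.expanduser(
    "~/Library/Preferences/com.apple.LaunchServices/"
    "com.apple.launchservices.secure.plist")

# Bundle identifier of Apple's Help Viewer, the application the thread
# says ends up running the script from the mounted disk image.
HELP_VIEWER = "com.apple.helpviewer"


def load_plist(path):
    """Return the plist as a dict; a missing file means built-in defaults apply."""
    try:
        with open(path, "rb") as fh:          # plistlib reads XML and binary plists
            return plistlib.load(fh)
    except FileNotFoundError:
        return {}


def auto_open_enabled(safari_prefs):
    """True if Safari will open (and so mount) a downloaded .dmg by itself.

    Safari ships with the switch on, so an absent key counts as enabled.
    """
    return bool(safari_prefs.get("AutoOpenSafeDownloads", True))


def scheme_handler(ls_prefs, scheme="help"):
    """Bundle ID explicitly registered for `scheme`, or None if none is set."""
    for entry in ls_prefs.get("LSHandlers", []):
        if entry.get("LSHandlerURLScheme", "").lower() == scheme.lower():
            return entry.get("LSHandlerRoleAll") or entry.get("LSHandlerRoleViewer")
    return None


def audit(safari_prefs, ls_prefs):
    """Return a list of findings; an empty list means both mitigations are in place."""
    findings = []
    if auto_open_enabled(safari_prefs):
        findings.append(
            "Safari opens 'safe' downloads automatically (AutoOpenSafeDownloads "
            "is on): a .dmg served by a web page is mounted without a prompt")
    handler = scheme_handler(ls_prefs)
    if handler is None or handler.lower() == HELP_VIEWER:
        findings.append(
            "help: URLs are handled by Help Viewer (%s): reassign the scheme "
            "to an application that does nothing with them"
            % (handler or "system default"))
    return findings


def main(argv):
    if len(argv) == 3:
        safari_path, ls_path = argv[1], argv[2]
    else:
        safari_path, ls_path = SAFARI_PLIST, LS_PLIST
    findings = audit(load_plist(safari_path), load_plist(ls_path))
    if not findings:
        print("OK: auto-open is off and help: is not routed to Help Viewer")
        return 0
    for finding in findings:
        print("WARN:", finding)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Turning the switch off removes the "single click" part of the attack (the image is still downloaded, but not mounted); reassigning the help: handler removes the part that runs the script, which is why the thread treats the second change as the stronger protection. Neither check can tell you whether a disk image has already been mounted.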
Old May 17, 2004, 06:28 PM   #18
peterjhill
macrumors 65816
 
 
Join Date: Apr 2002
Location: Seattle, WA
Quote:
Originally Posted by Skiniftz
You don't call the ability to run a rm -Rf / on your Mac critical??

It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission to. Now, doing:

rm -rf ~/ would surely piss a few people off.
Old May 17, 2004, 06:29 PM   #19
elmimmo
macrumors 6502
 
Join Date: Apr 2002
Location: Spain
Quote:
Originally Posted by ryanw
This is rediculous. Comeon .. you can disable the feature in Safari to auto open the .dmg files. This is just like posting an .EXE file that is a virus or trojan or something on a website and clicking on it and telling it to open.
There is NO way in Windows (no way that is not a bug) to bypass an alert window after clicking on a link that points to an .exe
Quote:
Originally Posted by peterjhill
It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission to.
Oh great... So you are implying that the script cannot delete my system, which I can reinstall any time, only all my private documents, music, photos, etc., which cannot be "reinstalled" unless you've got a backup of the >100GB HDD that usually ships today. A really positive remark...

Old May 17, 2004, 06:30 PM   #20
Skiniftz
macrumors 6502
 
Join Date: Jan 2004
Location: UK
Quote:
Originally Posted by peterjhill
It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission to. Now, doing:

rm -rf ~/ would surely piss a few people off.
rm -Rf / would do the same thing, except to all files you could delete, not just limited to your home folder. The OS can always be reinstalled. Your files and configs cannot be so easily.
Old May 17, 2004, 06:31 PM   #21
varmit
macrumors 68000
 
 
Join Date: Aug 2003
Location: NJ
ummm

Isn't this just running a program that will kill everything in the user folder? It still takes the user to click on it, it only affects the user and not the whole system, and it doesn't replicate to other computers.

But I like to know about these things, even though it's a manual download and start of the program. So it's a bit like guessing whether someone's freeware open source stuff is going to bite you.
Old May 17, 2004, 06:31 PM   #22
encro
macrumors 6502
 
Join Date: May 2002
Location: bendigo.victoria.au
I would like to point out that this will happen with *ANY* browser or download manager on OS X and not just Safari.

It's rather clever actually
Old May 17, 2004, 06:32 PM   #23
corvus
macrumors newbie
 
Join Date: Mar 2004
gullible, non-thinking sheepeople spread viruses

Quote:
Originally Posted by Skiniftz
If I wanted to be mean I'd post a script to email copies of itself to everyone in your Mac address book, launched from this exploit (it renders HTML using the Safari engine, remember).

I can imagine it now - FREE XXX PR0N CLICK HERE!! *clickety*
your point exactly.

Most viruses, etc., spread through the principles of social engineering. Gullible, non-thinking sheepeople spread viruses.

Anyone with a brain will never be caught by anything like this.
Old May 17, 2004, 06:48 PM   #24
hulugu
macrumors 68000
 
 
Join Date: Aug 2003
Location: The Old Palace Yard

Quote:
Originally Posted by leftbanke7
Oh, I agree, OSX is a far superior OS than Windows however sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much...I say we still should tell the world about how great an OS Apple has but perhaps we shouldn't be so matter-of-fact about it.
Actually, I've been critical of Microsoft not just because of its vulnerabilities but because of their response, which has often been to break the feature rather than fix the initial flaw.
Apple's response to these challenges, especially if quick and accurate, will do more for my confidence than the supposed lack of flaws. Every OS has flaws, but it is the vendor's response to the flaws that is important.
Think of it this way: an OS is a cruise ship continually fired upon by an enemy of pirates and miscreants. Sometimes the OS will take a hit, but it is the response to that hit (defend the damaged section, seal the hull, put out the fire, or ignore it, dog the hatches and hope it will go away) that decides the ultimate vulnerability of the OS.
So far Microsoft has been telling passengers that the ship is fine, to ignore the smoke and the guy with the parrot who keeps drinking all the martinis.
Old May 17, 2004, 06:49 PM   #25
Computer_Phreak
macrumors 6502
 
Join Date: Jul 2002
Quote:
Originally Posted by Krizoitz
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.

Oh please... there are lots of companies that make their money by finding only vulnerabilities in Linux or Windows. All of these flaws need to be addressed, no matter how seemingly trivial.

Take a look outside the Mac realm and you'll see security is a _huge_ issue.