Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
55,464
17,803
Infoworld reports on a new security vulnerability that affects Mac OS X/Safari.

The vulnerability involves the ability for Safari to run arbitrary local scripts on an end-user's computer. In order to accomplish this, a Disk Images must first be downloaded from the "attacking" website but can be tied to a single click.

A demonstration can be found at insecure.ws.
 

PolarbearTed

macrumors newbie
May 17, 2004
26
0
Macrumors said:
Infoworld reports on a new security vulnerability that affects Mac OS X/Safari.

The vulnerability involves the ability for Safari to run arbitrary local scripts on an end-user's computer. In order to accomplish this, a Disk Images must first be downloaded from the "attacking" website but can be tied to a single click.

A demonstration can be found at insecure.ws.

I just read this article on another site, but thanks for the link. I did the demonstration and it indeed is a vulnerability.

I altered some of my settings for safari as was suggested but I cannot find where to alter this setting:

- change the help helper in InternetConfig (better protection)

If anyone could point in me in the right direction, that'd be much appreciated!

Cheers,

PolarbearTed
 

aethier

macrumors 6502a
Feb 1, 2003
594
0
Montréal, Canada
anyways, most people tend to not exploit os x security holes, do to the little amount of people it would harm, we are deemed as a group not worth the effort of a virus...

aethier
 

Krizoitz

macrumors 68000
Apr 26, 2003
1,631
1,621
Tokyo, Japan
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Testing it out now

No. But at least Apple's issues are fewer, and patched quicker, than in Windows.

Besides, this issue may not even be real. I'm just now trying the demonstration and it doesn
 

Skiniftz

macrumors 6502
Jan 18, 2004
282
1
Krizoitz said:
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.
You don't call the ability to run a rm -Rf / on your Mac critical??
 

Skiniftz

macrumors 6502
Jan 18, 2004
282
1
Chip NoVaMac said:
Oh great why not tell them all how to do it!
If I wanted to be mean I'd post a script to email copies of itself to everyone in your mac address book launched from this exploit (it renders HTML using the Safari engine remember).

I can imagine it now - FREE XXX PR0N CLICK HERE!! *clickety*
 

leftbanke7

macrumors 6502a
Feb 4, 2004
746
1
West Valley City, Utah
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and low and behold, we get two issues in a week. It is almost as we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.
 

PolarbearTed

macrumors newbie
May 17, 2004
26
0
I think you shouldn't look at it as such a bad thing, no operating system is going to be completely secure. So what, a couple of vulnerabilities come out every so often, but they are fewer and less dramatic then the worms and security issues some windows users need to deal with.

For those of you interested, I ran the script and it needs to be addressed, since dodgy stuff could be done. But follow the suggestions on the site.


PolarbearTed
 

Attachments

  • screen.jpg
    screen.jpg
    66.7 KB · Views: 1,600

Lancetx

macrumors 68000
Aug 11, 2003
1,991
619
leftbanke7 said:
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and low and behold, we get two issues in a week. It is almost as we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.

It's not a "holier than thou" attitude, it's just how things really are. To quote an old phrase, if something is the truth then it ain't bragging. Despite the past week's events (which have been highly blown out of proportion BTW) I'll continue to take my chances with OS X over Windows any day of the week...
 

Mudbug

Administrator emeritus
Jun 28, 2002
3,848
1
North Central Colorado
while this is unsettling at best, at lest the folks who took the time to make the test file had a sense of humor and named their .txt file "owned"

The only good thing about this is that it's REALLY easy to keep from happening.
 

leftbanke7

macrumors 6502a
Feb 4, 2004
746
1
West Valley City, Utah
Lancetx said:
It's not a "holier than thou" attitude, it's just how things really are. To quote an old phrase, if something is the truth then it ain't bragging. Despite the past week's events (which have been highly blown out of proportion BTW) I'll continue to take my chances with OS X over Windows any day of the week...

Oh, I agree, OSX is a far superior OS than Windows however sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much. For the longest time, the rally cry of many was that OSX had no viruses/trojans/etc and we hammered this point to death when a OSX vs Windows argument would arrise. It was only time before somebody decided to drop us down a peg or two and we are now seeing the beginnings of this. I say we still should tell the world about how great an OS Apple has but perhaps we shouldn't be so matter-of-fact about it.
 

Skiniftz

macrumors 6502
Jan 18, 2004
282
1
Evil Ideas

I don't know what would be worse - deleting data or emailing random iPhoto pics to random people on your address list...
 

ryanw

macrumors 6502
Oct 21, 2003
307
0
This is rediculous. Comeon .. you can disable the feature in Safari to auto open the .dmg files. This is just like posting an .EXE file that is a virus or trojan or something on a website and clicking on it and telling it to open.

This comes down to "THE WEB", not Safari, not OSX, not Apple. If you are clicking on things, you should know what you're clicking on. You could sign your life away or do extreamly illegal things in a few mouse clicks if you are just happily clicking away.

Do we need to start advertising in schools like they did in the 80s with "Don't take candy from strangers."? Now we'll have it say, "Don't click on links on stranger's websites."
 

forrest

macrumors newbie
May 17, 2004
1
0
This is a good thing.

I have used Apple's since the Apple II and have always felt safer than using a PC. However, just because we have a small user base does not mean we are not vulenerable. There are many people who despise the Mac OS and would love to exploit its security flaws. We are lucky that we have these people exposing these flaws prior to any harm being done. The whole Intego thing claiming to have found the first trojan was sketchy and ridiculus, but, it is a good thing that people are willing to write proof of concepts to better secure our beloved OS. It is the publicity of these holes that will only make the Mac OS more secure. And to end, a quote from the website which posted this poc.

It is often like that with computer security problems, it's better to cut the problem at the root because you can never think of all the possibilities. Some things should be strictly forbidden (like executing code from within HTML, that's why Internet Explorer has sooo many problems: it uses language extensions, vb scripting and so on

I have been wary of Safari since its birth because of it's ability to run code, web integration is not needed. Keep the browser a browser and the computer harddrive private. Let users decide what is run on their computer, not some web programmer, not matter how noble their intentions.
 

Spades

macrumors 6502
Oct 24, 2003
461
0
This is the first one that I would call a vulnerability. It's pretty convoluted too. It looks like you have to download and automount the dmg before help runs and executes the script contained within. This is pretty hit and miss. Sometimes it works, sometimes it doesn't. The reason this is a vulnerability though is that a webpage can open an application external to the browser and tell it to perform an arbitrary command on the user's system. That part I do not like. Even if this particular attack has a decent chance of failing (but also a chance of succeeding), the arbitrary execution is a weak link just waiting to be exploited.

But, if you just disable the opening of "safe" files automatically, that will protect you for now. I just think it's only a matter of time before somebody exploits Help to do something really dangerous.
 

peterjhill

macrumors 65816
Apr 25, 2002
1,095
0
Seattle, WA
Skiniftz said:
You don't call the ability to run a rm -Rf / on your Mac critical??


It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission in. Now, doing:

rm -rf ~/ would surely piss a few people off.
 

elmimmo

macrumors 6502
Apr 18, 2002
265
0
Spain
ryanw said:
This is rediculous. Comeon .. you can disable the feature in Safari to auto open the .dmg files. This is just like posting an .EXE file that is a virus or trojan or something on a website and clicking on it and telling it to open.
There is NO way in Windows (no way that is not a bug) to bypass an alert window after clicking on a link that points to an .exe
peterjhill said:
It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission in.
Oh great... So you are implying that the script cannot delete my system, which I can reinstall anytime, only all my private documents, music, photos, etc... which cannot be "reinstalled" unless you've got a backup of the >100GB HDD that usually ship today. A really positive remark...
 

Skiniftz

macrumors 6502
Jan 18, 2004
282
1
peterjhill said:
It would not be as horrible as you think... Most people do not run Safari as root. Running that command would only delete things that you had write permission in. Now, doing:

rm -rf ~/ would surely piss a few people off.

rm -Rf / would do the same thing, except to all files you could delete, not just limited to your home folder. The OS can always be reinstalled. Your files and configs cannot be so easily.
 

varmit

macrumors 68000
Aug 5, 2003
1,830
0
ummm

Isn't this just running a program that will kill everything in the user folder. Still takes the user to click on it, it only affects the user and not the whole system, doesn't replicate to other computers.

But I like to know about these things, even though its manual download and start of the program. So its a like guessing if someones freeware open source stuff is not going to bight you.
 

corvus

macrumors member
Mar 12, 2004
32
0
gullible, non-thinking sheepeople spread viruses

Skiniftz said:
If I wanted to be mean I'd post a script to email copies of itself to everyone in your mac address book launched from this exploit (it renders HTML using the Safari engine remember).

I can imagine it now - FREE XXX PR0N CLICK HERE!! *clickety*

your point exactly.

most viruses, etc, spread through the principles of social engineering. gullible, non-thinking sheepeople spread viruses.

anyone with a brain will never be caught by anything like this.
 

hulugu

macrumors 68000
Aug 13, 2003
1,834
16,455
quae tangit perit Trump
leftbanke7 said:
Oh, I agree, OSX is a far superior OS than Windows however sometimes, as members of the Mac community, we try to rub it in to the other guys a little too much...I say we still should tell the world about how great an OS Apple has but perhaps we shouldn't be so matter-of-fact about it.

Actually, I've been critical of Microsoft not just because of its vulnerabilities but because of their response which has often been to break the feature rather than fix the initial flaw.
Apple's response to these challenges, especially if quick and accurate will do more for my confidence than the supposed lack of flaws. Every OS has flaws, but it is the vendor's reponse to the flaws that is important.
Think of it this way, an OS is a cruiseship continually fired upon by an enemy of pirates and miscreants. Sometimes the OS will take a hit, but it is the response to that hit: defend the damaged section, seal the hull, put out the fire or ignore it, dog the hatches and hope it will go away, that decides the ultimate vulverability of the OS.
So far Microsoft has been telling passengers that the ship is fine, to ignore the smoke and the guy with the parrot who keeps drinking all the martinis.
 

Computer_Phreak

macrumors 6502
Jul 15, 2002
375
0
Krizoitz said:
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.


Oh please... there are lots of companies that make their money by finding only vulnerabilities in Linux or Windows.... All of these flaws need to be addressed, no matter how seemingly trivial.

Take a look outside the mac realm, and you'll see security is a _huge_ issue.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.