bet we see another vague "security update" in software update that "adds internal functionality to safari" or something like that...

I just think it's funny how upset people get about viruses and security on Windows machines... I have Windows XP (not SP1, either) that has not been updated since installation. I turned off the software update feature altogether when I built the machine, and it's stayed off. I have updated the graphics drivers a couple of times, but really, I just turned the free version of ZoneAlarm on at day 1, and I've had zero security issues to date. Once every 3-4 months I run an online virus check, and I've never had anything on my machine except spyware... which usually came from downloading something I shouldn't have, if you follow.

I sit on a cable connection all day long and somehow have never had to deal with a Windows security problem.

Maybe it's because I don't use IE or Outlook? Opera all the way, baby!

That said... I'm pretty surprised by how easy it was to find such a serious problem in OS X's security... think about this set of easily-scripted actions for a second, if you will:

delete all files in user/Pictures
delete all files in user/Movies
delete all files in user/Music
delete all files in user/Documents
search for folders containing "backup" or "archive", etc and delete them
empty trash.

X
n=n+1
create text document "ow[n+2]ned.n."
save in random folder
go to X

(yes, i know the syntax is wrong, but you get the idea, and i don't want to post the correct syntax, anyway)

point being, there's plenty you can do to cause severe damage without actually going outside the bounds of the "secure" core system. Most mac users aren't going to be like "yeah, it deleted all of my files from the last 2 years, all of my music, photos, and movies, and filled up my entire hard drive with 4k randomized junk files that there is no easy way to remove, but at least it didn't get to my kernel! Man, is OS X secure. I'm sure glad i don't have to press 'remove spyware' once a month like those PeeeCeee guys!"
 
this could be very dangerous

While it is true that this will not self-propagate, it is still very dangerous.

First thing, did the latest security update fix the problem associated with the trojan warning on April 9th?

If not, I can only imagine malware writers out there trying to combine this with that trojan proof of concept so that a .dmg or .app posing as a .doc or .pdf is automounted and/or executed.

This is a very critical flaw that will likely be fixed within the next few days. Either way, it still bothers me.

Hickman
 
elmimmo said:
...unless you've got a backup of the >100GB HDD that usually ship today...

You don't have one???
:D

Seriously, I always buy hard drives in pairs, one for using, one for backing it up (plus a second independent backup on a dedicated server).
 
What about...

Is this vulnerability only looking for items in your user folder?

If you had everything on a 2nd hard drive, would you be immune?
 
speakster said:
Is this vulnerability only looking for items in your user folder?

If you had everything on a 2nd hard drive, would you be immune?

This vulnerability can delete anything that you have access to on your local machine at the time of execution. It can even delete info on mounted network drives with some clever programming.

Hickman
 
A good thread on the topic:

http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1

Conclusions:
The exploit is very serious. Remember, a malicious script would be a small file, so the dmg would download and mount very quickly.
Turning off "Open 'Safe' files after downloading" does NOT help, Safari mounts any disk prefixed with disk://
Someone filed a bug report on it two months ago.
It can affect more than safari because of the way the OS handles addresses.
The best solution, for now, is to download an app that will allow you to change the helper application for "help: " from HelpViewer to something such as Chess.

Also, from Slashdot it appears that the exploit only works on Panther...but don't count on it...
 
PolarbearTed said:
I just read this article on another site, but thanks for the link. I did the demonstration and it indeed is a vulnerability.

I altered some of my settings for safari as was suggested but I cannot find where to alter this setting:

- change the help helper in InternetConfig (better protection)

If anyone could point in me in the right direction, that'd be much appreciated!

Cheers,

PolarbearTed

Isn't InternetConfig from OS 9 days? Oh well, what they really meant was to change what application handles "help:". Change it to something besides Help Viewer. http://www.clauss-net.de/misfox/misfox.html MisFox can do it. Just click on the "Protocol Helpers" tab. I used Address Book instead. Anything will do. Now click the example link and voilà! Nothing happens.

Edit: The MisFox site is in German but the program is in plain English.
 
Krizoitz said:
Is it just me or do these sites seem hell bent on finding ANYthing wrong with OS X. Has anyone actually run across this as being a problem? Any of these supposed CRITICAL security flaws? Nope, didn't think so.

Well, unless you have valuable data on your system, it's not really critical. You might have to reinstall all apps, but else... :rolleyes:
 
Now that Mac OS X is gaining attention, groups out there are trying to prove that Mac OS X is not 100% protected from viruses or attacks. This may be true, but I bet Mac OS X is a lot safer than Windows or Linux. Sure it's not 100% safe, but it's the safest OS out there.
 
Flaws in OS X are nothing new. Some serious, some less so, some fixed quickly some less so, some appearing in the press all together in a bunch, some more spaced out. No OS is perfect and nobody (I hope) ever thought so.

None of this approaches the grim reality of Windows--and NOT just because of target size, but because of fundamental and widespread problems on Microsoft's part.

OS X isn't perfect, just much, much better :)

Will we soon have to stop saying there are no Mac viruses? Will we soon have to say... there is ONE? :) Somebody has to be first! And when it happens, Macs will still be more secure than Windows.
 
There is another vulnerability using telnet, which on the Mac exists with pretty much all browsers, on Windows and Linux apparently only with Opera (pre 7.5). Clicking a URL can write a file anywhere you are allowed to write and can overwrite any file (without warning) whose name and path is known.

http://www.heise.de/newsticker/meldung/47324 (German)
 
ryanw said:
Do we need to start advertising in schools like they did in the 80s with "Don't take candy from strangers."? Now we'll have it say, "Don't click on links on stranger's websites."

Do you read the source code of every page you visit?
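The question above is rhetorical, but the check it points at can be automated. The following is an added example, not code from this thread, from Apple or from any of the posters: a small Python scanner that pulls URL-bearing attributes out of a saved HTML page and flags the schemes the thread discusses (help:, disk:// and telnet:), which Safari and the other browsers of the time handed off to OS helper applications rather than rendering. The sample page is constructed, the example-only URLs in it point nowhere, and the extra schemes file: and ssh: are my assumption of other helper-app schemes worth reviewing.

```python
"""Added example: flag page links whose URL scheme is handed to an OS helper app."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# help:, disk: and telnet: are the schemes discussed in the thread; file: and
# ssh: are assumptions, added because they are also dispatched to helper apps.
SUSPECT_SCHEMES = {"help", "disk", "telnet", "file", "ssh"}

# Attributes that can carry a URL the browser will follow or fetch on its own.
URL_ATTRS = {
    "a": ("href",), "area": ("href",), "link": ("href",),
    "iframe": ("src",), "frame": ("src",), "img": ("src",), "script": ("src",),
    "form": ("action",), "meta": ("content",),
}


def url_scheme(url):
    """Return the lower-cased scheme of a URL, or '' for a relative link."""
    return urlsplit(url.strip()).scheme.lower()


def refresh_target(content):
    """Extract the url= part of a <meta http-equiv="refresh"> content value."""
    _, _, rest = content.partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url="):
        return rest[4:].strip().strip("'\"")
    return None


class LinkAuditor(HTMLParser):
    """Collects (tag, attribute, scheme, url) for every suspect link."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if tag == "meta":
                # Only a refresh directive carries a navigable URL in content=.
                if (attrs.get("http-equiv") or "").lower() != "refresh":
                    continue
                value = refresh_target(value)
                if value is None:
                    continue
            scheme = url_scheme(value)
            if scheme in SUSPECT_SCHEMES:
                self.findings.append((tag, name, scheme, value.strip()))


def audit_html(html):
    """Return every suspect (tag, attribute, scheme, url) found in the page."""
    parser = LinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one ordinary link, one relative link, and three
# links that a browser of the era would hand to a helper application.
SAMPLE_PAGE = """
<html><head>
<meta http-equiv="refresh" content="0; url=telnet://example.invalid/">
</head><body>
<a href="https://example.invalid/news">news</a>
<a href="/about.html">about</a>
<a href="help:example-only">read the manual</a>
<iframe src="disk://example.invalid/image.dmg"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, scheme, url in audit_html(SAMPLE_PAGE):
        print(f"{scheme}: <{tag} {attr}={url!r}>")
```

Run it against a page saved with "Save As... Page Source" (or over a proxy's response bodies) and anything it prints is a link that would have left the browser's sandbox of rendered content. It deliberately does not touch the network, and it only reports; the decision about the page stays with the reader.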
 
Thank you.

jessefoxperry said:
Isn't InternetConfig from OS 9 days? Oh well, what they really meant was to change what application handles "help:". Change it to something besides Help Viewer. http://www.clauss-net.de/misfox/misfox.html MisFox can do it. Just click on the "Protocol Helpers" tab. I used Address Book instead. Anything will do. Now click the example link and voilà! Nothing happens.

Thank you very much. This is helpful and I've passed it on to all of the os x people I know.
 
leftbanke7 said:
Does anybody feel that this, in part, is the Mac community's fault? We go on blabbing how we have no viruses/trojan horses/etc and lo and behold, we get two issues in a week. It is almost as if we dared them to come up with these and now that they have arisen, we are pissed b/c it seems the world is picking apart the Mac OS. Perhaps had we not had this "holier than thou" attitude, we wouldn't be worrying about this.
For a while I thought I was the only one concerned about the same thing. I made the very same comment about too much flag waving. It's pure STUPIDITY to spout off about in a public forum like a child screaming, "You can't catch me, you can't catch me!"

If someone, say a switcher, wants to know if it's true that Macs never get viruses, I suggest pointing them to Apple's website or to their local Apple store.

This is a P.R. game we can all participate in. Lay low, don't talk about it, deny, deny, deny...and hopefully the problem will eventually die out for another 6 or 7 years.
 
Attack!

rt_brained said:
This is a P.R. game we can all participate in. Lay low, don't talk about it, deny, deny, deny...and hopefully the problem will eventually die out for another 6 or 7 years.

I disagree, ignorance is not a good security model, let them attack, attack and attack. There will be flaws, so let's find them and get them fixed.

Let's not worry when a flaw is found, it's natural that there will be some, however they should mostly be less severe than what is found on Windows and also fewer of them.

Cheers, Edward.
 
eddyg said:
I disagree, ignorance is not a good security model, let them attack, attack and attack. There will be flaws, so let's find them and get them fixed.

Let's not worry when a flaw is found, it's natural that there will be some, however they should mostly be less severe than what is found on Windows and also fewer of them.

Cheers, Edward.

I would love to agree with you, but this is just too easy to exploit and delete all files that the user has permission to. Yes, the flaw will be fixed, but it is still very nasty.

Hickman
 
I make it a general practice not to auto-execute/open/extract anything that's downloaded, whether intentional or accidental. Just safer that way. :) Couldn't this problem be circumvented by simply unchecking the box "Open 'safe' files after downloading" in the General panel of Safari Preferences?
 
Remove the Help Viewer application from your System/Library/CoreServices folder.

Burn it to disk.

And/or change your permissions on the original to "yourname" and NO ACCESS for everything, lock it.

The program will be there, you or anything else can't run it.

Be sure to record the original permissions if you do this.
 
ALoLA said:
I make it a general practice not to auto-execute/open/extract anything that's downloaded, whether intentional or accidental. Just safer that way. :) Couldn't this problem be circumvented by simply unchecking the box "Open 'safe' files after downloading" in the General panel of Safari Preferences?

As already stated: no.
 
Very Serious

This is much more serious than the articles let on. This security vulnerability in MacOS X affects all web browsers. There's a non-malicious example of the seriousness of the problem here:
http://bronosky.com/pub/AppleScript.htm
That just runs a harmless script (/usr/bin/du; exit) which scrolls a bunch of text and looks scary, but it could easily have been a script to wipe your home directory, and you could have had some serious data loss.

To fix the vulnerability, simply navigate to your [MacOS] X drive, go to the Library folder (not the one in your home folder, but the one in the root directory of your HD), and then to the Documentation folder, and rename the folder "Help" to something else (located at /Library/Documentation/Help). This will prevent people from linking to the script runner. This vulnerability is very serious, and doesn't even have to involve downloading a DMG. Once the "Help" folder is renamed, you won't be able to use the Mac Help center anymore, but at least you will not be at risk of having your data wiped by clicking on a link, or visiting a malicious site. DO THIS NOW!!!!!

[Edit] Damn, Marco114 beat me to it... [/Edit]
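The post above and the one that mentions removing or locking Help Viewer describe two host-side workarounds: rename /Library/Documentation/Help so a help: link has nothing to reach, and take away execute access on Help Viewer so it cannot run at all. As an added example that is not code from the thread or from Apple, the following Python audit reports whether either workaround is in place, against a chosen root so it can be run against a test tree as well as against "/". The folder paths are the ones the posts quote; the path of the Help Viewer binary inside the .app bundle is my assumption from the standard bundle layout, and the "example-runner" file in the sample tree is a constructed name, not the real script runner.

```python
"""Added example: check whether the thread's help: URL workarounds are in place."""
import os
import tempfile
from pathlib import Path

HELP_FOLDER = Path("Library/Documentation/Help")              # quoted in the thread
HELP_VIEWER_APP = Path("System/Library/CoreServices/Help Viewer.app")
HELP_VIEWER_BIN = HELP_VIEWER_APP / "Contents/MacOS/Help Viewer"  # assumption: standard bundle layout


def executables_under(folder):
    """List files under `folder` that carry an execute bit for this user."""
    return [p for p in folder.rglob("*") if p.is_file() and os.access(p, os.X_OK)]


def audit_help_handler(root="/"):
    """Report the state of the help: folder and Help Viewer below `root`."""
    root = Path(root)
    help_dir = root / HELP_FOLDER
    viewer = root / HELP_VIEWER_BIN
    report = {
        "help_folder_present": help_dir.is_dir(),
        "help_folder_executables": [
            str(p.relative_to(root)) for p in executables_under(help_dir)
        ] if help_dir.is_dir() else [],
        "help_viewer_present": viewer.is_file(),
        "help_viewer_runnable": viewer.is_file() and os.access(viewer, os.X_OK),
    }
    # A help: link still has something to hit only if both pieces are usable;
    # either workaround on its own breaks the chain.
    report["workaround_applied"] = not (
        report["help_folder_present"] and report["help_viewer_runnable"]
    )
    return report


def build_sample_tree(apply_workaround=False):
    """Constructed test layout mirroring the paths quoted in the thread."""
    root = Path(tempfile.mkdtemp(prefix="helpaudit-"))
    help_dir = root / HELP_FOLDER
    help_dir.mkdir(parents=True)
    runner = help_dir / "example-runner"  # constructed name, not the real file
    runner.write_text("#!/bin/sh\necho demo\n")
    runner.chmod(0o755)
    viewer = root / HELP_VIEWER_BIN
    viewer.parent.mkdir(parents=True)
    viewer.write_text("#!/bin/sh\necho demo\n")
    viewer.chmod(0o755)
    if apply_workaround:
        help_dir.rename(help_dir.with_name("Help.disabled"))  # the rename step
        viewer.chmod(0o000)                                   # the lock step
    return root


if __name__ == "__main__":
    for key, value in audit_help_handler().items():
        print(f"{key}: {value}")
```

The audit only confirms that the workaround is present; it says nothing about whether Apple's fix has been installed, and the "help_folder_executables" list is there so you can see what a help: link could have reached before renaming the folder. Remember to keep the original permissions, as the post about locking Help Viewer advises, so the change can be reversed once a patch ships.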
 
nagromme said:
No. But at least Apple's issues are fewer, and patched quicker

They reported it to Apple 23/02/04. That is HARDLY quick. And it is very serious:

rm -rf /

would be a nightmare.

And security through obscurity is never successful for long. That is why notification to Apple, a VERY QUICK fix from Apple, then publication is a good technique. When 2 months go by without a fix though, publication to force a fix is required, because if one person has found it, others probably have too.
 
Flowbee said:
Yeah... it only took 3 years. :rolleyes:

:rolleyes: Here's some vulnerabilities from 2001 through 2004:
2004-05-12: KAME Racoon Malformed ISAKMP Packet Denial of Service Vulnerability
2004-05-12: Racoon IKE Daemon Unauthorized X.509 Certificate
2004-05-11: Apple Mac OS X TrueBlueEnvironment Local Denial Of Service
2004-05-11: Apache Mod_SSL HTTP Request Remote Denial Of Service
2004-05-08: OpenSSL Denial of Service Vulnerabilities
2004-05-08: Sendmail Prescan() Variant Remote Buffer Overrun
2004-05-05: BSD Kernel ARP Cache Flooding Denial of Service Vulnerability
2004-05-04: Apple Mac OS X AppleFileServer Remote Buffer Overflow
2004-05-04: Apple Mac OS X CoreFoundation Unspecified Large Input
2004-05-03: Apple Mac OS X Server Administration Service Undisclosed Remote Buffer Overflow
2004-05-03: Apple QuickTime Sample-to-Chunk Integer Overflow
2004-04-08: OpenSSL ASN.1 Parsing Vulnerabilities
2004-04-07: Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
2004-04-07: Libxml2 Remote URI Parsing Buffer Overrun Vulnerability
2004-04-06: TCPDump ISAKMP Decoding Routines Denial Of Service
2004-04-06: Apple Mac OS X Mail Undisclosed HTML Handling Vulnerability
2004-04-06: CUPS Unspecified Configuration Vulnerability
2004-03-29: TCPDump Malformed RADIUS Packet Denial Of Service
2004-03-29: TCPDump ISAKMP Decoding Routines Multiple Remote Buffer Overflow
2004-03-26: Multiple Vendor Internet Browser Cookie Path Argument Restriction Bypass Vulnerability
2004-03-09: RSync Daemon Mode Undisclosed Remote Heap Overflow
2004-03-06: Apple Safari Large JavaScript Array Handling Denial Of Service
2004-02-27: Apple Mac OS X Apple Filing Protocol Client Multiple
2004-02-24: Apple QuickTime/Darwin Streaming Server DESCRIBE Request Remote Denial of Service Vulnerability
2004-02-24: Apple Mac OS X PPPD Format String Memory Disclosure
2004-02-24: Multiple Apple Mac OS X Local And Remote Vulnerabilities
2004-01-27: Multiple Apple Mac OS X Operating System Component
2004-01-27: Apple Mac OS X TruBlueEnvironment Local Buffer Overflow
2004-01-20: Sendmail Ruleset Parsing Buffer Overflow Vulnerability
2004-01-12: Multiple Vendor Sun RPC xdr_array Buffer Overflow
2003-12-31: Apple MacOS X SecurityServer Daemon Local Denial Of Service Vulnerability
2003-12-23: Apple QuickTime/Darwin Streaming MP3Broadcaster ID3 Tag Handling Vulnerability
2003-12-22: Unix Shell Redirection Race Condition Vulnerability
2003-12-20: Apple MacOS X ASN.1 Decoding Unspecified Remote Denial Of Service Vulnerability
2003-12-20: Apple MacOS X fs_usage Unspecified Local Privilege Escalation Vulnerability
2003-12-20: Apple MacOS X AppleFileServer Unspecified Vulnerability
2003-12-20: Apple MacOS X DHCP Response Root Compromise Vulnerability
2003-12-20: Apple Mac OS X Panther Screen Effects Locking Latency
2003-12-20: MacOSX CD9660.Util Probe For Mounting Argument Local Buffer Overflow Vulnerability
2003-12-05: Apple Safari Web Browser Null Character Cookie Stealing
2003-12-05: AppleShare IP FTP Server RMD Command Denial Of Service
2003-12-05: OpenSSL Bad Version Oracle Side Channel Attack Vulnerability
2003-12-05: OpenSSL CBC Error Information Leakage Weakness
2003-11-20: Apple Mac OS X Jaguar/Panther Multiple Vulnerabilities
2003-11-19: Apple MacOS X Terminal sudo command Unauthorized Access
2003-11-05: Apple MacOS X Terminal Unspecified Unauthorized Access
2003-10-31: MacOS X Local Root Privilege Elevation Vulnerability
2003-10-29: Apple Mac OS X Multiple Vulnerabilities
2003-10-29: Apple Mac OS X 10.3 Unspecified Apple Quicktime Java
2003-10-28: Apple Mac OS X Insecure File Permissions Vulnerabilities
2003-10-28: Apple Mac OS X Core File Symbolic Link Vulnerability
2003-10-28: MacOS X Long Argv Value Kernel Buffer Overrun Vulnerability
2003-10-04: Multiple Vendor C Library realpath() Off-By-One Buffer Overflow Vulnerability
2003-09-27: Sendmail Address Prescan Memory Corruption Vulnerability
2003-09-23: Ntpd Remote Buffer Overflow Vulnerability
2003-09-04: Apache Web Server Linefeed Memory Allocation Denial Of Service Vulnerability
2003-07-28: MacOS X Third Party Application Screen Effects Password Protection Bypass Vulnerability
2003-07-24: Apple QuickTime/Darwin Streaming Server Script Source Disclosure Vulnerability
2003-07-24: Apple QuickTime/Darwin Streaming Server Directory Traversal
2003-07-24: Apple QuickTime/Darwin Streaming Server view_broadcast.cgi Denial of Service Vulnerability
2003-07-24: Apple QuickTime/Darwin Streaming Server parse_xml.cgi Source Disclosure Vulnerability
2003-07-24: Apple Mac OS X Server Workgroup Manager Undisclosed Insecure Account Creation Vulnerability
2003-07-22: CUPS File Descriptor Leakage Denial Of Service Vulnerability
2003-07-22: CUPS Image Filter Zero Width GIF Memory Corruption
2003-07-22: CUPS strncat() Function Call Buffer Overflow Vulnerability
2003-06-25: Eric S. Raymond Fetchmail Multidrop Mode Email Header Parsing Heap Overflow Vulnerability
2003-06-13: Apple Mac OS X DSIMPORTEXPORT Information Disclosure Weakness
2003-06-10: BSD TCP/IP Broadcast Connection Check Vulnerability
2003-06-09: Apple AFP Server Arbitrary File Corruption Vulnerability
2003-06-09: Apple Mac OS X Server LDAP Authentication Clear Text Passwords Vulnerability
2003-05-23: Apple QuickTime/Darwin Streaming Server QTSSReflector Module Integer Overflow Vulnerability
2003-05-19: Apple MacOS X IPSec Policy By Port Bypass Vulnerability
2003-05-17: Apple Safari Common Name Certificate Validation Vulnerability
2003-05-15: Sudo Password Prompt Heap Overflow Vulnerability
2003-05-12: Apple AirPort Administrative Password Encryption Weakness
2003-05-06: OpenSSL ASN.1 Parsing Error Denial Of Service Vulnerability
2003-05-06: OpenSSL ASCII Representation Of Integers Buffer Overflow
2003-05-06: OpenSSL SSLv3 Session ID Buffer Overflow Vulnerability
2003-04-23: MacOS X DirectoryService Denial Of Service Vulnerability
2003-04-10: Apple MacOS X DropBox Folder Information Disclosure
2003-04-10: Apple MacOS X DirectoryService Privilege Escalation
2003-03-21: Apple Mac OS X Keychain Access Password Disclosure Weakness
2003-03-02: Multiple Vendor Sun RPC LibC TCP Time-Out Denial Of Service
2003-02-28: Apple QuickTime/Darwin Streaming Server parse_xml.cgi File Disclosure Vulnerability
2003-02-26: Apple QuickTime/Darwin Streaming Administration Server Parse_XML.CGI Directory Listing Vulnerability
2003-02-26: Apple Quicktime/Darwin MP3 Broadcaster Filename Buffer Overrun Vulnerability
2003-02-25: Apple MacOS Classic TruBlueEnvironment Environment Variable Privilege Escalation Vulnerability
2003-02-25: Apple File Protocol iDrive Administrator Login Weakness
2002-12-07: Apple Mac OS X Directory Kernel Panic Denial Of Service
2002-12-02: Multiple Vendor IPSec Implementation Denial of Service
2002-09-13: Mac OS X NetInfo Manager Unauthorized Access Vulnerability
2002-07-24: Apple MacOS iDisk Mail.APP Default Configuration Password Disclosure Vulnerability
2002-07-20: MacOS X SoftwareUpdate Arbitrary Package Installation Vulnerability
2002-05-18: MacOS X Sliplogin Buffer Overflow Vulnerability
2002-02-21: Apple MacOS 9 Classic Reverse DNS Lookup DoS Vulnerability
2002-02-08: Apple QuickTime Content-Type Remote Buffer Overflow
2002-01-18: Multiple Vendor FTP glob Expansion Vulnerability
2001-12-29: Apple Mac OS X PPP Authentication Credentials Disclosure
2001-10-31: MacOS 9.2 Local Internet Explorer Helper Application
2001-10-22: MacOS X NetInfo Manager Privilege Escalation Vulnerability
2001-10-09: Apple MacOS X Insecure Default Permissions Vulnerability
2001-09-11: Apple Macintosh OS X FBCIndex File Contents Disclosure
2001-09-11: Apple Macintosh OS X .DS_Store Directory Listing Disclosure
2001-09-04: Apple Mac OS X nidump Password File Disclosure Vulnerability
2001-08-15: Apple Open Firmware Insecure Password Vulnerability
2001-07-09: Windows 2000 Active Directory Authentication Vulnerability
2001-06-28: MacOS Personal Web Sharing Authentication DoS Vulnerability
2001-05-15: MacOS 9 Personal Web Sharing Remote DoS Vulnerability
2001-05-04: Apple MacOS Multiple Users Password Bypass Vulnerability
2001-03-15: rwhod Remote Denial of Service Vulnerability
2001-02-05: Crontab File Disclosure Vulnerability
2001-02-02: Apple Quicktime Plugin Remote Overflow Vulnerability
2001-01-25: FreeBSD ipfw Filtering Evasion Vulnerability

Because no one takes the time to exploit Apple vulnerabilities doesn't mean it's not vulnerable. It means it's benefiting from obscurity. It may have fewer, but if you have 10 and patch them expediently, you're more secure than the one with 2 that doesn't patch for a long time. Unless you believe that, due to obscurity, you don't have to patch quickly. Currently, how secure an OS is is being measured by how fast it is patched once the vulnerability is known. Let's time this one...
 