
jacobj

macrumors 65816
Original poster
Apr 22, 2003
Jersey
The BBC has an article detailing a "serious" flaw in OSX that would allow hackers in.

article

Now I may not understand this fully, but as I read it this says that:

A user can download a file that claims to be, let's say, a JPG, but it is actually an application and that OSX will treat it as an application.

Now my understanding of OSX is that:

1. Unless you have rights to do so you cannot install applications.
2. Even if you are in the admin account it will ask you to confirm that you want to activate the application.

So, if you were expecting a JPG and get an app then on your head be it if you activate it.

How could Apple write an OS that can overcome this? The only other, more secure scenario I can imagine is that the OS checks the code and tells you that it is not particularly nice because of a list of reasons that it considers unwelcome. But that is asking TOO much in my opinion.
 
jacobj said:
Now my understanding of OSX is that:

1. Unless you have rights to do so you cannot install applications.
That part really isn't true. You can download and run programs within your home directory at will. Privileges are only required to install software in shared directories, and to enable programs to run with elevated privileges (for example setuid root).
2. Even if you are in the admin account it will ask you to confirm that you want to activate the application.
That one's not really true either. If you double-click on a document and it would be opened with a new program, you will be asked the first time. You won't be asked if you launch the application itself.
 
... the problem's not just that you download a file and find out it's an application, it's that by visiting a website a file could be forced onto your machine and then run without your intervention. The example given is a script that could delete all the files in your home folder and below. Very worrying!

Also, if you read the articles written by the guy who found this problem, if you download a file with a .jpg extension, it will always display a .jpg icon. However, because it's executable, double-clicking will start the terminal application and run whatever is in the file.

Stu
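The mismatch Stu describes (a .jpg name and icon sitting on top of an executable script) is exactly the kind of thing a download check can test for. The Python below is an added example, not code from the thread or from Apple; it compares a file's extension against its leading bytes and its executable bit on two constructed sample files, and the function names are hypothetical.

```python
import os
import stat
import tempfile

# Leading bytes for image formats that should never carry an executable bit.
# Constructed lookup for this example; extend as needed.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def inspect_download(path):
    """Return a list of findings explaining why a file looks suspicious.

    An empty list means extension, content and permission bits all agree.
    """
    findings = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    mode = os.stat(path).st_mode
    is_exec = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))

    if ext in IMAGE_MAGIC:
        if not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
            findings.append(f"extension {ext} but content is not a {ext} image")
        if is_exec:
            findings.append("image extension with executable bit set")
    if head.startswith(b"#!"):
        findings.append("content begins with a #! interpreter line (script)")
    return findings


def demo():
    """Build two constructed files: a genuine JPEG header and a disguised script."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "photo.jpg")
        with open(real, "wb") as fh:
            fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")  # JFIF header
        fake = os.path.join(d, "photo2.jpg")
        with open(fake, "wb") as fh:
            fh.write(b"#!/bin/sh\necho 'this would run in Terminal'\n")
        os.chmod(fake, 0o755)  # executable bit, as on the disguised script
        results["real"] = inspect_download(real)
        results["fake"] = inspect_download(fake)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or ["clean"])
```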
 
stuartmingay said:
... the problem's not just that you download a file and find out it's an application, it's that by visiting a website a file could be forced onto your machine and then run without your intervention. The example given is a script that could delete all the files in your home folder and below. Very worrying!

Also, if you read the articles written by the guy who found this problem, if you download a file with a .jpg extension, it will always display a .jpg icon. However, because it's executable, double-clicking will start the terminal application and run whatever is in the file.

Stu
Malware masquerading as a .jpg will still be flagged as executable. It is up to the user to ignore the warning, complete the download, and launch the malware. If the user has never launched the Terminal before, one can expect a warning that it is being launched for the first time. In the worst case scenario, there may be reason for serious concern. However, these types of exploits require the cooperation of a sufficiently dense user.
 
MisterMe said:
Malware masquerading as a .jpg will still be flagged as executable. It is up to the user to ignore the warning, complete the download, and launch the malware. If the user has never launched the Terminal before, one can expect a warning that it is being launched for the first time. In the worst case scenario, there may be reason for serious concern. However, these types of exploits require the cooperation of a sufficiently dense user.
This is where much of the Windows malware and viruses come from, but no Mac user ever seems to point that out. Windows just happens to have such a large install base that there are so many more dense users. ;)
 
MisterMe said:
Malware masquerading as a .jpg will still be flagged as executable. It is up to the user to ignore the warning, complete the download, and launch the malware.
Not with the "safe files" vulnerability. Safari is currently willing to believe that the script is not an application.
If the user has never launched the Terminal before, one can expect a warning that it is being launched for the first time.
Unfortunately that isn't happening. I just tested on both a fresh account, and an existing account on which I reset all the first-run warnings via lsregister. There was no prompt.
In the worst case scenario, there may be reason for serious concern. However, these types of exploits require the cooperation of a sufficiently dense user.
In this case, it only requires sufficiently dense bundled software.
 
Because of this type of virus tickling on the Mac platform, I set up a new Admin account while demoting my original Admin to a Standard user. Even though the Mac asks me to enter a password before installing any program, I feel this extra hurdle (i.e. typing in the Admin name and its password) gives me extra security against potential malware in the future.
 
DeathChill said:
This is where much of the Windows malware and viruses come from, but no Mac user ever seems to point that out. Windows just happens to have such a large install base that there are so many more dense users. ;)

However, I don't think that this is a virus either, maybe a worm in the best case scenario, but a worm that still requires user intervention to run it on each machine. This exploit is in an unexpected function of Mac OS X. Many Windows exploits are far more dangerous. The latest one they had with jpgs was that an ACTUAL jpg could contain and execute code. This Mac trojan only references jpgs because a person is most likely to open a jpg. There is no image information at all in the file.
 
jacobj said:
Now I may not understand this fully, but as I read it this says that:

A user can download a file that claims to be, let's say, a JPG, but it is actually an application and that OSX will treat it as an application.

This is not an application. This is a .term script that exploits the fact that most of us log into OSX with an admin account. Then it uses the Terminal. You can watch all of this happening to your Mac if you were to launch the "virus". Everything still must be done above the table and that is thanks to the virtues of UNIX.

It's easy to beat the possibility of this happening:

https://forums.macrumors.com/showthread.php?p=2165460#post2165460
 
The article says:

"The operating system can also be made secure against the loophole by changing some preferences."

What preferences would these be?
 