Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Multiple Security Vulerabilities Found In Apple's Disk Image Software

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,561
13,187
https://www.macrumors.com/images/macrumorsthreadlogodarkd.png

The "Month of Kernel Bugs" project has found two unpatched security vulnerabilities in the way Mac OS X handles .dmg files.

The first vulnerability, rated "highly critical" by security-firm Secunia, can lead to privilege escalation, denial of service, and system access by a remote user (if Safari's open "safe" files option is checked).

The second issue is similar in nature, in that a corrupted UDTO HFS+ .dmg (ex. bad sectors) can lead to a denial of service condition.

A workaround for both issues is to disable Safari's option to open "safe" files after downloading, and to not open any .dmg file from a source you do not trust.

The latest findings increase the total to four security bugs found in Apple's software since the beginning of the project this month (See also: Airport Driver Exploit , fpathconf() Exploit ). The project has also targeted Windows, Linux, and other popular BSD distributions, with a stated goal to "check how many unreported and unknown issues can be found in kernel code out there, using simple, yet effective tools deploying techniques such as fuzzing and 'stress testing'."
 

longofest

Editor emeritus
Jul 10, 2003
2,863
1,469
Falls Church, VA
Hey guys... didn't post this as FUD... just wanted to get the word out on the vulnerabilities, and to make sure everyone has that option disabled in Safari.
 
Comment

longofest

Editor emeritus
Jul 10, 2003
2,863
1,469
Falls Church, VA
Can someone translate this for the layman?

Sorry about that... these security things can be a bit tech-heavy.

Both vulnerabilities can potentially allow someone to post a disk image (like what you download software on) on a website and craft it in such a way that they could remotely take over your computer. Since some pages can even be written so that you don't even have to click on a link to download a file, it is even more sinister since you may not even think you have downloaded the file.

In order to mitigate the risk until Apple posts a patch, you should either use another browser other than Safari, or go into Safari's preferences and turn off "automatically open safe files" option. Also, don't open any .dmg files that you don't trust.
 
Comment

x86isslow

macrumors 6502a
Aug 10, 2003
889
10
USA
Is this only relevant for people who use Safari? I have similar auto-run operations in Adium (Accept Safe Files from Buddies) and Camino (Open safe files).
 
Comment

k2k koos

macrumors 6502a
Good!

I'm glad there are people that do the right thing with what they find, report it so that the software companies can improve their code. No one will claim that
Apple's software is flawless, but it is very very solid. I wonder what they found in the Windows and Linux OS's. Probably a thing or two too.
 
Comment

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
Is this only relevant for people who use Safari? I have similar auto-run operations in Adium (Accept Safe Files from Buddies) and Camino (Open safe files).

No it is not related to Safari.

It is related to opening a malicious disk image, which as you point out can automatically be opened by various pieces of software that are used to download or transmit files.
 
Comment

Analog Kid

macrumors 603
Mar 4, 2003
5,687
4,277
Interesting that there's only one Windows flaw listed and a bunch of OS X and Linux bugs. Is that because of audience?
 
Comment

swingerofbirch

macrumors 68040
Is this why Apple lists safe in quotations marks, as to suggest sarcasm? lol......
 

Attachments

  • Picture 1444.png
    Picture 1444.png
    84.8 KB · Views: 225
Comment

BlueRevolution

macrumors 603
Jul 26, 2004
6,054
2
Montreal, QC
Yeah, "safe" files are always a little suspect. If Apple would just have decent validation in place we'd be fine. It would also be nice to have some sort of intelligent system that can recognise files disguised as other files (shell scripts as JPEGs, for instance).

Is this only relevant for people who use Safari? I have similar auto-run operations in Adium (Accept Safe Files from Buddies) and Camino (Open safe files).

I wouldn't trust anything that says open safe files, but Adium's accept safe files should be okay. I leave it on because I'm not always around when people send me things, although it leads to those "you accepted the file, I know you're there" moments that are always slightly awkward.
 
Comment

Counterfit

macrumors G3
Aug 20, 2003
8,195
0
sitting on your shoulder
I'm glad there are people that do the right thing with what they find, report it so that the software companies can improve their code.
I hope they reported it to Apple before releasing the info to the general public.
No one will claim that Apple's software is flawless, but it is very very solid. I wonder what they found in the Windows and Linux OS's. Probably a thing or two too.

Careful with the return button. ;)
Analog Kid said:
Interesting that there's only one Windows flaw listed and a bunch of OS X and Linux bugs. Is that because of audience?
Probably. They couldn't possibly only have found one bug in Windows in the span of a month.
 
Comment

Westside guy

macrumors 603
Oct 15, 2003
5,771
2,968
The soggy side of the Pacific NW
I hope they reported it to Apple before releasing the info to the general public.

HAHAHAHAHAHAHAHA!!! Oh wait, like a responsible person you figured these guys were behaving responsibly - but they're not. They're grandstanding. They are probably not particularly interested in helping security, whatever they say they're doing - they're just trying to get some "me too" hacker cred (following the lead of the "month of browser exploits" project from a while back).

Their seems to be an element of resentment towards OS X among some of the Linux crowd because it's getting a lot of traction in, of all things, the Linux crowd. :) I suspect that has played a part in what bugs they've chosen to start off with.

Note that I'm not saying these aren't significant security issues - they most certainly are.
 
Comment

FFTT

macrumors 68030
Apr 17, 2004
2,952
1
A Stoned Throw From Ground Zero
This vulnerability would mostly affect those downloading .dmg installers
from unknown sources on P2P networks.

In that situation anyone can mis-label malware as a desirable application
just waiting for you to drop your guard.

It's quite simple really , if you're dowloading an application from an unknown
source and you authorize the installation of that application with your administrative password or drag install the application while logged on as administrator, you're asking for it.
 
Comment

crees!

macrumors 68000
Jun 14, 2003
1,921
29
MD/VA/DC
Hey guys... didn't post this as FUD... just wanted to get the word out on the vulnerabilities, and to make sure everyone has that option disabled in Safari.

Multiple Security Vulerabilities Found In Apple's Disk Image Software
Multiple? I only read 2 regarding disk images. Multiple makes me think like 7 or something.
 
Comment

PODshady

macrumors member
Oct 23, 2006
81
1
St Louis
Hey guys... didn't post this as FUD... just wanted to get the word out on the vulnerabilities, and to make sure everyone has that option disabled in Safari.

Yeah... I have it disabled in Safari anyway because I find it very annoying when I have a ton of downloads going at once and then screens pop up opening the files... it is very distracting and gets in the way when I am doing other work while the files download.
 
Comment

whooleytoo

macrumors 604
Aug 2, 2002
6,585
674
Cork, Ireland.
It's quite simple really , if you're dowloading an application from an unknown
source and you authorize the installation of that application with your administrative password or drag install the application while logged on as administrator, you're asking for it.

Define an "unknnown source". Does that mean you'll never download any shareware/freeware again? Hell, even Apple shipped iPods with viruses on them. The point is, you just don't know if/when/where you're safe.

Which is why I've always thought the usual "you can't engineer for stupid users" is an easy, lazy cop-out.
 
Comment

mkrishnan

Moderator emeritus
Jan 9, 2004
29,776
12
Grand Rapids, MI, USA
Good find. This is definitely good information. Hopefully it will allow Apple to continue to improve its security performance by patching these and also identifying any underlying common elements in how it handles disk images.
 
Comment

pjo

macrumors regular
Feb 20, 2006
124
1
Interesting that there's only one Windows flaw listed and a bunch of OS X and Linux bugs. Is that because of audience?

Probably. They couldn't possibly only have found one bug in Windows in the span of a month.

Looking at the actual advisories, and exploits, I'd say no. Most of their advisories deal with "incorrect handling of corrupt data structures" in one filesystem or another (yes the dmg file can be regarded as a filesystem). This would point more to a somewhat common coding error that has been carried on through Linux, FreeBSD and hence OS X than to a witch hunt.

If they listed say, lots of buffer (over/under)flows, then maybe you could say they're targeting UN*X based OSes... given that most Windows flaws come from unchecked buffers AFAIK.
 
Comment

FFTT

macrumors 68030
Apr 17, 2004
2,952
1
A Stoned Throw From Ground Zero
Define an "unknnown source". Does that mean you'll never download any shareware/freeware again? Hell, even Apple shipped iPods with viruses on them. The point is, you just don't know if/when/where you're safe.

Which is why I've always thought the usual "you can't engineer for stupid users" is an easy, lazy cop-out.

Generally you're pretty safe downloading from the software developer, Version Tracker, MacUpdate and so on.

It's when people download questionable applications from P2P servers, that
they put themselves at risk.

If something is asking for your administrative password, hopefully you know where it came from.
 
Comment

rahrens

macrumors member
Sep 21, 2006
83
0
People's Republic Of Maryland
not new fix

There was a vulnerability, much publicized at the time, regarding Safari and Widgets, the fix for which was to uncheck that same box, disallowing the automatic opening of downloaded files.

Savvy Mac users have kept that check box unchecked ever since...

These may be new vulnerabilities, but they aren't as dangerous because of the earlier bug - at least for folks paying attention!

And yes, you are right, this is a grandstanding event, this month these guys are supposed to be releasing a vulnerability a day all month, and yeah, the first bug they released was about the Mac! Their initial statement was that manufacturers have been notified, but didn't specify just when, IIRC.
 
Comment

whooleytoo

macrumors 604
Aug 2, 2002
6,585
674
Cork, Ireland.
Generally you're pretty safe downloading from the software developer, Version Tracker, MacUpdate and so on.

Generally, you may be; but you just don't know. If the writer of a piece of malware (spyware in particular) is subtle enough in his methods, it would be very difficult to know if your machine is compromised or not; and hence it's difficult to know which sources are trustworthy or not.

Note, I'm not saying there's a lot of Mac spyware out there, just that our security is based too much on (in my opinion, unwarranted) trust.
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.