Safari Security Flaw Reported

[michaellehn]

On my homepage

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/index_us.html

I am hosting an exploit for Safari on Mac OS X. It requires that in Safari the option has to be enabled that allows "secure files" to be lunched automatically. Many users have this option enabled.

In this case it is sufficient that if you click on a link an shell-script is executed. In my example the shell script only prints "Hallo Welt". But it also could send emails or delete the user's home directory.

There will be no warning.

In several German online sites it was reported about my exploit:


http://www.heise.de/newsticker/meldung/69854

http://www.macnews.de/news/74203

http://www.macwelt.de/news/macosx/336525/index.html

best regards from Ulm/Germany,

Michael

 

[liketom]

o dear , whatever next

not too sure what to make of these


"Smithers release the hounds"

 

[gekko513]

That's scary. When did you tell Apple about it?

 

[Benjamindaines]

Hmmm this seems a lot like when there was that widget "virus" then Apple added the warning for downloading widgets.

 

[michaellehn]

That's scary. When did you tell Apple about it?

It is bug #4450856. My last bug has state "open" for almost one year. So I added a note asking them to have a look at my first bug after they are done with the current bug. Ok, this old bug was not critical, just annoying.

About publishing security holes in public. I think after the report of the first "virus" it was just a matter of time that someone would exploit this. It only took me 3 lines for a shell script, 3 tries and at most 15 minutes. Only if such issues are published as fast as possible people are warned. If I would no publish it Mac-user would have the wrong feeling that clicking on links is NOT dangerous. This would be fatal.

About how serious this thing is: The shell script could also delete your home directory and send Emails from your account. If you have the appropriate permissions it could also modify applications.

 

[Benjamindaines]

Loos like UNIX is coming back to bite Apple in the a**, so far all the bug exploits have been with Terminal.

 

[michaellehn]

Here an article in English:

http://www.heise.de/english/newsticker/news/69862

 

[michaellehn]

Loos like UNIX is coming back to bite Apple in the a**, so far all the bug exploits have been with Terminal.

the UNIX part of Mac OS X is the most safest part!

The problem is the part that allows that a downloaded file get automatically executed.

Without the UNIX part there would be holes like in Windows. You just connect to the internet and you get infected. WITHOUT CLICKING OR DOING ANYTHING.

We experience this here every day. And thanks to the UNIX part there soon will switch a legion a Ex-Linux-Geeks to Mac OS. Fixing whatever shows up

 

[After G]

Tried the example on the website. It's kinda scary, because the file has a correct-looking extension even though it opens in terminal.

 

[michaellehn]

Tried the example on the website. It's kinda scary, because the file has a correct-looking extension even though it opens in terminal.

In deed it is scary. So make sure to tell everybody to deactivate this option in Safari! That's the fastest and easiest way to protect yourself.

 

[bousozoku]

Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.

 

[michaellehn]

Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.

Actually many people told me that the option is disabled by default. But on all our Macs it was enabled. And there are controversial reports many claim that it was enabled on recently bought machines.

 

[jsw]

Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Few users are going to doubt the iconic representation of the file. Very few people do a Get Info on everything that's downloaded.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.

Then why, on a fresh install of OS X on my Intellimac, in a new user account, does it open automatically? That link opened Terminal and ran before I could do anything to stop it. Fresh install. New user account.

Actually many people told me that the option is disabled by default. But on all our Macs it was enabled. And there are controversial reports many claim that it was enabled on recently bought machines.

I just installed OS X on my 17" Intel iMac (or, rather, did a reinstall with the disks supplied with it). I see that the exploit works.

Similarly, in a new user account on my PMG5, I see that the exploit works.

So it is definitely not a universal truth that this is disabled.

And, regardless of the default setting... most people will enable it once they discover that they can. And therefore be vulnerable.

 

[longofest]

Loos like UNIX is coming back to bite Apple in the a**, so far all the bug exploits have been with Terminal.

The thats just because thats what programmers know, and thats what's easiest to churn out quickly to make a proof-of-concept. It's not unix that's biting Apple. It's their lack of properly auditing their code.

 

[nagromme]

Not the first flaw nor the last, and I don't see how it would help anyone create a virus or worm--but it would lead to Trojans, and should be patched. Sounds pretty easy for Apple to do.

I've always had Open Safe Files disabled because it annoys me. Sometimes I want to keep the archive, sometimes not, and it annoyed me how the archive would always end up in the trash. I can see how many people would like Open Safe though, and I hope it's patched soon.

I'm pretty sure it IS on by default.

 

[Doctor Q]

I'm pretty sure it IS on by default.

Yes, confirmed. We also confirmed the flaw and the two workarounds.

 

[Warbrain]

I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files. There's just something about the computer doing all that stuff in the background that freaks me out a bit. I also like to have the confirmation that I properly downloaded the file and it opened fine.

But I guess it all works as a security fix, too.

 

[jon_010101]

Ha... I use tcsh as my default shell, so it just poops out after it launches. Still, scary stuff... they will have to change the "open" command to warn against, or simply restrict, shell scripts in order to fix this. The problem is not really with Safari ... it is with the way that OS X launches files in general. It allows you to have a benign-looking file be a shell script in disguise! If a solution isn't presented this week, I will be shocked.

 

[eva01]

I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files. There's just something about the computer doing all that stuff in the background that freaks me out a bit. I also like to have the confirmation that I properly downloaded the file and it opened fine.

But I guess it all works as a security fix, too.

that is what i have always done as well. Can't see why anyone would have it open safe files. Its just asking for trouble if you ask me.

 

[jsw]

Can't see why anyone would have it open safe files.

Since it seems to be the default setup on at least many, if not all, new Macs, it's not surprising that people would be set up that way and - for most users - be unaware that there's even an option to change the way things work.

 

[VL-Tone]

Yeah I know about this one since ToastyX posted an example here https://forums.macrumors.com/threads/181026/. I was a little panicked and didn't know how to handle the situation I replied explaining how dangerous it was. Eventually I edited my replies since I thought it would give bad ideas to hackers.

I was hoping that this was the only place where this vulnerability was disclosed, and that Apple would have time to deal with it before the "news" started to spread.

But it seems that it was already repeated by others.

michaellehn, you seem to say that you discovered this issue (you say "my exploit")

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?

You wrote: I think after the report of the first "virus" it was just a matter of time that someone would exploit this.

Well it will happen if you tell hackers about the exploit! Was this known before?

I guess that one thing could indicate it was the "right" decision to disclose the issue to the public as quickly as possible.

That thing is: It looks like the Leap-A author knew about this bug... Why do I think that? The author seems to have specifically avoided to trigger the exploit: The file is in a format that Safari cannot decompress (.tar) so it gives a warning, and doesn't execute because of that.

So tell me why the author didn't try the least detectable option: putting it in a .zip? Because it would have triggered this exploit... So I guess the Leap-A author is a "friendly" hacker that wanted to warn us without doing too much damage.

Here's an interesting idea, add this line to your benign exploit:

defaults write com.apple.Safari AutoOpenSafeDownloads 0

This will turn off that maligned option in Safari automatically!

 

[GeeYouEye]

Well that's a bit more than quite disturbing. Much more so than Oompa or Inqtana. Apple needs to fix this, and quickly.

 

[bousozoku]

...
Then why, on a fresh install of OS X on my Intellimac, in a new user account, does it open automatically? That link opened Terminal and ran before I could do anything to stop it. Fresh install. New user account.
...

I'd like to know, as well. I just checked Safari, which I don't use, and it was wide open. It also bothers me that Apple ships Mac OS X without the firewall enabled.

 

[odedia]

Guys, use firefox, their bigger user base promises faster revealing of problems and faster fixes.

As a Hebrew reader, I can confirm that Safari has terrible problems with displaying right-to-left layouts (like it has terrible support for any right-to-left feature in any piece of software, including iWork), and therefore the pages look weird and not like the developer intended. However, using firefox (or Opera) fixes all that without a problem.

Mac Os X still has a long way to go in universal compatibility. I'm afraid Microsoft are way ahead of them in that department.

Oded S.

 

[Nermal]

Interesting, I have Ventrilo Server running in a terminal 24/7, and that seemed to prevent execution of the script. It brought Ventrilo to the front, but didn't print the "hack" message.