ITASOR said:
Apple shouldn't have the open "safe" files in the first place, that's just asking for trouble.

That's not true. It just means that the idea of what a "safe" file is needs to be re-evaluated.
 
if the exploit also works with Mail, would it not be possible to make a mass-mailing worm?

  • user downloads latestpics.zip
  • browser unpacks and runs script.
  • script mails itself with UNIX to Address Book contacts, and infects what it feels like.
  • contact gets benign looking email with image attached.
  • image is opened...

gunnmjk said:
That's not true. It just means that the idea of what a "safe" file is needs to be re-evaluated.

indeed. I still want Safari to unpack archives and mount disk images I download automatically, assuming they really are archives and disk images.
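The check implied by "assuming they really are archives and disk images", as an added example that is not part of the original posts: a Python sketch that compares the leading bytes of each zip member with what its extension claims. The function names, verdict strings and sample archive are constructed for illustration, and the code inspects file content only; it does not model how Safari or the Finder picks the application that opens a file.

```python
import io
import zipfile

# Leading bytes of a few types a browser might treat as "safe" (illustrative subset).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}


def audit_archive(data):
    """Return {member name: verdict} for a zip archive supplied as bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return {"<archive>": "not a zip archive"}
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(16)
            _, dot, ext = info.filename.rpartition(".")
            ext = (dot + ext).lower() if dot else ""
            if head.startswith(b"#!"):
                verdicts[info.filename] = "script"  # never auto-open
            elif ext not in MAGIC:
                verdicts[info.filename] = "unknown type"  # ask the user
            elif head.startswith(MAGIC[ext]):
                verdicts[info.filename] = "matches extension"
            else:
                verdicts[info.filename] = "content does not match extension"
    return verdicts


def constructed_sample():
    """Build a small in-memory archive; every member is constructed for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("sunset.jpg", b"#!/bin/sh\necho 'Hallo Welt'\n")
        zf.writestr("chart.png", b"plain text, not a PNG")
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()
```

Calling `audit_archive(constructed_sample())` returns one verdict per member; only `beach.jpg` comes back as matching its extension.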
 
lexfuzo said:
Yes, the most important thing is to keep your eyes open. Antivirus - maybe, but don't rely on it blindly.
It is about time that even Mac-users start developing some consciousness for security issues.

Okay, this is "Blonde Treading Mac-Water" checking in with some VERY basic questions (after having read several news articles and all the posts in this thread about the Safari flaw).

When I bought my iBook G4/v.10.3.9 (Jan. 05), the "open safe files" option was unchecked. I only checked it after an Apple staffer recommended it in response to my confusion -- when I would download known software and files I was confronted with an on-screen challenge saying something along the lines of "Where do you want to put this? What application do you want to open it with? Ya-da, ya-da."

The Safari "download safe files" option is UNchecked now, due to the latest news. However, I *still* don't know how to handle the on-screen challenge. I didn't know then, I don't know now. My questions:

1) How am I supposed to know what thingamy opens another thingamy and where something properly belongs when it's generated by a source other than myself?

2) With the aforementioned option unchecked, can I expect to see the challenge even when accepting updates from Apple?

[As much as I like my G4, I regard it with the same affection and attitude I have for a favorite hammer or my car: it's a tool. I don't want to build, re-build, or re-design the tool. I will maintain the tool and use it appropriately, keep up its certificates and licences, but I don't want to know the provenance of the wood in the hammer's handle or who attached my car's boot. All of which leads to my third and final question....]

3) Is there any hope for an ordinary, everyday Mac'er to just operate/use computing without being either a Luddite or an Uber-programmer?

:::sigh of slight discouragement:::
 
some ideas for apple...

anyone know how to lock down os x so applications and scripts can only EXECUTE/RUN from certain folders?

maybe there is a configuration file for this...

Mac OS X should prompt whether you want to download the file and where to save it, then if that save location does not permit execution of applications or scripts you would get a warning saying that the app/script you are trying to run cannot run because it is not allowed from this location.

Basically a container for downloaded files that can be used to determine what the file is by watching the system calls. I would imagine that all applications have a common system call that is not shared by generic files, and the same goes for scripts.

This would give a heads up to the user...
 
mcgarry said:
The most interesting point in the article:
Apple is developing a patch for the flaw, a company representative told CNET News.com. "We're working on a fix so that this doesn't become something that could affect customers," the representative said, but could not give a delivery date for the update.
Meanwhile, here are some tips from Apple on safe practices in general, from last year.
 
Simple solution

This problem isn't only related to Safari, but to the fact that a program (script, etc.) can be launched without the user being warned about the risks. I don't think limiting programs to be launched from specific folders would really help or be a nice and simple solution.

The best solution, to me, would be that every time something is launched that was never launched before, then the user should be warned. OS X already has a system for this, it only needs to be more extensive (warn for shell scripts, AppleScripts, etc. as well), and provide more info: the name of the executable, where it is, who is the author, etc. so that we can make sure we trust the executable.

Of course, shell scripts called from command line by the user in the Terminal shouldn't be subject to that, since users calling commands from the Terminal should know what they do, but double-clicked or Safari opened programs should.
 
It's weird. My Mac came in today. Saw the flaw. Disabled the safe file option. Then tried to download Yahoo Messenger, it showed it like this on my desktop: ymsgr_2.5.3-osx_install.bin. When I double clicked it, it didn't know what application to use. When I downloaded it with the option checked, it showed the install GUI. Is there a way to install it without the option checked?
 
ChampD1012 said:
Then tried to download Yahoo Messenger, it showed it like this on my desktop: ymsgr_2.5.3-osx_install.bin,
The .bin extension normally points to a need for Stuffit Expander (or some other program that can decode Binhex).
 
Was this BUG KNOWN TO APPLE !?!?!?!

My bug has state "duplicate":

[Attached image: bugreport.png]

So did Apple already know about it??
 
latourfl said:
The best solution, to me, would be that every time something is launched that was never launched before, then the user should be warned. OS X already has a system for this, it only needs to be more extensive (warn for shell scripts, AppleScripts, etc. as well), and provide more info: the name of the executable, where it is, who is the author, etc. so that we can make sure we trust the executable.

sounds like a good idea, one I think could work as long as it's possible to make sure the executable is unique. I see an issue if it's possible for the executable to claim to be another application, as in, the executable tells the computer it's iTunes, so it runs without warning...
 
twitsami said:
sounds like a good idea, one I think could work as long as it's possible to make sure the executable is unique. I see an issue if it's possible for the executable to claim to be another application, as in, the executable tells the computer it's iTunes, so it runs without warning...

Well, I sure hope this problem is taken care of in Keychain Access! It seems it does:

apple.com said:
The trusted application list is actually a list of trusted application objects (objects with the opaque type SecTrustedApplicationRef). In addition to serving as a reference to the application, a trusted application object includes data that uniquely identifies the application, such as a cryptographic hash. The system can use this data to verify that the application has not been altered since the trusted application object was created. For example, when a trusted application requests access to an item in the keychain, the system checks this data before granting access.

http://developer.apple.com/document...pts/index.html#//apple_ref/doc/uid/TP30000897
 
BlueRevolution said:
if the exploit also works with Mail, would it not be possible to make a mass-mailing worm?

It's possible to make a nice little spam zombie (for example, an SMTP relay on a nonstandard port) out of a Mac with this one, because by default the firewall is not enabled.
 
latourfl said:
Well, I sure hope this problem is taken care of in Keychain Access! It seems it does:

http://developer.apple.com/document...pts/index.html#//apple_ref/doc/uid/TP30000897

Hmm, that's more about how applications are allowed access to the keychain, i.e. how it's allowed to access your stored password... however it will not warn you about running a program which does not use keychains. I don't believe iTunes uses keychains, so it will not give a warning... I know Photoshop and the like don't use keychains, and why would they... when those programs are updated you are never warned that the application was never run, because according to the system, everything is there to say it was, i.e. application data, preference files, etc...
 
Here's how to inoculate:

Open application Terminal, usually located in Applications/Utilities

From the Terminal menu, select Preferences...

Select button Execute this command (specify complete path):

type into this field: login

Close window, quit Terminal.

You are now safe from this particular exploit. (OS 10.3.9 verified)

Can someone confirm on 10.4?
 
It's a simple .term launch exploit. It's all above the radar and you can watch it happening.

This -- and the related iChat "vuln" -- is simply taking advantage of the fact that most of us run from an admin account. Then it launches a .term script and that's that.

We can also cut off the chance for the auto-launch of .term scripts by changing the default .term App to something like Chess (which I did).

Also, with Leap-A and relatives, the replication within application packages happens after the script runs a search for existing virus code. So one could simply insert dummy files with this code's name on it and prevent the spread. This reminds me of the Classic OS days where you could easily block a particular virus -- was it scores? -- by creating an invisible file in the System Folder with the same file name the virus generates, thus making it impossible for the virus to implant.
 
michaellehn said:
On my homepage

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/index_us.html

I am hosting an exploit for Safari on Mac OS X. It requires that in Safari the option has to be enabled that allows "secure files" to be launched automatically. Many users have this option enabled.

In this case it is sufficient to click on a link for a shell script to be executed. In my example the shell script only prints "Hallo Welt". But it also could send emails or delete the user's home directory.

There will be no warning.

Several German online sites have reported on my exploit:


http://www.heise.de/newsticker/meldung/69854

http://www.macnews.de/news/74203

http://www.macwelt.de/news/macosx/336525/index.html

best regards from Ulm/Germany,

Michael


You're famous now:

http://news.bbc.co.uk/1/hi/technology/4739432.stm

So far, no net-based exploits of the bug are known to be in existence

The risk to users from the virus is almost non-existent

Non existent eh? why all the fuss then?
 
MacSA said:
You're famous now:

http://news.bbc.co.uk/1/hi/technology/4739432.stm

So far, no net-based exploits of the bug are known to be in existence

The risk to users from the virus is almost non-existent

Non existent eh? why all the fuss then?

It is not existing because of all the fuss. That's why I published it.

That's the way security flaws are treated in Linux. Tell people about it and tell how to protect from it. That's the fastest fix.

Microsoft goes the way: Don't tell anybody and hope nobody will notice it till the next patch day. Or they don't care and leave it to the Anti-Virus companies.
 
twitsami said:
Hmm, that's more about how applications are allowed access to the keychain, i.e. how it's allowed to access your stored password...


Well I was pointing to this as a mechanism as one that could be used to make sure an executable is unique, to answer your concern. Sure, the concept of Keychain specifically is unrelated, but the mechanism for making sure your executable is secure and unaltered is the same.
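The mechanism discussed above (warn on first launch, and identify the executable by a cryptographic hash rather than by the name it claims), as an added example that is not from the thread or from Apple: a Python sketch of a hypothetical approval list keyed by SHA-256. The class, helper names and file contents are constructed for illustration and do not use the Keychain Services API.

```python
import hashlib
import os
import tempfile


class LaunchApprovals:
    """Hypothetical first-launch approval list keyed by content hash, not by name."""

    def __init__(self):
        self._approved = set()  # SHA-256 hex digests the user has approved

    @staticmethod
    def digest(path):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()

    def approve(self, path):
        self._approved.add(self.digest(path))

    def needs_prompt(self, path):
        # The file name and location are never consulted, only the bytes.
        return self.digest(path) not in self._approved


def write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    # Prompt decisions for four constructed launch attempts.
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "iTunes")
        write(genuine, b"constructed bytes standing in for the genuine program")
        store = LaunchApprovals()
        results = {"first launch": store.needs_prompt(genuine)}
        store.approve(genuine)
        results["second launch"] = store.needs_prompt(genuine)
        # Different bytes under the same name, in another folder.
        os.mkdir(os.path.join(tmp, "Downloads"))
        impostor = os.path.join(tmp, "Downloads", "iTunes")
        write(impostor, b"constructed bytes standing in for a look-alike")
        results["same name, other bytes"] = store.needs_prompt(impostor)
        # The approved file altered in place after approval.
        write(genuine, b"constructed bytes, altered after approval")
        results["altered after approval"] = store.needs_prompt(genuine)
        return results
```

`demo()` returns `True` wherever the user would be warned: the look-alike named `iTunes` still prompts, and so does the approved file once its bytes change, which is also what a legitimate update would trigger.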
 
I'm late into this thread... but anyway, I disabled open "safe" files in my Safari preferences, so I'm safe. I also took that online test that was posted and Quicktime couldn't open the file because it was not a recognized format, so I guess that means I'm safe. :)

My dad even called me "David, turn off my Safari! This new virus thing is all over the news!" You have to love the news... :rolleyes: But I made sure his iMac G5 was safe and the option was already disabled. :)
 