p0intblank said:
I'm late into this thread... but anyway, I disabled open "safe" files in my Safari preferences, so I'm safe. I also took that online test that was posted and Quicktime couldn't open the file because it was not a recognized format, so I guess that means I'm safe. :)

My dad even called me "David, turn off my Safari! This new virus thing is all over the news!" You have to love the news... :rolleyes: But I made sure his iMac G5 was safe and the option was already disabled. :)

That's all fine, but even with Safari protected, the underlying vuln still lurks in Terminal.
 
One

michaellehn said:
My bug has state "duplicate":

bugreport.png

So did Apple already know about it??

.... BUT DO NOT FORGET .....

bugreport2.png
 
But...

Does deleting or compressing "terminal.app" protect in case something gets past Safari (assuming the user doesn't need it)?

I'm lost on Unix so maybe I am missing something.

Thanks
 
jghMac said:
Does deleting or compressing "terminal.app" protect in case something gets past Safari (assuming the user doesn't need it)?

I'm lost on Unix so maybe I am missing something.

Thanks
The script, as I've seen it, requires Terminal to be able to open documents, so if you put it in a situation where it couldn't do that - by deleting it, by putting it on an unmounted disk image, by compressing it, or by running in a limited account with no access privileges to the Terminal application - then you would be safe.

Sounds a little drastic, though - my own tests tonight indicated that the exploit was easily disrupted by just renaming or moving the Terminal application, or by requiring a login prompt on Terminal's startup.
 
michaellehn said:
My bug has state "duplicate":

bugreport.png

So did Apple already know about it??

This is answered earlier in this thread -- the user VL-Tone saw an example of the exact same vulnerability posted (by ToastyX) on Feb. 17. VL-Tone reported it to Apple shortly afterward:

VL-Tone said:
michaellehn, you seem to say that you discovered this issue (you say "my exploit")

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?

So that would explain why your bug report was flagged as "duplicate."
 
jamiec said:
This is answered earlier in this thread -- the user VL-Tone saw an example of the exact same vulnerability posted (by ToastyX) on Feb. 17. VL-Tone reported it to Apple shortly afterward:

So that would explain why your bug report was flagged as "duplicate."

Thanks!
 
VL-Tone said:
Yeah I know about this one since ToastyX posted an example here https://forums.macrumors.com/threads/181026/. I was a little panicked and didn't know how to handle the situation. I replied explaining how dangerous it was. Eventually I edited my replies since I thought it would give bad ideas to hackers.

I was hoping that this was the only place where this vulnerability was disclosed, and that Apple would have time to deal with it before the "news" started to spread.

But it seems that it was already repeated by others.

michaellehn, you seem to say that you discovered this issue (you say "my exploit")

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?

Well, I call it my exploit because I didn't know about any other exploit.

VL-Tone said:
You wrote: I think after the report of the first "virus" it was just a matter of time that someone would exploit this.

Well it will happen if you tell hackers about the exploit! Was this known before?

So that's your opinion. Here is mine:

I will never give a company even the choice to keep a security flaw secret. BUT maybe I should have given them more time.

BUT
1) It is easy to reproduce and to modify my exploit into a serious problem
2) It is easy to protect yourself from it

So in my opinion telling people was the cheapest and fastest solution.

I published it and I took care that this news gets spread fast.

Even if somebody would abuse the exploit I do not think that it could spread far. People are too careful now.

Anyway would it be better to wait until an AVC (Anti-Virus-Company) makes profit out of it? Mac OS X does not need such stuff!
 
lexfuzo said:
It's neither a problem of Safari nor of Mail.
It's a flaw or at least an unwanted side-effect of OS X itself.
There is only one solution:
Don't ever open a file blindly if you don't know already what it is.
Check the file with Get Info and in Terminal:
`file filename` will give you more information about the file's type.

At the very least, it's a bad idea for Apple to have Safari default to opening "safe" files automatically (or at the very least be WAY more conservative about which files are safe). With this setting, the user doesn't even have to open a file manually, they just have to click on a link.
 
Passante said:
If a basic user does not need to run terminal can the application be deleted without harm to the system?:confused:

I wouldn't go that far... but you can ZIP it without harm to the system. At the Apple Stores, the Terminal is compressed in SITX format with a password placed on it. Makes it so you can't play with the system. :D:rolleyes:
 
pseudobrit said:
I thought about this also.

I would simply compress it with Stuffit rather than delete.

How about removing the read/execute access?

Another idea would be if OS X could lower admin privileges to non-admin status when opening files downloaded from safari (or execute in lower admin privileges when in certain folders in case you are running as admin).

Expanding the warning system when an app/script opens for the first time is a good idea as well, but I would love to be able to prevent certain folders from executing an app/script as well. OS X should also monitor system calls from specific folders; that way it could predict malicious behavior and prevent that app/script from having write access.

Hopefully Apple will implement this along w/ other ideas.

Then again it all comes down to meta data, I really did like creator types... Damn extensions... Oh, and by switching to Intel things will get worse. hackers are much more experienced w/ x86 plus each register can be executable on x86 leading to overflows....
 
Yeah it was Apple's biggest mistake switching to Intel. IBM are bringing out a new range of CPUs which are powerful and are stable in the performance-per-watt section.
 
wasimyaqoob said:
Yeah it was Apple's biggest mistake switching to Intel. IBM are bringing out a new range of CPUs which are powerful and are stable in the performance-per-watt section.
Didn't we hear the same thing about the G5 a few years back? :rolleyes:
 
MacNut said:
Didn't we hear the same thing about the G5 a few years back? :rolleyes:

Nothing is stopping Apple from having PPC and x86 lines... Universal Binaries take care of that.
 
michaellehn said:
Indeed it is scary. So make sure to tell everybody to deactivate this option in Safari! That's the fastest and easiest way to protect yourself.

How do we go about doing that?
 
Thanks MM. I'm surprised that Apple did not disable the option in Safari that permits downloads to execute without first asking the admin or user for permission. Having that option enabled by default is a big-time security risk. Apple should have known that. Oh well, everyone makes mistakes; at least now we know.
 
Why don't they just make it so that you need to enter your admin password every time you open the Terminal. It would only be slightly inconvenient...
 
About a month ago I created a new admin user and switched my user to standard. It's really easy to do in System Preferences and hardly affects the way I use my Mac. The most noticeable difference has been entering an admin user name and password when I wanted to mess with the Applications folder. Now I use my user Applications folder for little things I want to try out that I usually don't find a use for and end up deleting anyway.

Even before then I turned off Safari's "open safe files" preference.

This thing is a lock box as far as I'm concerned.
 
There was an Automator fix for this; I forgot where the site was, and I myself don't have it installed (but I installed it on my friends' so they don't get anything bad).

I can recall what it does:

Using Automator, it makes an application that is named Terminal.app; you rename the old (and original) Terminal to .Terminal.app (with the . at the beginning).

When a script launches the (automator) Terminal.app it asks if you would like to open the (original) Terminal app, and if you click yes, then it opens the real one.

:p
 
Leondunkleyc said:
I have file extensions enabled in my finder and yet the test file still showed up as .mov, does anyone know why that might be?

Same with me. And when I opened it, I still got the HALLO WELT.

Which is still scary. Even if you don't have "Open secure files after downloading," you'll still unwittingly open that .mov or .doc or completely legitimate file you just downloaded, and then you're @*$%ed.
 
Leondunkleyc said:
I have file extensions enabled in my finder and yet the test file still showed up as .mov, does anyone know why that might be?
That's the real security flaw. OS X relies on accurate file extensions to determine what is "safe" -- but in fact, so do we (the human users). Just turning off auto-open safe files in Safari prefs doesn't help if the file still looks completely harmless on the Desktop.

A system that requires a "Get Info" on every download doesn't qualify as safe in my book -- although this does seem to work. The example exploit at the top of this thread is, in fact, listed as "Kind: Terminal Document" in the Info window. But expecting any user to do this every time is silly: power users "won't have time" and retail users may not understand the issue.


Ender at Eros said:
Using Automator it makes an Application that is named Terminal.app, you rename the old (and original) terminal to .Terminal.app (with the . at the beginning).

When a script launches the (automator) Terminal.app it asks if you would like to open the (original) Terminal app, and if you click yes, then it opens the real one.
This sounds like a good idea, but it's not clear to me how one gets the file itself to open in Terminal automatically. Which is to say, it's easy to rename Terminal, create a script to ask whether to open Terminal, and then launch Terminal, but then what?

You'd have to File --> Open... the file from within Terminal, I guess?

The best solution would be one that checks the extension that the file displays against the "Kind" of file it is. If the file wants its visible name to end in a .xxx that looks like it isn't executable, when the "Kind" is, then we should get a warning of some sort.
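Both lexfuzo's advice (check the real type with `file` before opening a download) and the check Leondunkleyc asks for (compare the extension a file shows with the kind of file it actually is) can be scripted. The following is an added example, not code from this thread or from Apple: it re-implements a small subset of what `file` does with a hand-picked magic-number table (an assumption: the table is nowhere near exhaustive), recognises a shell script by its `#!` line and a Terminal document by the ExecutionString key in its plist (the .term sample is a constructed approximation of the Tiger-era format), and reports whether the name and the bytes agree. The sample downloads, including the "HALLO WELT" script wearing a .mov name, are constructed here.

```python
"""Compare a download's visible extension with what its bytes actually are.

Added example, not code from the thread. Assumptions: MAGIC is a small
hand-picked subset of what `file` knows, and TERMINAL_DOC is a constructed
approximation of a Tiger-era .term plist (WindowSettings carrying an
ExecutionString).
"""
import os

# (offset, signature, coarse kind). Constructed subset; extend as needed.
MAGIC = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"GIF8", "gif"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),   # OLE2 container (Word 97-2004)
    (0, b"\xca\xfe\xba\xbe", "macho"),                 # universal (fat) Mach-O binary
    (0, b"\xfe\xed\xfa\xce", "macho"),                 # 32-bit Mach-O, big-endian
    (0, b"\xce\xfa\xed\xfe", "macho"),                 # 32-bit Mach-O, little-endian
]
# QuickTime / ISO media files start with a 4-byte atom size, then the atom type.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}

# Extensions under which each executable kind is honestly labelled.
EXECUTABLE_KINDS = {
    "script": {"sh", "command", "pl", "py"},
    "terminal-doc": {"term"},
    "macho": {"", "app"},
}
EXT_ALIASES = {"jpeg": "jpg", "qt": "mov", "mp4": "mov", "m4v": "mov", "docx": "zip"}


def sniff(data):
    """Classify content by its bytes: 'script', 'terminal-doc', a MAGIC kind, 'mov', or 'unknown'."""
    if data.startswith(b"#!"):
        return "script"
    head = data[:4096]
    if b"<plist" in head and b"<key>ExecutionString</key>" in data:
        return "terminal-doc"
    for offset, sig, kind in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return kind
    if len(data) >= 8 and data[4:8] in QT_ATOMS:
        return "mov"
    return "unknown"


def check(name, data):
    """Return (normalised extension, sniffed kind, verdict) for one file."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    ext = EXT_ALIASES.get(ext, ext)
    kind = sniff(data)
    if kind in EXECUTABLE_KINDS:
        if ext in EXECUTABLE_KINDS[kind]:
            verdict = "executable (labelled as such)"
        else:
            verdict = "DANGER: %s content named .%s" % (kind, ext or "(none)")
    elif kind == "unknown":
        verdict = "unverified: no known signature"
    elif kind == ext:
        verdict = "ok"
    else:
        verdict = "MISMATCH: named .%s but bytes look like %s" % (ext, kind)
    return ext, kind, verdict


# Constructed sample downloads, modelled on the thread's test file (a shell
# script wearing a .mov name) plus genuine and mislabelled media.
TERMINAL_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>WindowSettings</key>
  <array>
    <dict>
      <key>ExecutionString</key>
      <string>echo HALLO WELT</string>
    </dict>
  </array>
</dict>
</plist>
"""

SAMPLES = {
    "trailer.mov": b"#!/bin/sh\necho HALLO WELT\n",               # script disguised as a movie
    "clip.mov": b"\x00\x00\x00\x14ftypqt  \x00\x00\x02\x00qt  ",  # genuine QuickTime header
    "photo.jpg": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,            # PNG bytes under a .jpg name
    "settings.term": TERMINAL_DOC,                                # Terminal document, honestly named
    "report.doc": TERMINAL_DOC,                                   # Terminal document hiding as Word
    "letter.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8,
}


def scan_samples():
    """Run check() over SAMPLES; returns {name: verdict}."""
    return {name: check(name, data)[2] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print("%-14s %s" % (name, verdict))
```

A caveat that matters for this thread: on Tiger the Finder's "Kind" and the application LaunchServices chooses come from metadata the bytes do not carry (type/creator codes, a resource fork, the extension binding), so a clean verdict here only says the contents are not an obvious script or Terminal document. Get Info remains the check for which application will actually open the file, and an "ok" from a content check is no reason to skip it for a download you did not expect.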
 