
technogeek

macrumors member
Original poster
Jun 5, 2007
When investigating the new Adobe Media Player, I discovered this disturbing system behavior.

To run AMP, you have to install Adobe AIR first. You go to http://get.adobe.com/amp/ and hit "Install Now" (which is Flash content btw). The usual behavior for installing apps is that a *.dmg file appears in your Downloads directory (whatever you have set that to), and if you have chosen "Open Safe Applications" or the equivalent in your Web browser (I use OmniWeb), the *.dmg will be mounted and there you will see either the app itself, or an installer.

What happens in this case, though, is that the Flash window says, “Adobe AIR Installer: Installing this application requires Adobe AIR, which will also be downloaded and installed. Press yes to continue.” After a moment, an app automatically launches to install AMP. This app is located in
“/private/var/folders/st/stI75rVOGHylzp56-M2VD++++TI/-Tmp-/airW2sAR6/Adobe\ AIR\ Installer.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/Adobe\ AIR\ Application\ Installer.app”.

This is obviously a huge security hole unless I’ve missed something. Clicking on a web link launches an app without any further consent by the user. And there are other application files in the /private/var/folders/ directory; these are all owned by the user and could be modified by the automatically launched app. The possibilities are endless for mischief.

Please tell me I’ve missed some component of the system that prevents such mischief.
 
I also had to give an admin username and password

and if you have chosen "Open Safe Applications"

Who has this option selected anyway? Just asking for trouble. Although IMO they should remove the word Safe from the option, as it implies that the OS knows it is safe rather than just guessing based on file extension.
 
I have Open Safe Stuff enabled and I was still asked for a password. Though it did appear to start installing before that, but I don't think it actually was.
 
People are missing the point. The security threat is not from Adobe. It is all very fine that Adobe's Flash file asks for consent, and that the AMP installer asks for a password.

The point is that OS X doesn't require me to consent to have the AMP installer launched. There is no way that a downloaded file should be even opened --- let alone executed --- by OS X, since I have "Open files in 'safe' applications" turned OFF in OmniWeb.

What it means is that someone could craft malicious Flash code that causes a file to be downloaded and executed without any action on the user's part. This automatically downloaded and executed file would have only the user's permissions, but the point is that OS X is placing other user-writable executable downloaded code into the same /private/var/folders cache. The malicious program could maliciously alter these other executables and run them as well in the user's permission space.

The malicious code could prompt for an administrator password which would most likely be granted, gaining root access.
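One way to check for the condition described above (executables sitting in the per-user cache that the same user can modify), as an added example that is not part of the thread: a POSIX shell audit function. The default directory (`$TMPDIR`, which on OS X resolves to the /private/var/folders/.../-Tmp-/ location the original poster names) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: list executables in a per-user temp/cache
# directory that are owned by the current user and carry the owner-write bit,
# i.e. files the user's own processes could alter and re-run.
# Usage: audit_writable_executables [DIR]   (DIR defaults to $TMPDIR, then /tmp)

audit_writable_executables() {
    dir="${1:-${TMPDIR:-/tmp}}"
    # -type f: regular files only (symlinks and directories are skipped)
    # -user:   owned by the invoking user
    # -perm -200 / -perm -100: owner write bit and owner execute bit both set
    find "$dir" -type f -user "$(id -un)" -perm -200 -perm -100 2>/dev/null
}

# Number of findings, for scripted checks (0 means nothing user-modifiable found).
count_writable_executables() {
    audit_writable_executables "$1" | wc -l | tr -d ' '
}
```

Run `audit_writable_executables` with no argument to scan your own temp cache; a non-empty result lists what a process running as you could overwrite.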
 
The installer is asking for your security information so that it can get around the protections of the OS. Without asking for that information it would not be able to install itself as it would not have the permissions necessary to do so.
 
How can that be so if it's asking for permission to install? If you don't put in your password it can't/won't install.
 
It's actually not the application asking for credentials, it's the request that it makes to the OS that in turn causes the OS to request your credentials. The OS "senses" a possible problem and automatically asks you to confirm it's ok by forcing you to authenticate yourself.
 
There is more than one way to install an app on OS X; a dmg is only one of them.
 