Security Threat from Adobe AIR on OSX?!?!?

Discussion in 'macOS' started by technogeek, Apr 10, 2008.

  1. technogeek macrumors member

    Joined:
    Jun 5, 2007
    #1
    When investigating the new Adobe Media Player, I discovered this disturbing system behavior.

    To run AMP, you have to install Adobe AIR first. You go to http://get.adobe.com/amp/ and hit "Install Now" (which is Flash content btw). The usual behavior for installing apps is that a *.dmg file appears in your Downloads directory (whatever you have set that to), and if you have chosen "Open Safe Applications" or the equivalent in your Web browser (I use OmniWeb), the *.dmg will be mounted and there you will see either the app itself, or an installer.

    What happens in this case, though, is that the Flash window says, “Adobe AIR Installer: Installing this application requires Adobe AIR, which will also be downloaded and installed. Press yes to continue.” After a moment, an app automatically launches to install AMP. This app is located in
    “/private/var/folders/st/stI75rVOGHylzp56-M2VD++++TI/-Tmp-/airW2sAR6/Adobe\ AIR\ Installer.app/Contents/Frameworks/Adobe\ AIR.framework/Versions/1.0/Resources/Adobe\ AIR\ Application\ Installer.app”.

    This is obviously a huge security hole unless I’ve missed something. Clicking on a web link launches an app without any further consent by the user. And there are other application files in the /private/var/folders/ directory; these are all owned by the user and could be modified by the automatically launched app. The possibilities are endless for mischief.

    Please tell me I’ve missed some component of the system that prevents such mischief.
     
  2. Eraserhead macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #2
    You had to type in your password to actually install it...

    At least I did.
     
  3. Eidorian macrumors Penryn

    Eidorian

    Joined:
    Mar 23, 2005
    Location:
    Indianapolis
    #3
    I was prompted at least twice during installation.
     
  4. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #4
    I also had to give an admin username and password.

    Who has this option selected anyway, just asking for trouble. Although IMO they should remove the word Safe from the option as it implies that the OS knows it is safe rather than it just guessing based on file extension.
     
  5. Eraserhead macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #5
    I have Open Safe Stuff enabled and I was still asked for a password. Though it did appear to start installing before that, but I don't think it actually was.
     
  6. technogeek thread starter macrumors member

    Joined:
    Jun 5, 2007
    #6
    People are missing the point. The security threat is not from Adobe. It is all very fine that Adobe's Flash file asks for consent, and that the AMP installer asks for a password.

    The point is that OS X doesn't require me to consent to have the AMP installer launched. There is no way that a downloaded file should be even opened --- let alone executed --- by OS X, since I have "Open files in 'safe' applications" turned OFF in OmniWeb.

    What it means is that someone could craft malicious Flash code that causes a file to be downloaded and executed without any action on the user's part. This automatically downloaded and executed file would have only the user's permissions, but the point is that OS X is placing other user-writable executable downloaded code into the same /private/var/folders cache. The malicious program could maliciously alter these other executables and run them as well in the user's permission space.

    The malicious code could prompt for an administrator password which would most likely be granted, gaining root access.
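
Added example (not part of the thread and not any poster's code): a defender-side audit of the concern raised in post #6, listing executable files under the per-user temporary directory that the current user, or anyone, can modify. The function names and the sample bundle layout are constructed for illustration.

```python
import os
import stat
import tempfile

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def writable_executables(root, uid=None):
    """Return executable regular files under root that uid (or anyone) may modify."""
    uid = os.getuid() if uid is None else uid
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; temp dirs churn
            if not stat.S_ISREG(st.st_mode):
                continue  # ignore symlinks, sockets, devices
            if not st.st_mode & EXEC_BITS:
                continue  # not marked executable
            owner_can = st.st_uid == uid and st.st_mode & stat.S_IWUSR
            world_can = st.st_mode & stat.S_IWOTH
            if owner_can or world_can:
                hits.append(path)
    return sorted(hits)

def build_sample_tree(base):
    """Constructed sample: a tree shaped like an unpacked .app bundle."""
    contents = os.path.join(base, "Sample Installer.app", "Contents")
    macos = os.path.join(contents, "MacOS")
    os.makedirs(macos)
    exe = os.path.join(macos, "installer")      # executable and owner-writable
    helper = os.path.join(macos, "helper")      # executable, read-only
    plist = os.path.join(contents, "Info.plist")  # writable, not executable
    for path, mode in ((exe, 0o755), (helper, 0o555), (plist, 0o644)):
        with open(path, "w") as f:
            f.write("placeholder\n")
        os.chmod(path, mode)
    return exe

if __name__ == "__main__":
    # On macOS the per-user temp directory normally resolves under
    # /private/var/folders/..., like the path quoted in post #1.
    for p in writable_executables(tempfile.gettempdir()):
        print(p)
```

The check looks at mode bits and ownership only; a file inside a directory the user can write to can still be replaced even if the file itself is read-only.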
     
  7. saltyzoo macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #7
    The installer is asking for your security information so that it can get around the protections of the OS. Without asking for that information it would not be able to install itself as it would not have the permissions necessary to do so.
     
  8. Neil321 macrumors 68040

    Neil321

    Joined:
    Nov 6, 2007
    Location:
    Britain, Avatar Created By Bartelby
    #8
    How can that be so if it's asking for permission to install? If you don't put in your password it can't/won't install.
     
  9. Eraserhead macrumors G4

    Eraserhead

    Joined:
    Nov 3, 2005
    Location:
    UK
    #9
    This could always happen, there is nothing Apple can do to fix it completely.
     
  10. saltyzoo macrumors 65816

    saltyzoo

    Joined:
    Oct 4, 2007
    #10
    It's actually not the application asking for credentials, it's the request that it makes to the OS that in turn causes the OS to request your credentials. The OS "senses" a possible problem and automatically asks you to confirm it's ok by forcing you to authenticate yourself.
     
  11. clevin macrumors G3

    clevin

    Joined:
    Aug 6, 2006
    #11
    There is more than one way to install an app on OSX; dmg is only one of them.
     
