Vulnerability found in Leopard Mail.app

Discussion in 'macOS' started by RedTomato, Nov 20, 2007.

  1. RedTomato macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #1
    According to The Register, a large vulnerability has been found in Leopard's mail.app allowing attackers to run malicious code on a victim's machine by disguising an executable program as an image or other type of innocuous file.

    It uses a security hole that was fixed in OSX 10.4 Tiger in March 2006, but seems to have been re-opened in OSX 10.5 Leopard.

    There is a demo of how the bug works at Heise Security.

    It works by the attacker sending you an email with an attachment that claims to be a safe file, e.g. a .jpg, but is actually an executable program. A user can become infected simply by clicking on an attachment that looks like a jpeg image.

    A patched version of Tiger will flag up this kind of file as possibly unsafe. Leopard does not, and will run it automatically.

    Register article
     
  2. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #2
    Interesting, I just tested mine on 10.5.1 and

    Wonder how they managed to reopen it without knowing. This is a poor indictment on their security controls.
     
  3. arkitect macrumors 601

    arkitect

    Joined:
    Sep 5, 2005
    Location:
    Bath, United Kingdom
    #3
    Me = paranoid. :D

    So I received the email from Heise… with attachment Heise.jpg

    Is it safe to follow their instructions and open the attachment? :p
     
  4. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #4
    I did :eek:
     
  5. arkitect macrumors 601

    arkitect

    Joined:
    Sep 5, 2005
    Location:
    Bath, United Kingdom
    #5
    I was about to click on it when I thought to myself:

    "Hmmmmmm: Here I am carelessly about to open an attachment from an unverified (to me) source… :eek::eek:"

    Hopefully Apple, Inc. close this quickly. As you said, "a poor indictment on their security controls."
     
  6. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #6
    I thought that, but then I also thought this is a second machine with a full backup, so I just pressed it.

    Nothing much happens; not really worth doing it.
     
  7. arkitect macrumors 601

    arkitect

    Joined:
    Sep 5, 2005
    Location:
    Bath, United Kingdom
    #7
    Then I shall take your word for it and desist from opening. :D
     
  8. psonice macrumors 6502a

    Joined:
    Jul 22, 2005
    #8
    The point of opening the attachment is just to prove that the vulnerability exists. I'm not on a Mac at present, but I'd imagine it just displays a notice saying "you are vulnerable" or similar.

    Has anyone tried it on 10.4.11 to see if the problem has been reintroduced there?

    Also, I think this should really be on the front page of mac rumours, as it's a potentially nasty problem.
     
  9. psonice macrumors 6502a

    Joined:
    Jul 22, 2005
    #9
    Oh, one other thing - this issue doesn't mean that your system can be totally compromised by one of these attachments. I think that anything that wanted to change the system in any way or install something permanent wouldn't have rights to do it - i.e. it would still ask for your password. And you'd have to be pretty stupid to give your password over to a picture!

    If somebody finds a local privilege escalation bug (which does happen fairly often), then the two combined would be a BIG risk, as the code would run without any warning and then gain access to the system without your password. Hurry up with a fix, Apple!
     
  10. RedTomato thread starter macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #10
    I ran the demo on a system running 10.3.9

    Email arrives from heise with dodgy .jpg attachment.

    Click on .jpg attachment.

    OSX flags up a warning:

    "The attachment “Heise.jpg” is an application. Since applications can contain viruses or be harmful to your computer, be sure this attachment is from a trustworthy sender before saving or opening it."

    I gather this is the correct behavior, warning me that what appears to be a .jpg is in fact an application.

    (I ignored the warning and opened the file. It just opened a Terminal window and activated a file listing, and then at the end, displayed a warning that the system was vulnerable)

    I don't have a Leopard system to test this on, but my understanding is that in Leopard, Mail.app opens the .jpg automatically and runs it with no warning.

    Can xUKHCx confirm that he received no warning?

    EDIT: why isn't this thread appearing in the Mac Software threads box on the front page?
     
  11. psonice macrumors 6502a

    Joined:
    Jul 22, 2005
    #11
    You're getting the correct warning there, yes. It should do the same on Leopard, and apparently it DOES warn you, but only 10% of the time (the rest of the time it just runs). People have confirmed that in the comments on the original story at The Register.
     
  12. RedTomato thread starter macrumors 68040

    RedTomato

    Joined:
    Mar 4, 2005
    Location:
    .. London ..
    #12
    Most Apple users that I know would indeed type in their password if a .jpg asked for it.

    I'm not calling them stupid - some are more intelligent than me. It's just that computers are not one of the core focuses of their life like it is for you and me.
     
  13. Veri macrumors 6502a

    Joined:
    Sep 23, 2007
    #13
    The script which executes could just edit ~/Library/Preferences/loginwindow.plist to change login items, no? Which means it could install a binary that runs wherever you're logged in, that turns your machine into a zombie for sending spam / launching DDoS / searching for personal data / whatever, and spreads by trolling your address book and sending e-mail. By initiating outgoing connection to some control server, any incoming firewall rules are bypassed (Little Snitch may be your friend here). A real trojan would also automatically extract and pop up a JPEG so, to the user, it looked like you were simply opening a JPEG.

    Just because something hasn't obtained root, it doesn't mean it's harmless. Mac users are lucky in that their platform hasn't reached the critical mass needed for such things to be profitable. It seems both MS and Apple have got on the "ignore MIME type + extension combination and find some other clever way to decide what program to run" bandwagon, and it's got them both in trouble. If a .jpg doesn't have MIME type image/jpeg or there is any indication to override default JPEG viewing behaviour, something's awry and Mail should respond to opening of the attachment by displaying a facepalm.
     
  14. psonice macrumors 6502a

    Joined:
    Jul 22, 2005
    #14
    Hmm... I'd have to say giving your password over to open a picture counts as stupid. Not to say that I wouldn't do something equally stupid if I was working on something I'm not so familiar with, mind, so I certainly accept your point :)

    Sometimes though, making that stupid mistake is the best way to learn. Admittedly, having to change all your bank accounts or something would be a bit harsh, but it sure would make you learn a bit about security!
     
  15. psonice macrumors 6502a

    Joined:
    Jul 22, 2005
    #15
    I'd have thought that it would require permission before setting something to run at login. If not, that's another security flaw really. Even if not though, it could certainly sit there firing out spam or whatever, and it would presumably have access to your files. Or would the mail.app sandboxing prevent that too?

    Can somebody modify the script a little and get it to make a few changes to see what can be done?

    Re. the file extension thing - I actually think file extensions are a bad idea. Back in the olden days on the Amiga, the OS would scan files to determine the file type. You didn't need extensions at all. The file icon shows you what the file is with no potentially misleading labels (at least not easily).
     
  16. Veri macrumors 6502a

    Joined:
    Sep 23, 2007
    #16
    I've just modified the script to successfully write to ~/Library/Preferences/loginwindow.plist, and to /Applications (in the admin group), so there seems to be no sandboxing that prevents filesystem writes. Even though the original demo executed ls, I was feeling hopeful for a moment :(.

    While it might be good as an extra check, detecting filetypes in this way is heuristic and resource-intensive; also consider that with IMAP, you might not even have downloaded the attachment when you're reading the text part. There's an argument for having filetype as part of metadata rather than extension, e.g. MIME types, but this goes against the (annoying, but highly interoperable) Unix "everything is a stream of bytes" philosophy.
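The two points Veri makes above (in #13, that a ".jpg" whose declared MIME type is not image/jpeg is a red flag, and in #16, that sniffing the bytes is only a heuristic but still useful as an extra check) can be turned into a small mail-side attachment audit. The following is an added example, not code from the thread, from Heise or from Apple; it builds a constructed sample message with two attachments (an inert shell script named Heise.jpg, standing in for the demo, and a stub of real JPEG bytes), then flags each attachment where extension, declared Content-Type and file signature disagree, or where the bytes carry an executable signature. The EXT_TO_MIME and MAGIC tables are deliberately short and are assumptions of the example, not a complete type database.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed, minimal mapping from extension to the MIME type a well-formed
# message should declare for it (not exhaustive; extend as needed).
EXT_TO_MIME = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".png": "image/png", ".gif": "image/gif",
    ".pdf": "application/pdf",
}

# Well-known file signatures for the types above.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
]

# Signatures that mean "this will execute if launched", whatever the name says.
EXECUTABLE_SIGNS = [
    (b"#!", "script with shebang"),
    (b"\xfe\xed\xfa\xce", "Mach-O 32-bit (big-endian)"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit (little-endian)"),
    (b"\xfe\xed\xfa\xcf", "Mach-O 64-bit (big-endian)"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit (little-endian)"),
    (b"\xca\xfe\xba\xbe", "Mach-O universal (fat) binary"),
    (b"\x7fELF", "ELF binary"),
    (b"MZ", "PE/DOS executable"),
]


def sniff(data: bytes):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return None


def looks_executable(data: bytes):
    """Return a description if the bytes start with an executable signature."""
    for sig, kind in EXECUTABLE_SIGNS:
        if data.startswith(sig):
            return kind
    return None


def check_attachment(filename: str, declared_type: str, data: bytes):
    """Compare extension, declared Content-Type and sniffed content; list findings."""
    findings = []
    ext = os.path.splitext(filename)[1].lower()
    expected = EXT_TO_MIME.get(ext)
    if expected and declared_type != expected:
        findings.append(f"declared type {declared_type} does not match extension {ext}")
    sniffed = sniff(data)
    if expected and sniffed != expected:
        findings.append(f"content looks like {sniffed or 'unknown'}, not {expected}")
    exe = looks_executable(data)
    if exe:
        findings.append(f"content is executable: {exe}")
    return findings


def audit_message(raw: bytes):
    """Parse a raw RFC 822 message and audit every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        declared = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        report.append((name, check_attachment(name, declared, data)))
    return report


def build_sample() -> bytes:
    """Constructed sample message: one disguised script, one genuine-looking JPEG."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "constructed sample, not the Heise mail"
    msg.set_content("Please open the attached picture.")
    # Inert placeholder script wearing a .jpg name (mirrors the thread's scenario).
    msg.add_attachment(b"#!/bin/sh\necho placeholder\n",
                       maintype="application", subtype="octet-stream",
                       filename="Heise.jpg")
    # Bytes beginning with the JPEG signature, declared honestly.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 16,
                       maintype="image", subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in audit_message(build_sample()):
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{name}: {status}")
        for f in findings:
            print(f"  - {f}")
```

On the sample, Heise.jpg trips all three checks (declared octet-stream, bytes not a JPEG, shebang present) while real.jpg passes clean. As Veri notes, the sniffing half is heuristic: a file can satisfy a signature and still be something else, and with IMAP the bytes may not have been fetched yet, so the extension-versus-declared-type comparison is the check that can always run on the headers alone.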
     
  17. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #17
    See the second post.


    Oddly enough, the first time I opened the attachment I didn't get any warning but I just went and did it again and this time I received the following box.


    Now I can't remember if the first time I opened it was on my iMac or the MacBook. When I get home later on (in about 10 hours) I will try it on my iMac and see what happens. But I am adamant that the first time I opened it I received no such warning.
     
  18. arkitect macrumors 601

    arkitect

    Joined:
    Sep 5, 2005
    Location:
    Bath, United Kingdom
    #18
    So I couldn't resist…

    My poor vulnerable MacPro…

    Ran without a warning. :eek: :(
     
  19. xUKHCx Administrator emeritus

    xUKHCx

    Joined:
    Jan 15, 2006
    Location:
    The Kop
    #19
    Try running it again after a log out and a log in again, because you might get a warning the second time like I did.
     
  20. psonice macrumors 6502a

    Joined:
    Jul 22, 2005
    #20
    The original report said that the warning DOES appear, but not every time. When they repeated the test, they were warned perhaps 10% of the time, which suggests that the fix is "there" but some kind of bug is stopping it working randomly. No idea if it needs a log off or a reboot or whatever to stop/start working.
     
  21. nemex macrumors regular

    nemex

    Joined:
    Nov 14, 2007
    Location:
    Mexico
    #21
    Well, I did get the message with the jpg attachment. I double-clicked on it to open and the first time the script ran in Terminal. Right after that, I opened it again, and the pop-up warning showed up saying:

    “Heise.jpg” may be an application. It was attached to a mail message and will be opened by Terminal. Are you sure you want to open it?

    Scary. I do have ClamXav watching over the Mail Downloads folder; I was hoping it would intercept... :( :eek:
     
  22. John01021988 macrumors 6502

    Joined:
    May 11, 2007
    #22
    If you double click on it, it asks for confirmation.
    If you just click on the file without opening, it opens itself without confirmation :(
     
  23. arkitect macrumors 601

    arkitect

    Joined:
    Sep 5, 2005
    Location:
    Bath, United Kingdom
    #23
    Well, I double-clicked and it didn't ask for any confirmation… :eek:

    So I guess YMMV in all cases.
     
  24. Let's Sekuhara! macrumors 6502

    Let's Sekuhara!

    Joined:
    Jun 30, 2008
    Location:
    日本
    #25
    Rant

    How many times does it need to be said?! Hidden file extensions are a terrible idea!

    Pros:
    - You don't have to think about what type of file it is.
    - Lack of extension believed more aesthetic by some.

    Cons:
    - You won't think about what type of file it is. In other words, it encourages user ignorance and irresponsible file management practices.
    - When you attach the file in an email it will often become useless as the recipient will not know what type of file it is. I have this experience frequently with people at work (I won't name names) and I have to send a second email asking "was that an AIF, a WAV, an MP3, an M4A? Or maybe an MPEG, an AVI, or a MOV?"
    - Convenient delivery method for malicious software of all sorts.
    - Means having to use "Get Info" instead of simply glancing at the file.
    - The search criteria "By Extension" is rendered utterly useless.

    Hey, we have a great thing called an extension that enables us to tell one type of file from another! Let's hide it...make life a bit more challenging! And then people can get creative and create fake extensions to trick other people! Wouldn't that be fan-*****-tastic! I'm going to send out a bunch of letters now and omit the addresses...I hope they make it to their destinations! After that I'm going to rename the folders on my hard drive from their intuitive names like "Documents" to "Xr1f5TizoOeMWxZi12" - BECAUSE I LOVE HAVING TO GUESS!!!

    :eek::eek::eek::eek::eek::mad::eek:
     