
Exploit Published for Unpatched Mac OS X Flaw

Days after the emergence of two pieces of malware designed to attack Mac OS X users, security experts have uncovered a serious security hole that could be used to infiltrate OS X systems through Safari, the operating system's default Web browser.

According to a post at the SANS Internet Storm Center, Safari is configured by default to automatically open certain types of downloaded files that the operating system marks as "safe." Since Safari by default treats compressed ".zip" archives as safe, a malicious Web site could fill such an archive with a shell script -- a series of commands the host computer runs when the file is opened. Worse, the script can be disguised as a JPEG or other image file: when Safari unpacks the archive, the operating system decides which application opens the file from its file-type metadata rather than from its name, so a script named like a picture is handed to Terminal and run. A Safari user could thus be hit with the exploit "simply by visiting a Web site -- no user interaction required," SANS warns.

This writeup at the German technology news publisher Heise Online says the problem isn't limited to Safari. Even an OS X user who views the site with a different Mac browser, downloads one of the disguised image files and double-clicks on it would cause the operating system to run the concealed script.

Most OS X users run their computers as the default "administrator" account, which is set up so that certain changes to the operating system cannot be made without the user re-entering the account password. But this exploit could still do a fair amount of damage when run from an administrator account, because the script runs with whatever privileges the logged-in user already has and never needs to ask for more. A malicious Web site using this flaw would not be able to, say, overwrite system files or disable the firewall without triggering a password prompt, but it could well delete that user's own files or cause that account to send and/or receive various types of data over the network.
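The pattern described above, as an added example that is not part of the original post or of Lehn's proof of concept: an offline scanner that reads a downloaded ZIP in memory, never extracts or opens anything, and reports (1) entries whose extension says "image" while their leading bytes say "shell script" or "Mach-O executable", and (2) AppleDouble sidecar entries (`__MACOSX/._name`) carrying Finder type/creator codes, which is the metadata Finder consults ahead of the extension when choosing an application. The sample archive is constructed inline; the use of the `TEXT`/`trmx` codes to stand for "open with Terminal", and the exact metadata the real proof of concept carried, are assumptions, not facts from the page.

```python
"""Scan a ZIP for scripts disguised as images without extracting it.
Added example; not code from the original post or from Lehn's PoC."""
import io
import struct
import zipfile

# Leading bytes a file with these extensions should begin with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Leading bytes of things that can be executed: a shebang line, or a
# Mach-O / universal binary header (big- and little-endian variants).
EXEC_MAGIC = (b"#!", b"\xca\xfe\xba\xbe", b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe")

APPLEDOUBLE_MAGIC = 0x00051607    # AppleDouble file magic
APPLEDOUBLE_VERSION = 0x00020000
FINDER_INFO_ENTRY = 9             # entry ID of the 32-byte Finder Info record
HEADER_LEN = 26                   # magic(4) + version(4) + filler(16) + count(2)


def finder_codes(blob):
    """Return (file type, creator) from an AppleDouble blob, or None."""
    if len(blob) < HEADER_LEN:
        return None
    (magic,) = struct.unpack(">I", blob[:4])
    if magic != APPLEDOUBLE_MAGIC:
        return None
    (count,) = struct.unpack(">H", blob[24:26])
    for i in range(count):
        off = HEADER_LEN + 12 * i
        if off + 12 > len(blob):
            break
        entry_id, data_off, data_len = struct.unpack(">III", blob[off:off + 12])
        if entry_id == FINDER_INFO_ENTRY and data_len >= 8 and data_off + 8 <= len(blob):
            return blob[data_off:data_off + 4], blob[data_off + 4:data_off + 8]
    return None


def sidecar_target(name):
    """Map '__MACOSX/dir/._pic.jpg' to the entry it describes, 'dir/pic.jpg'."""
    dirpart, _, base = name.rpartition("/")
    if dirpart == "__MACOSX":
        dirpart = ""
    elif dirpart.startswith("__MACOSX/"):
        dirpart = dirpart[len("__MACOSX/"):]
    return (dirpart + "/" if dirpart else "") + base[2:]


def scan_zip(data):
    """Return a list of (entry name, reason) findings for a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            payload = zf.read(name)
            base = name.rpartition("/")[2]
            if base.startswith("._"):                      # AppleDouble sidecar
                codes = finder_codes(payload)
                if codes and codes != (b"\0" * 4, b"\0" * 4):
                    ftype, creator = (c.decode("latin-1") for c in codes)
                    findings.append((sidecar_target(name),
                                     f"Finder Info type={ftype!r} creator={creator!r} can override the extension"))
                continue
            ext = ("." + base.rpartition(".")[2].lower()) if "." in base else ""
            expected = IMAGE_MAGIC.get(ext)
            if expected is None:
                continue                                   # not claiming to be an image
            if payload.startswith(EXEC_MAGIC):
                findings.append((name, f"named {ext} but content is a script or executable"))
            elif not payload.startswith(expected):
                findings.append((name, f"named {ext} but content is not a {ext} image"))
    return findings


def build_appledouble(ftype, creator):
    """Build a minimal AppleDouble blob holding only a Finder Info entry."""
    finder_info = ftype + creator + b"\0" * 24             # 32-byte record
    header = (struct.pack(">II", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION)
              + b"\0" * 16 + struct.pack(">H", 1))
    entry = struct.pack(">III", FINDER_INFO_ENTRY, HEADER_LEN + 12, len(finder_info))
    return header + entry + finder_info


def build_sample_zip():
    """Constructed sample: a shell script named like a JPEG, its sidecar, a real PNG."""
    script = b"#!/bin/sh\necho 'Hallo Welt!'\n"            # harmless stand-in, never run
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("picture.jpg", script)
        # Assumption: 'TEXT'/'trmx' stand for "open with Terminal".
        zf.writestr("__MACOSX/._picture.jpg", build_appledouble(b"TEXT", b"trmx"))
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

Run it against any archive by passing the file's bytes to `scan_zip`; the two findings on the constructed sample both point at `picture.jpg`, which is exactly the mismatch the Heise advice (check the file type in the Get Info window rather than trusting the icon) asks the user to look for by hand.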

The researcher who discovered the flaw, Michael Lehn, a Ph.D. student and research assistant at the Department of Numerical Analysis at the University of Ulm, also published a harmless proof-of-concept exploit that Mac users can examine if they want to see the flaw in action. According to the author, "It merely prints 'Hallo Welt!' [Hello World] in a terminal (but infinitely many times)." Unfortunately, several experts I spoke with last night about this exploit said it looks like Lehn's code could be trivially modified for nefarious purposes.

In an e-mail interview, Lehn said he was prompted to look for the flaw after watching the German TV show Mac-Tv, which on Sunday featured a discussion of the threat from two new pieces of malware targeting OS X. Lehn said viewers were calling in to defend the security of Mac OS X, saying that it was not possible for OS X users to infect their machines just by clicking on a link or visiting a Web page. Lehn disagreed.

"In math you either prove that something is true, or you find a counter-example to prove it wrong," he said. Lehn said he found the flaw after just 15 minutes of looking.

I don't see an advisory about this yet from Apple, but SANS says that for the time being Safari users should disable the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences.

Update, 2:24 p.m. ET: Vulnerability watcher Secunia has just issued an advisory on this Mac OS X flaw, assigning it an "extremely critical" threat rating, its most serious. Secunia says that rating is "typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. These vulnerabilities can e.g. exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers."

By Brian Krebs  |  February 21, 2006; 9:50 AM ET
Categories:  Latest Warnings  

Comments

There is an easy fix for this flaw until Apple issues a patch: move the terminal application from its place in applications/utilities to another folder.
Next problem, please.

Posted by: JC | February 21, 2006 11:10 AM | Report abuse

This so-called exploit does not work on my Mac.

Posted by: Mark S | February 21, 2006 11:29 AM | Report abuse

How 'bout the easiest fix - disable Safari from opening 'trusted' files without authorization. Or even better, use a different browser.

Posted by: JohanTheOlive | February 21, 2006 12:00 PM | Report abuse

This is hardly news. Apple warned users about this in the early days of Panther; that's why disabling the "Open 'safe' files after downloading" is one of the first things I do when installing a fresh copy of OS X.

Posted by: Andrew | February 21, 2006 12:07 PM | Report abuse

of course, nothing bad ever threatens os x. where's the rest of the mac crowd to come downplay the seriousness of the issue?

SANS filed an update on this:

It looks like this can be used to fool users into starting the file no matter which vector is used (download from the web, e-mail, or something else).
According to the Heise article, "users should verify that the OS is using the proper file type. This can be done through the information window or in the column view."

oh and Andrew "You can also move your Terminal application somewhere else, but this might (and will) break other things."

yeah right this isn't news.

Posted by: joejoe | February 21, 2006 12:35 PM | Report abuse

heh. and that's why Secunia is rating this "extremely critical." nothing to see here, move along. mac users crack me up.

http://secunia.com/advisories/18963/

Posted by: steve | February 21, 2006 12:36 PM | Report abuse

Worked like a charm on my two fully updated and patched work computers, after I enabled "Open 'safe' files after downloading." (Guess I now know why 'safe' is in quotes.) It's pretty scary to see a terminal window open and execute a command on its own after doing nothing more than following a hyperlink. Though I'm a huge Apple fan and will never own a Windows computer, even I can see this is a big problem and a hole which needs to be patched by Apple quickly before the benign exploit is put to more nefarious uses. And anyone who says differently needs to pull their head out of the sand.

Posted by: spellman | February 21, 2006 1:05 PM | Report abuse

The exploit doesn't work on my computer. The file gets downloaded but is not run. I'd agree, there is a tension between the natural ability of a program to "skin" itself with an icon and the potential for cloaking one's file type via the icon of a different file type.

Perhaps the solution is to call attention to file extension/type mismatches, via the colour label metaphor. Another would be to use the already-existing protection on normal binaries to shell scripts - a window pops up asking "You've never run this program before... are you sure you want to".

Note that this system is already in place for compiled executables; it simply needs to be extended to shell scripts not directly called by a user-controlled Terminal instance.

-RS

Posted by: Rahul Sinha | February 21, 2006 1:47 PM | Report abuse

This IS news. And it's not just a Safari thing. Did you click on an email attachment this week? Using Apple's Mail app? How can you safely know it's a picture and not a terminal script?

If you click the attachment, and if the file was malicious, your data is lost. Tell this to someone who works in an ad agency, exploring hundreds of photos a week.

Posted by: Joern | February 21, 2006 1:48 PM | Report abuse

Oddly, it doesn't work for me either. The file downloads, but even when I explicitly double-click on it, it opens Terminal and then does nothing. While I agree this is certainly a security concern, it seems there's more than one setting that has to be configured in a particular way for the exploit to work.

Posted by: Brian Ellis | February 21, 2006 9:16 PM | Report abuse

Metasploit released exploit code for this today. There are 4 payloads that can be sent via the Metasploit console. A couple that will get you a remote shell. I haven't tested it though.

http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php

Posted by: David Taylor | February 22, 2006 1:55 PM | Report abuse

This vulnerability comes right on the heels of two dramatically over-hyped malware discovery events, which were called "worms" by the Fox station in D.C. Wednesday night.

The near hysteria of local news outfits all over the country to those earlier news items prompted a backlash among the user community, which was underway when this news struck. This appears to have caused quite a bit of confusion, and probably resulted in people not taking this Safari issue as seriously as they perhaps should. I know I'm disabling the automatic "Open safe files" feature of Safari until a fix is released.

/gary
http://antibogon.org/blog/

Posted by: Gary W. Longsine | February 23, 2006 2:13 AM | Report abuse

Here it is 3 days after this bit of 'news' and LIFE AS WE KNOW IT IS ENDING!!!!!

Actually, nothing has happened. No wave of virii attacking Macs is being reported. While I'm sure that Apple is working on a fix for this "extremely critical threat," Windows whiners would do well to wait until there is an actual problem before crowing so loudly. Meanwhile, today we learned of another "critical security hole" in Winamp. Let's see, viral score: Mac - 3 (?); Windows 3x10^6

Posted by: I'm so scared! | February 24, 2006 1:23 PM | Report abuse

Safe downloads, gee, I changed this a long time ago with the command line. If you're an OS X user and do not know the command line, maybe it is time you picked up a book.

Turn off the Safari safe downloads.

defaults write com.apple.Safari AutoOpenSafeDownloads -bool NO

Posted by: Learn command line | February 27, 2006 4:18 PM | Report abuse

Concerning the numbers posted by I'm so scared, throttle back on the exaggeration there. 3 x 10^6 malwares for Windows? Try 3 x 10^3 (30000) to 1 x 10^4. Also, don't let the paltry numbers lull you into a false sense of security. The very first virus was written not on MS Windows, not on MS-DOS, but on Unix. Yes, that is right - the first virus was written on Unix using the ideas of self-replicating code proposed by the inventors of Unix:

http://www.all.net/books/virus/part5.html
http://news.bbc.co.uk/2/hi/technology/3257165.stm

In case you didn't know it, the Mac is one of the Unix clones, derived primarily from FreeBSD. I take a dim view of Apple setting up an admin account. All this really means is that they are in the sudoers file, which means if they stupidly say yes to a lot of things, they may as well have been logged in as root. At least when they are logged in as root they KNOW that they are in an unsafe position and perhaps should temporarily disconnect themselves from the Internet. They should NEVER point their browser out at the Internet if they are logged in as root. I favor educating people that they should log in as root (default for the Mac is that you can't) rather than sudo to do system things. What is the difference? If you have sudoed you are just as privileged as if you have logged in as root. By hiding how the OS is doing things, the Apple camp is doing a GREAT disservice to the people using their systems. DO MORE THAN JUST PATCH APPLE, DO SOME INITIAL TRAINING OF THE USERS OF YOUR SYSTEMS!

Rest assured, since Mac OS X is positioned as a direct replacement for MS Windows (Linux, the FreeBSD that Mac OS X is based loosely on, NetBSD, and OpenBSD are for people with more experience with Unix), Mac OS X will inevitably gain more nasties as time progresses. In the meantime, follow the advice of Learn command line. Just be aware that there are FAR more settable things than just AutoOpenSafeDownloads for Safari, and almost everything that is tunable is most easily set this way.

Meanwhile, Mac OS X users, TAKE THIS SERIOUSLY. This is the beginning salvo. More are going to come. You may want to consider downloading and using Firefox, but it isn't a magic bullet, and even it needs to be strictly tuned for security. It is NOT ready for prime time with the default settings.

Posted by: Henry Hertz Hobbit | February 28, 2006 11:32 PM | Report abuse



© 2010 The Washington Post Company