Exploit Released for Unpatched Mac OS X Bug
The "Month of Kernel Bugs" strikes again. At the beginning of the month, a security researcher known only as LMH started the project to highlight unpatched flaws that are so severe that malicious attackers could use them to completely subvert the security of vulnerable computers. On Monday, the project's curator released instructions for targeting a serious flaw in the way Mac OS X systems process certain types of files.
This particular exploit targets a vulnerability in the way that most Macs process files ending in ".DMG", a file type commonly encountered when Mac users download a software installer. Clicking on the proof-of-concept DMG file listed on the MoKB homepage with a brand new Mac OS X 10.4.8 installation caused the system to throw up a prompt telling me that I needed to restart my computer by holding down the power button or otherwise restarting the machine.
Sounds like an innocuous enough bug, to be sure, but the crash report generated after I used Safari to click on the file indicated that the exploit had indeed resulted in a "kernel panic," which in most cases means that if someone wanted to use the exploit to install malicious code, they could do so regardless of the security settings or precautions already present on the machine.
I'm not a Mac OS X expert, but others who have examined DMG files have previously pointed to them as a potential source of system compromise. Here's a recent post at the Matasano Security blog: "What is interesting about DMG [files] is that they allow non-privileged users to mount a filesystem. This poses a number of unique threats to OS X."
What was interesting about the flaw detailed by "LMH" was that I merely clicked on a link at the MoKB site and received a file, which OS X subsequently opened and then told me it needed to shut down.
LMH said he tested the exploit against an OS X installation running on an Intel "shipping" Mac; the exploit also seemed to work against my older PowerPC-based system. According to LMH, there is no existing patch for this vulnerability, but OS X users can mitigate this flaw by "changing the Preferences and deactivating the functionality for opening 'safe' files after downloading."
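One way to audit, and optionally apply, the mitigation LMH describes on a machine or across a fleet, as an added example that is not part of the original post: the checkbox for opening "safe" files after downloading is stored in Safari's com.apple.Safari defaults domain under the key AutoOpenSafeDownloads (a key name assumed from Safari's known defaults, not quoted on the page), and when the key is absent Safari falls back to its built-in default, which is on. The value-interpretation logic is kept separate from the macOS-only `defaults` calls so it can be checked anywhere.

```shell
#!/bin/sh
# Audit (and optionally disable) Safari's automatic opening of "safe"
# downloads, the setting LMH named as the mitigation for the DMG bug.
# Assumption: the preference lives at com.apple.Safari/AutoOpenSafeDownloads
# (not stated on the page). Requires macOS for the live read/write.

DOMAIN="com.apple.Safari"
KEY="AutoOpenSafeDownloads"

# Map the raw value printed by `defaults read` to a state. An absent key
# (passed here as "") means Safari uses its built-in default, which is ON.
auto_open_state() {
    case "$1" in
        0|false|NO|no)   echo "disabled" ;;
        1|true|YES|yes)  echo "enabled" ;;
        "")              echo "enabled (default, key not set)" ;;
        *)               echo "unknown value: $1" ;;
    esac
}

# Fleet-check exit policy: returns 0 when the machine is still exposed
# (auto-open active or unknown), 1 when the setting is explicitly off.
auto_open_is_exposed() {
    case "$(auto_open_state "$1")" in
        disabled) return 1 ;;
        *)        return 0 ;;
    esac
}

# Read the live value; yields "" when the key does not exist yet.
read_live_value() {
    defaults read "$DOMAIN" "$KEY" 2>/dev/null || true
}

# Usage: audit_safari_auto_open [--fix]
audit_safari_auto_open() {
    value=$(read_live_value)
    printf '%s = %s\n' "$KEY" "$(auto_open_state "$value")"
    if [ "${1:-}" = "--fix" ] && auto_open_is_exposed "$value"; then
        # Writes the current user's preference; relaunch Safari to apply.
        defaults write "$DOMAIN" "$KEY" -bool false
        printf '%s set to false\n' "$KEY"
    fi
}

# Only touch the live system when invoked with --audit or --fix.
if [ "${1:-}" = "--audit" ] || [ "${1:-}" = "--fix" ]; then
    audit_safari_auto_open "$1"
fi
```

Run it as `sh safari_auto_open.sh --audit` to report, or `--fix` to turn the setting off for the current user; the check treats a missing key as exposed, which matches the default-on behaviour the post's commenters complain about.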
I have sent a message to the Apple public relations folks seeking comment and will update this post if and when I hear back from them.
By Brian Krebs | November 21, 2006; 9:30 AM ET | Category: Latest Warnings
Posted by: Brad | November 21, 2006 10:03 AM
you have a typo--you list it as system 10.8, which presumably won't be released until after leopard, which is 10.5. the current version (with all patches applied) is 10.4.8.
Posted by: James Hare | November 21, 2006 10:08 AM
James, yes that was a typo. I've fixed, thanks.
Posted by: Bk | November 21, 2006 10:33 AM
Are there any virus protection programs available for Intel-based Macs yet? I used Norton Internet Security for my Power Mac but had to scrap it once I scrapped the Power Mac and moved up to the Mac Pro.
Posted by: Glenn | November 21, 2006 10:33 AM
This is an old issue actually, with the fix mentioned above being the recommended easiest protection (turning off automatic processing in Safari). The shocking thing actually is that you still HAVE to turn this off, when it should be off by default, and only turned on by those who know what they're risking. At least once it's turned off, it doesn't automatically turn back on with later updates (yet).
Disabling file system mounting by non-privileged users would be the equivalent of not allowing them to load CDs/DVDs, which could also be infected by the way, so may or may not be very practical as an additional precaution depending on a given user's setup.
I just turn off the Safari preference at every client and family member's computer I can find.