February 21st, 2006, 16:00 PM
Old and Cranky
Apple Safari Browser Automatically Executes Shell Scripts
Shortly after reports of the first virus for Mac OS X, a new security flaw has surfaced. The culprit is the option "Open 'safe' files after downloading" in Apple's Safari web browser. This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user's computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered "safe". If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good.
Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.
Under normal circumstances, shell scripts begin with a "shebang line" such as "#!/bin/bash" to indicate which interpreter should handle their execution. However, Mac OS X will load scripts without a shebang line into the Terminal, where they will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically.
If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.
The best immediate recourse against such an attack is to deactivate the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences. Alternative web browsers such as Camino or Firefox do not support the automatic execution of files. These browsers can be prompted to automatically download a file by using the refresh command in the HTML source code of a web page. However, the file will not be executed. Since the Finder selects the icon for a file based on its extension, users are advised to verify that the OS is using the proper file type. This can be done through the information window or in column view.
An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.
You can determine whether your system is vulnerable by using this online demonstration provided by heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.
*Follow the original link for the actual demonstration*
February 24th, 2006, 20:50 PM
Old and Cranky
Security hole in Mac OS X also affects Apple Mail
The weak point in Apple's Mac OS X operating system is apparently worse than originally thought. In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances.
It suffices to disguise a script with the ending "jpg" and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient's system also opens it with the Terminal. Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.
As with the numerous Windows viruses, Mac OS X viruses could also spread via e-mail in this manner. The virus need only tempt users with a text to open the faked image file. You can use heise Security's Emailcheck to have a harmless e-mail sent to you that demonstrates the problem.
The main problem is that the attacker can determine which application should open a file. Normally, this information is hidden in the file's resource fork and hence limited to the local system. To transport this via the Web, resources typical of Mac can be included for analysis by the local programs. In the weak point reported yesterday, a ZIP archive also contains the folder __MACOSX with metadata. You may infect your computer if you open the JPG file in such an archive without a warning even if the ZIP file was downloaded and saved to your Mac via Firefox. For e-mails, the MIME format AppleDouble allows resource forks to be attached; Apple Mail automatically analyses them. To make things worse, in both cases the type of a file is determined via the extension -- and that can be misleading.
The free e-mail client Thunderbird does not fall for this trick because it does not analyze AppleDouble. A protective measure is to move the Terminal application from /Applications/Utilities into a different folder. But the best idea is not to open any files if you don't know where they came from.
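The two posts above describe the same pattern from two delivery paths: a file with an image extension whose contents are a plain text script with no shebang, accompanied by Mac resource-fork metadata (the __MACOSX folder in a ZIP, or an AppleDouble MIME attachment) that binds it to Terminal. The following triage script is an added example, not code from heise Security or Apple; it checks a ZIP archive for "image" entries whose bytes carry no image signature and reports whether a matching AppleDouble ._ file is present. The archive it scans is a constructed fixture containing a harmless echo line.

```python
import io
import zipfile

# AppleDouble header magic: the format of the ._ files Mac OS X writes under
# __MACOSX/ in ZIP archives and of AppleDouble MIME attachments.
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"

# "Safe" image extensions and the signatures a genuine file of that type starts with.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}

def is_appledouble(data: bytes) -> bool:
    return data[:4] == APPLEDOUBLE_MAGIC

def is_text_without_shebang(data: bytes) -> bool:
    """Plain text with no #! line: exactly what Terminal hands straight to bash."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    printable = all(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return printable and not text.startswith("#!")

def scan_zip(blob: bytes) -> list:
    """Return one finding per 'image' entry whose bytes are not really an image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext not in IMAGE_MAGIC:
                continue
            data = zf.read(name)
            if data.startswith(IMAGE_MAGIC[ext]):
                continue  # signature matches the extension; nothing to report
            folder, _, base = name.rpartition("/")
            fork = f"__MACOSX/{folder + '/' if folder else ''}._{base}"
            has_fork = fork in names and is_appledouble(zf.read(fork))
            findings.append(
                f"{name}: no {ext} signature; text without shebang="
                f"{is_text_without_shebang(data)}; AppleDouble metadata={has_fork}")
    return findings

def build_sample_archive() -> bytes:
    """Constructed fixture: a harmless one-line script named .jpg, a stub ._ file, a real PNG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pics/holiday.jpg", "echo this would have run in Terminal\n")
        zf.writestr("__MACOSX/pics/._holiday.jpg", APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24)
        zf.writestr("pics/real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for line in scan_zip(build_sample_archive()):
        print(line)
```

Run it against a downloaded archive by passing the file's bytes to scan_zip; a hit with both flags true is the combination the posts describe, and the entry should be inspected in the Finder's information window rather than opened.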
March 2nd, 2006, 15:44 PM
Old and Cranky
Apple plugs 20 OS X holes
Security update deals with Leap.A threat and more...
Apple on Wednesday released a security update for Mac OS X that fixes 20 vulnerabilities, including a high-profile web browser and Mail flaw disclosed last week.
The set of patches addresses a variety of security flaws, including several that could let an attacker gain control over a computer running the operating system software. The patch arrives after two weeks of intense scrutiny for Apple Mac OS X safety, prompted by the discovery of two worms and the disclosure of two security flaws in that period.
The Apple security update addresses those flaws, which affect the Safari web browser and Apple Mail client. The vulnerabilities expose Mac users to risks that are more familiar to Windows owners: the installation of malicious code through a bad website or email because of improper validation of downloads.
The update also changes iChat, Apple's instant messaging application, to thwart instant message threats such as the Leap.A pest, which was detected recently and attacked some Apple users.
Apple said: "iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers."
Other flaws fixed in the update include four issues related to the PHP scripted programming language, two problems related to Apple's Directory Services, a problem with mounting of file servers and a bug in FileVault secure storage, which was found to be insecure in the way a FileVault image is created.
Security Update 2006-001 can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.
The representative said: "Apple advises Mac OS X users to keep their system current by installing this and all Mac OS X software updates."