New Security Update addresses "safe file" issue...

ElDiabloConCaca

Get it while it's hot in Software Update (or download it manually, but what fun is that?).

http://docs.info.apple.com/article.html?artnum=303382

Now all those people bitching about how insecure Mac OS X is can shut their mouths. Those "proofs of concept" existed for what -- barely a week? -- and now Apple has patched it.

Dearest Crackers: next time be a little more creative with your exploits. Copying and pasting a JPEG icon on a UNIX executable has got to be the most juvenile attempt at an exploitation. Why don't y'all learn to REALLY write code instead of being crappy little script kiddies?

Go spread FUD somewhere else and just let us Mac users enjoy our Macs.
 
ElDiablo: It wasn't the script kiddies who did that JPEG thing. It was a demo to show how _easily_ one could trick a user into double-clicking a file he or she doesn't know. Most Mac users have _no_ idea about these things, mainly because there never _were_ any real security threats on Mac OS X. And as such a demo, cloaking the file as a JPG was the right thing to do in my opinion.

There's no need to gloat now, either, I think. Sure: These holes have been filled. (Have they? Or will heise.de release a news blurb tomorrow about how this only fixes half of it?) But the past few weeks have clearly shown that if there _is_ enough energy in the world of script-kiddies etc., the Mac platform _could_ be targeted from time to time. And I think the more we gloat, the more envious people might become and start doing _just_ what you urged them to: To attack us with the real stuff. And we _don't_ want that. In my opinion.
 
Did y'all even read the link?

CVE-ID: CVE-2006-0394

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).
 
Have a look over the full description of the security update. Look at the CVE numbers - notice how many of them are from 2005? Throw the CVE ID into google, and you can find out more.

Just for example, the PHP vulnerabilities are from October to November 2005. That's a 3-4 month window of vulnerability. Every other OS vendor out there had patches out in a matter of days, but Apple took months. That is just plain unacceptable.
 
iChat. A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.
 
Switcher question here: Isn't the solution just for me to disable the "Open `safe' files after downloading" option in my prefs? That's what I've done, anyway.
And I agree with Fryke - it's one thing to taunt your Windozer mates down the pub about all the malware they keep getting clobbered with, another altogether to lay down the gauntlet to the script-bunnies. I for one am still luxuriating in the newfound security and peace of OS X. I'd prefer to carry on a while longer if possible.
 
easterhay said:
Switcher question here: Isn't the solution just for me to disable the "Open `safe' files after downloading" option in my prefs? That's what I've done, anyway.
Yep, that'll keep you safe. Apple's already patched this hole, so even if you have that option turned on, you're still safe as long as you're up-to-date with the security patches (run Software Update if you're not sure).
 
Disabling "open safe files after download" saves you from one particular attack scenario - the single-step drive-by download and execution in Safari.

The Finder, Mail, perhaps a few other programs, will still present the file as a jpeg (or some sort of generally benign file type), so an email worm could still use this trick. You still can't trust a file that you receive in email, with a jpeg icon on it, and a name that ends in ".jpeg", to actually be a jpeg, and not do anything nasty when you open it. To verify what the file is, save it to the desktop, click it _once only_ and choose "get info" from the Finder's menus (I'm not writing this on a Mac, so I can't check which menu it's under. The keyboard shortcut is command-i). This will tell you what sort of file it is. If it doesn't say something like "jpeg image", get suspicious.

The exposure is downgraded from a nearly zero-interaction attack, to a social engineering attack that is assisted by the way the OS handles file types (i.e. inconsistently - one way when it comes to presenting the user with information, and another way when it comes to determining how to open it).

On another note, just because I don't like being told to shut my mouth, here are a couple of references for your consideration:

One of the vulnerabilities patched in 2006-001 - a simple, dumb privilege escalation in the passwd utility - took Apple 6 months to fix from the time it was reported to them. http://seclists.org/lists/fulldisclosure/2006/Mar/0053.html

The update to PHP brings PHP up to version 4.4.1, which was released publicly four months ago to address various vulnerabilities. The catch - PHP 4.4.2 was released publicly over one month ago, to address additional vulnerabilities. http://isc.incidents.org/diary.php?storyid=1160

I like Macs, and I generally like Apple as a company, but they haven't quite gotten their act together on security. One of the problems, I think, is that Apple hasn't realized that when you distribute open source software, you become an open source company, meaning you don't control the release schedule of all the software you distribute; public vulnerability disclosure doesn't wait for your convenience. I think some people may be unwilling to recognize this, and get angry when people point it out to them.
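A small defender-side check in the spirit of scruffy's "get info" advice and the CVE description above: it compares what a download's name claims to be against what its first bytes actually are, and flags the executable bit on anything that calls itself an image or movie. This is an added example written for this thread, not code from Apple or from any poster; the sample files in it are constructed.

```sh
# Flag downloads whose name claims a "safe" type (image/movie) but whose
# contents are a script or a native executable, the disguise used by the
# CVE-2006-0394 proof-of-concept. Uses only POSIX tools (od, tr, test).

# Content type guessed from the first four bytes of a file.
content_type() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')   # e.g. "ffd8ffe0"
    case "$magic" in
        ffd8ff*)             echo image ;;       # JPEG start-of-image marker
        89504e47)            echo image ;;       # PNG signature
        47494638)            echo image ;;       # "GIF8"
        2321*)               echo script ;;      # "#!" shebang line
        feedface|cefaedfe)   echo executable ;;  # Mach-O, 32-bit
        feedfacf|cffaedfe)   echo executable ;;  # Mach-O, 64-bit
        cafebabe)            echo executable ;;  # Mach-O universal binary
        *)                   echo unknown ;;
    esac
}

# Type the file name claims, based only on its extension.
claimed_type() {
    case "$1" in
        *.jpg|*.jpeg|*.JPG|*.JPEG|*.png|*.gif) echo image ;;
        *.mov|*.mp4)                            echo movie ;;
        *.sh)                                   echo script ;;
        *)                                      echo unknown ;;
    esac
}

# Verdict for one file: "ok" or a one-line reason it looks suspicious.
check_safe_file() {
    f="$1"
    claimed=$(claimed_type "$f")
    actual=$(content_type "$f")
    if [ -x "$f" ] && [ "$claimed" != "script" ]; then
        echo "suspicious: executable bit set on $claimed file"
    elif [ "$claimed" != unknown ] && [ "$actual" != unknown ] \
         && [ "$claimed" != "$actual" ]; then
        echo "suspicious: name says $claimed, content is $actual"
    else
        echo ok
    fi
}

# Usage: sh check_safe_file.sh ~/Desktop/*.jpeg
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(check_safe_file "$f")"
done
```

A real JPEG passes, while a shell script named "photo.jpeg" is reported either for its executable bit or for the shebang in its first bytes, which is the same mismatch Get Info would reveal.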
 
fryke said:
And I think the more we gloat, the more envious people might become and start doing _just_ what you urged them to: To attack us with the real stuff. And we _don't_ want that. In my opinion.
I have to disagree. I think that we do want exactly that. Vulnerabilities are never fixed by any developer until someone exploits them. With the Mac OS not being open source, the code is not peer-reviewed, so exploits are the only way to expose what can happen with this or that hole.

In a perfect world, I'd completely agree with you. No one wants to wake up one morning and find that some exploited hole has wreaked havoc on their machine. Practically, however, this may need to happen here and there. This is not a perfect world, and the Mac will be targeted as it gains marketshare. Better to have people hitting it now, so it can be properly secured as each minor issue pops up. Then, as Apple moves forward with additional development, all the existing issues have been worked out and they only have to focus (at least in theory) on new problems that they write into the OS.
 
scruffy said:
Disabling "open safe files after download" saves you from one particular attack scenario - the single-step drive-by download and execution in Safari.

The Finder, Mail, perhaps a few other programs, will still present the file as a jpeg (or some sort of generally benign file type), so an email worm could still use this trick. You still can't trust a file that you receive in email, with a jpeg icon on it, and a name that ends in ".jpeg", to actually be a jpeg, and not do anything nasty when you open it. To verify what the file is, save it to the desktop, click it _once only_ and choose "get info" from the Finder's menus (I'm not writing this on a Mac, so I can't check which menu it's under. The keyboard shortcut is command-i). This will tell you what sort of file it is. If it doesn't say something like "jpeg image", get suspicious.

great safety tip. Just to add to it: for those of you who are still a little bit more insecure, there is hope. Simply rename the Terminal.app to something else and remove it from the utilities folder until things cool down a bit more.
 