Caution: Serious Flaw Found in MAC OS X
Moderator: Wiz Feinberg
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Caution: Serious Flaw Found in MAC OS X
Serious flaw on OS X (NEW)
<small>Published: 2006-02-21,
Last Updated: 2006-02-21 09:32:13 UTC by Kyle Haugsness
Source: http://isc.sans.org/diary.php?storyid=1138</small>
We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X. "In its default configuration shell commands are execute[d] simply by visiting a web site - no user interaction required." This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website.
Full text of the article: http://www.heise.de/english/newsticker/news/69862
Proof of concept from the original discoverer (Michael Lehn): http://www.mathematik.uni-ulm.de/~lehn/mac.html
The problem is due to a feature that is activated by default: Open Safe Files after downloading. A zip file is considered safe and so it will be opened automatically. Subsequently, a shell script with no #! at the beginning of the script will be executed automatically. No user interaction!
Recommended action: disable the option "Open 'safe' files after downloading" in the "General" preferences section in Safari.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here. </small>
-
Brad Sarno
- Posts: 4958
- Joined: 18 Dec 2000 1:01 am
- Location: St. Louis, MO USA
- State/Province: -
- Country: United States
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
update
A serious flaw in Mac OS X could be a conduit for attackers to install malicious code on computers running the Apple Computer software, experts warned Tuesday.
The security problem is the third to surface for the operating system in the past week. It exposes Mac users to risks that are more familiar to Windows users: Visiting a malicious Web site using Apple's Safari Web browser could result in a rootkit, a backdoor or other malicious software being installed on the computer without the user noticing anything, experts said.
"This could be really bad," the SANS Internet Storm Center, which tracks network threats, said Tuesday. "Attackers can run shell scripts on your computer remotely just by visiting a malicious Web site."
Apple is developing a patch for the flaw, a company representative told CNET News.com. "We're working on a fix so that this doesn't become something that could affect customers," the representative said, but could not give a delivery date for the update.
The issue may go beyond archive files, SANS said in updated notes on its Web site. "The attacker doesn't need to send a ZIP archive; the shell script itself can be disguised to practically anything," the note said.
The culprit appears to be the Mac OS Finder, the component of the operating system used to view and organize files, according to the SANS posting. A malicious file can be masked to look innocent--for example, like a JPEG image--yet it will run and execute when opened, SANS said.
This occurs because the operating system assigns an identifying image for the file based on the file extension, but decides which application will handle the file based on file permissions, SANS said. If the file has any executable bits set, it will be run using Terminal, the Unix command line prompt used in Mac OS X, SANS said.
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here. </small>
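The mismatch described in the posts above (a "safe" archive is opened automatically, the icon comes from the extension, the handler comes from the permission bits) can be checked for before an archive is unpacked. The following is an added example, not part of the original posts and not Apple's Download Validation; the function names, the extension list and the sample archive are constructed for illustration.

```python
import io
import stat
import zipfile

# Leading bytes expected for a few "safe" media extensions (illustrative subset).
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def suspicious_entries(zip_bytes):
    """Return [(name, reasons)] for entries that claim a media type but
    carry executable permissions or content that does not match the type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = "." + info.filename.rsplit(".", 1)[-1].lower()
            if info.is_dir() or ext not in MAGIC:
                continue
            reasons = []
            # Archives written on Unix-like systems keep st_mode in the
            # high 16 bits of external_attr; other creators leave it zero.
            mode = info.external_attr >> 16
            if mode & EXEC_BITS:
                reasons.append("executable bit set")
            with zf.open(info) as fh:
                head = fh.read(16)
            if not head.startswith(MAGIC[ext]):
                reasons.append("content does not match extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed sample: one entry with a JPEG header and mode 0644, one
    text file named .jpg with mode 0755 (harmless placeholder content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ok = zipfile.ZipInfo("holiday.jpg")
        ok.external_attr = (stat.S_IFREG | 0o644) << 16
        zf.writestr(ok, b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        bad = zipfile.ZipInfo("disguised.jpg")
        bad.external_attr = (stat.S_IFREG | 0o755) << 16
        zf.writestr(bad, b"placeholder text, not image data\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample()):
        print(name, "->", ", ".join(reasons))
```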
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Here is a link to a browser vulnerability test, on Secunia, where you can see if your Mac is susceptible to this attack vector.
http://secunia.com/mac_os_x_command_execution_vulnerability_test/
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here. </small>
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
Apple releases Security Update 2006-001 for Mac OS X
Apple today released Security Update 2006-001 which is recommended for
all users (Mac OS X 10.3.9, Mac OS X 10.4.5) and improves the security
of the following components:
• apache_mod_php
• automount
• Bom
• Directory Services
• iChat: A malicious application named Leap.A that attempts to
propagate using iChat has been detected. With this update for Mac OS X
v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download
Validation to warn of unknown or unsafe file types during file transfers.
• IPSec
• LaunchServices
• LibSystem
• loginwindow
• Mail: In Mac OS X v10.4 Tiger, when an email attachment is
double-clicked in Mail, Download Validation is used to warn the user
if the file type is not "safe". Certain techniques can be used to
disguise the file's type so that Download Validation is bypassed. This
update addresses the issue by presenting Download Validation with the
entire file, providing more information for Download Validation to
detect unknown or unsafe file types in attachments.
• rsync
• Safari: It is possible to construct a file which appears to be a
safe file type, such as an image or movie, but is actually an
application. When the "Open `safe' files after downloading" option is
enabled in Safari's General preferences, visiting a malicious web site
may result in the automatic download and execution of such a file. A
proof-of-concept has been detected on public web sites that
demonstrates the automatic execution of shell scripts. This update
addresses the issue by performing additional download validation so
that the user is warned (in Mac OS X v10.4.5) or the download is not
automatically opened (in Mac OS X v10.3.9). (More fixes in linked
article below.)
• Safari, LaunchServices: Impact: Viewing a malicious web site may
result in arbitrary code execution. Description: It is possible to
construct a file which appears to be a safe file type, such as an
image or movie, but is actually an application. When the "Open `safe'
files after downloading" option is enabled in Safari's General
preferences, visiting a malicious web site may result in the automatic
download and execution of such a file. A proof-of-concept has been
detected on public web sites that demonstrates the automatic execution
of shell scripts. This update addresses the issue by performing
additional download validation so that the user is warned (in Mac OS X
v10.4.5) or the download is not automatically opened (in Mac OS X
v10.3.9).
• Syndication
The Update is available via Software Update. Detailed information on
this Update here: http://docs.info.apple.com/article.html?artnum=303382
Note: For those who've moved their Terminal app out of
/Applications/Utilities, you can put it back now after updating.
For the Safari exploit, the safe online demonstration provided by
Heise Security that you can use to determine whether your system is
affected is included in the article here:
http://www.heise.de/english/newsticker/news/69862
(Updated systems will display a dialog stating: "'Heise.jpg' may
contain an application. The safety of this file cannot be determined.
Are you sure you want to download 'Heise.jpg'?" Users should simply
cancel the download).
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here. </small>
-
Wiz Feinberg
- Posts: 6117
- Joined: 8 Jan 1999 1:01 am
- Location: Mid-Michigan, USA
- State/Province: Michigan
- Country: United States
<h3>New Patch Released for Mac Vulnerabilities</h3>
<h4>Subject: Apple releases Security Update 2006-002 v1.1 for Mac OS X 10.4.5</h4>
Apple today released Security Update 2006-002 v1.1 which "improves security and reliability and is recommended for all users." Security Update 2006-002 v1.1's notes describe the same updated components as Security Update 2006-002: apache_mod_php, CoreTypes, LaunchServices, Mail, rsync, and Safari, but is now version 1.1. Additional information is not yet available and the update is not yet available via Software Update.
More info about and download link (13.9MB) for Security Update 2006-002 v1.1 Mac OS X 10.4.5 for PowerPC here:
More info about and download link (15.4MB) for Security Update 2006-002 v1.1 Mac OS X 10.4.5 for Intel here:
------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
<small>Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage.
Learn about current computer virus and security threats here. </small>
<font size="1" color="#8e236b"><p align="center">[This message was edited by Wiz Feinberg on 17 March 2006 at 12:16 PM.]</p></FONT>