On Monday, February 20, an "extremely critical" security
vulnerability in Mac OS X was reported, one which you and your users
should address immediately.

That vulnerability is confirmed in this Secunia advisory and in a
CERT note linked from it:

http://secunia.com/advisories/18963/

In brief, if a user running Apple's Safari web browser can be
induced - through specially crafted web page content, such as a page
refresh, or through social engineering - to download a ZIP archive
file, a script contained within that file can be automatically run in
the default shell, with the privileges of the current user, via the
Mac OS X Terminal application. Simply downloading the file in Safari
is sufficient for this to occur; no other manual user actions are
required.

What to do now
--------------
Until this vulnerability is addressed by Apple, you can protect
yourself by making a change to Safari's preferences: in the
Preferences window, in the "General" tab, turn OFF the 'Open "safe"
files after downloading' option, as shown in this screenshot:

http://www.us-cert.gov/reading_room/securing_browser/#sgeneral

That setting is enabled (i.e. turned on) by default, so it is
likely that many Mac OS X users may be at risk for this vulnerability
if they use Safari to browse the web. (That setting happened to be
enabled in my copy of Safari, for example.)

In addition, many campus Mac OS X users are likely to be working in
a user account with Admin privileges - which is the default for the
first account set up under Mac OS X - so any malware would run with
those privileges.

More about the vulnerability
----------------------------
This underlying vulnerability appears to be broader than just a
Safari issue, but this Safari exploitation scenario is by far the
greatest concern.

An excellent description of this issue for a general audience is:

http://www.macuser.com/security/when_safe_isnt_safe.php

And details are provided at:

http://www.heise.de/english/newsticker/news/69862
(regarding the immediate Safari vulnerability)

http://daringfireball.net/2006/02/safari_shell_script_exploit
and
http://www.unsanity.org/archives/000449.php
(regarding the underlying issues)

In general, this vulnerability appears to offer yet another
mechanism for someone to disguise the nature of a file under Mac OS X
- to make a script or other executable file look like a JPEG image,
QuickTime movie, or other innocuous file when viewed on the Desktop -
but then to have that file automatically execute malicious code when
opened. As John Gruber concludes in his Daring Fireball article,
above:

>It boils down to this: you can't safely double-click files from
>untrusted sources, and you never could. This is no different today
>on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.

Aron Roberts
Workstation Software Support Group

P.S. This issue appears to be based, in part, on the Launch Services
mechanism in Mac OS X. That mechanism was involved in another
serious vulnerability two years ago, in Spring 2004, as described in
this MAGNet posting from that time:

http://ls.berkeley.edu/mail/magnet/2004/0191.html

------------------------------------------------------------------------
The following was automatically added to this message by the
list server:

For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.
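
Added example (not part of the original message, and not code from Apple, Secunia or CERT): a Python check that a mail or download gateway could run over a ZIP archive to flag members whose name claims an image or document type while the content does not carry that type's file signature, the kind of disguise described under "More about the vulnerability". The signature table covers only a few common types, and the sample archive and its file names are constructed for illustration.

```python
import io
import os
import zipfile

# Leading bytes of the formats a file name may claim (standard file signatures).
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}

def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for members whose content contradicts their extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            signatures = MAGIC.get(ext)
            if signatures is None:
                continue  # extension not in the table: nothing to compare against
            with zf.open(info) as fh:
                head = fh.read(16)
            if any(head.startswith(sig) for sig in signatures):
                continue  # content matches what the name claims
            reason = "content does not match extension"
            if head.startswith(b"#!"):
                reason += "; starts with a script interpreter line"
            if (info.external_attr >> 16) & 0o111:  # Unix mode bits stored in the archive
                reason += "; executable bit set"
            findings.append((info.filename, reason))
    return findings

def build_sample() -> bytes:
    """Constructed test archive: one real JPEG header, one script named like a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        disguised = zipfile.ZipInfo("holiday.jpg")
        disguised.external_attr = 0o100755 << 16
        zf.writestr(disguised, b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()):
        print(f"{name}: {reason}")
```

A mismatch is reported whether or not the content begins with an interpreter line, since the name/content disagreement is itself the signal.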