Linked by Thom Holwerda on Tue 21st Feb 2006 17:59 UTC
Mac OS X "[Last week], we reported on a Trojan horse for Mac OS X that is just like the entry for Earth in the Hitchhiker's Guide to the Galaxy in that it is mostly harmless. A new vulnerability targeted at Apple's home-grown web browser, Safari, is another matter entirely. A German security firm appears to have been the first to discover the Safari flaw, which allows for shell scripts to be executed after clicking a link."
Order by: Score:
the real deal
by TomB7 on Tue 21st Feb 2006 18:18 UTC
TomB7
Member since:
2006-01-03

This sounds like the first confirmed SCARY vulnerability. I would urge people to go to www.macintouch.com or someplace to learn how to lock down your system against Safari exploit.


The silver lining of the three attacks this week, only one could infect non-stupid users. And to see only one serious exploit 5 years after the launch of OSX is a really good track record. It is a good opportunity to close up these holes while marketshare is 5% instead of a few years down the road when share could be much higher.

Reply Score: 3

Look below the surface
by elsewhere on Tue 21st Feb 2006 18:33 UTC
elsewhere
Member since:
2005-07-13

This will be dismissed as not being a serious flaw for those not running as admin, or having disabled the default setting for running safe items.

And on it's own, it's probably true. But if this were combined with one of those privilege escalation flaws that until now were dismissed as minor because they couldn't be executed remotely, it could be something bigger.

I'm not going to criticize OS X, but I will say don't take security for granted. Don't assume a false sense of security and brag about Apple's track record for security because, frankly, they've never been tested. The true test will be a combination of how many inherent vulnerabilities are found once people put their minds to finding them, and how quickly (and responsibly) Apple responds to them.

That earlier flaw with the widgets, now this, may be easily dismissed and fixed with simple settings changes etc., but that's not the point. Microsoft has learned some valuable lessons about the impact of default settings on security, among other things, and they're still wrestling with it. I would hope Apple (and *nix et al.) take this into account and don't learn the hard way as well. Assume the worst and account for it, don't bank on the common sense of your users.

Reply Score: 4

RE: Look below the surface
by Soulbender on Wed 22nd Feb 2006 05:20 UTC in reply to "Look below the surface"
Soulbender Member since:
2005-08-18

"This will be dismissed as not being a serious flaw for those not running as admin, or having disabled the default setting for running safe items. "

malware dont need root privs to participate in botnets/drone armies or to read your private data.

Reply Score: 1

Reality strikes back
by olivier on Tue 21st Feb 2006 18:52 UTC
olivier
Member since:
2005-07-06

I have been a Mac addict since my "switch" 2.5 years ago.
I did so at the time because XP was encumbered with security flaws (SP2 wasn't out yet) and I was frustrated with my Windows machine's reliability.
As good as teh honeymoon was, I am now thinking about switching back once again. I read a report a few weeks ago that there were actually more security alerts for OSX in 2005 than for XP in the same period.
I am getting tired of not being able to run all the cool new "free" apps (ala Google Earth -this was soved recently- Picasa + Games), not being able to sync flawlessly my PocketPC, not having access to all the latest media subscription services (Vongo, Yahoo Unlimited etc..) or even being able to have PMP choices (with a Mac it's pretty much iPod or nothing).

My XP machine in the office seems to have comparable uptimes, no more security threats (at the moment) and all the apps.
Did I mention my office PC cost a full 3rd less than the equivalent Mac config? And yes this is a high spec PC, not your average Beige box (it's a Dell Precision 470 Workstation with Dual-Xeons, Gigs of Ram, SATA, multi-monitors etc..).

I am tired of being part of the "resistance" now; MSFT has shappened up and is looking mighty attractive.

Is anybody like me thinking of switching back now that Macs have lost their comparative advantages (security, reliability), and MSFT is playing strong on it strnghts (compatibility, convergence, innovation)?

Reply Score: 5

RE: Reality strikes back
by el3ktro on Tue 21st Feb 2006 19:13 UTC in reply to "Reality strikes back"
el3ktro Member since:
2006-01-10

Definitely not. Well I'm on Linux (Ubuntu), not on Mac. But hell, you can't just count the security flaws in this OS, the security flas in this other OS and compare the raw numbers. You also have to take into account the TYPE of security flaw - and then it looks pretty bad for Windows. A security flaw that is not exploitable remotely is often pretty "useless" for hackers, at last on home PCs where YOU are usually the only one sitting in front of it.

About MP3 Players: All of them work with Macintosh, because they all act as a standard USB harddisk which ANY OS can read/write today. I always get frustrated when I go to a shop and all the MP3 players say that hey hav Win2k or WinXP as a "system requirement", making people think that it doesn't work on Mac or with Linux. This is just stupid.

Mac is still much more secure and stable than Windows, and I doubt this will change anytime soon. And please don't mention the words "MS" and "compatibility" in one sentence ...

Tom

Reply Score: 4

RE[2]: Reality strikes back
by MamiyaOtaru on Tue 21st Feb 2006 20:28 UTC in reply to "RE: Reality strikes back"
MamiyaOtaru Member since:
2005-11-11

About MP3 Players: All of them work with Macintosh, because they all act as a standard USB harddisk which ANY OS can read/write today.

That's hardly true anymore. Sony's players need Sony software (windows only). iRiver's newer players need Windows Media Player 10 (a surprise change that bit me when I bought one, to return it later). iPods need iTunes. Sure files can be copied to them with explorer/finder/konqueror/cp but those files can't then be played. Most players today need the songs to be loaded into a database by some proprietary software before being used.

Some of Samsung's players remain an exception, which is why I use them. That and .ogg support (I must be one of the few with any significant amount of songs in .ogg format, if the usual comments on that subject are to be believed). The box still says they need Media Player 10, but that is only for DRMd WMVs. (the iRiver player I had for a short period needed WiMP 10 for everything).

All of that is hardly a reason to avoid purchasing a Macintosh of course. iPods (by far the most popular) will of course work, as will Samsung's and some others. It's far from true though that all MP3 players will work with OSX (or Linux, which is why it concerns me).

Reply Score: 3

RE[3]: Reality strikes back
by el3ktro on Tue 21st Feb 2006 20:41 UTC in reply to "RE[2]: Reality strikes back"
el3ktro Member since:
2006-01-10

Well okay honestly I didn't know that. I know about the iRivers though, I saw a really cool one, but the guy at the shop told me it needs Windows XP (XP, not even 2k works!!). But I definitely avoid such crap, I mean damn, I want to use MY player everywhere I want. It happens that I go to a friend, he has a few good songs for my for my walk home and I want to copy them. With such players I first had to install some software on his computer - which is probably what this all is about, avoiding that you use your player too much in such a way. The number one MUST HAVE for an player for me is that it works as a standard USB drive, without ANY kind of extra software involved, and that it can play OGG files. So luckily, you found somebody who also has most of his music in OGG format - welcome to the club, we're at least two so far ;-)

Tom

Reply Score: 2

RE[3]: Reality strikes back
by Wintermute on Tue 21st Feb 2006 22:10 UTC in reply to "RE[2]: Reality strikes back"
Wintermute Member since:
2005-07-30

Just for interests sake, could you specify which iRivir player you purchased? I have a H340 and it doesn't need any software at all. I just copy all my oggs/mp3s onto the drive and everything is cool. I haven't tried this on Linux, but on OS X it works just fine. I do remember iRiver talking about using WiMP10, but I think that applies only for ppl who can't sync music collections manually (drag and drops).

Reply Score: 1

RE[2]: Reality strikes back
by SpasmaticSeacow on Tue 21st Feb 2006 20:35 UTC in reply to "RE: Reality strikes back"
SpasmaticSeacow Member since:
2006-02-17

About MP3 Players: All of them work with Macintosh, because they all act as a standard USB harddisk which ANY OS can read/write today.

... that's not correct. While it's true that many players function this way, it is incorrect to imply that they all do. For example, units like several of the iRiver models have firmware that implements its own protocol so that it can support the various radio and voice memo features. You can flash the firmware to turn it into a usb storage device, but at the expense of being able to operate the radio/presets/etc.

Reply Score: 1

v RE: Reality strikes back
by barkley on Tue 21st Feb 2006 20:01 UTC in reply to "Reality strikes back"
RE: Reality strikes back
by AquaRed on Tue 21st Feb 2006 22:14 UTC in reply to "Reality strikes back"
AquaRed Member since:
2006-02-21

"I have been a Mac addict since my "switch" 2.5 years ago.
I did so at the time because XP was encumbered with security flaws (SP2 wasn't out yet) and I was frustrated with my Windows machine's reliability.
As good as teh honeymoon was, I am now thinking about switching back once again. I read a report a few weeks ago that there were actually more security alerts for OSX in 2005 than for XP in the same period.
I am getting tired of not being able to run all the cool new "free" apps (ala Google Earth -this was soved recently- Picasa + Games), not being able to sync flawlessly my PocketPC, not having access to all the latest media subscription services (Vongo, Yahoo Unlimited etc..) or even being able to have PMP choices (with a Mac it's pretty much iPod or nothing).

My XP machine in the office seems to have comparable uptimes, no more security threats (at the moment) and all the apps.
Did I mention my office PC cost a full 3rd less than the equivalent Mac config? And yes this is a high spec PC, not your average Beige box (it's a Dell Precision 470 Workstation with Dual-Xeons, Gigs of Ram, SATA, multi-monitors etc..).

I am tired of being part of the "resistance" now; MSFT has shappened up and is looking mighty attractive.

Is anybody like me thinking of switching back now that Macs have lost their comparative advantages (security, reliability), and MSFT is playing strong on it strnghts (compatibility, convergence, innovation)?"




Are you sure you don't work for MS? Please a virus was bound to happen and the instant it appears then you want to just ship?

XP is still encumbered with security flaws. I think I get a critical update every freakin day!

Not being able to sync?!? Ummm is your pocketpc windows based os?

Ummm in regard to cost. I would like to see the receipt. I work at an institution that requires some serious computing power and if you got something at a 3rd the price then I am interested. The hardware is on par with pee cees and retain their value ALOT longer. Check ebay and such if you wanna see.

And I don't know anyone who would choose a computer to be part of a resistance because that is just plain dumb. Are you an ewok or something on Endor? Right tool for the job my friend.

Using the Microsoft stock name MSFT you must have some interest *cough* employee *cough* but anyway, by the time VISTA comes out OSX will have morphed into something that makes MS saying yeah that's what we wanted to do.

(compatibility, convergence, innovation)? Wow you picked all the right buzzwords!!!

XP still reeks....as much as your poor attempt at pr.

Sorry didn't bite.

Edited 2006-02-21 22:21

Reply Score: 2

RE[2]: Reality strikes back
by sappyvcv on Tue 21st Feb 2006 22:58 UTC in reply to "RE: Reality strikes back"
sappyvcv Member since:
2005-07-06

Are you sure you don't work for Apple??

Reply Score: 1

RE[2]: Reality strikes back
by olivier on Tue 21st Feb 2006 23:00 UTC in reply to "RE: Reality strikes back"
olivier Member since:
2005-07-06

Wow, didn't think my post would attract so much enthusiasm.
Anyway, I do not work for Microsoft, I work for a financial institution (hence the MSFT ticker), but that isn't relevant to my point.
I said the office machine was a 3rd "less" ; i.e. 2/3rds of the Mac price, i.e. a ~30% discount. But price is not really my concern.

As I personally don't deal with Windows security updates anymore (at home I have a Mac, and at the office patches are deployed by desktop support, I never get involved). It just seems from an outsider's point of view that windows seems to be getting lesser press these days with regards to security threats. Regardless of the severity of the faults on the Mac, it seems that this is a breach in the "security hull", and the Mac with its recent gain in popularity (although still minimal at this point) is already facing some teething issues. But you may be right and I may be overreacting to these new types of Mac threats.

What is definitely more objective i the Mac's lack of integration and compatibility when compared to XP. Yes my PocketPc runs windows mobile (don't they all? Only Palms runs ... Palm!).

My "resistance" was more of a nudge than anything else, although I do not appreciate having one company rule it all. And yes you are right utility guides my choice of a system before anything else; in my case Virus free, reliable machine with the software I care for.

I may have depected a too dim picture of my mac experience, most surely due to the "neighbours greener grass" syndrome, but I wanted to give an honest feedback of my experience, and yes as crazy as it may soun owning a Mac restricts my computer joe experience as I cannot run everything (yes virus included :-), and I cannot buy anything for my Mac, I am tied in because of the lac of support. And in this specific case Windows does give me more choice as a consumer, hence my remarks.

Didn't mean to offend anyone really, I was just looking for others to share their experience with me and see if anybody else had the same thoughts as I did.

Feel free to contribute some more.

Reply Score: 4

RE[3]: Reality strikes back
by evangs on Wed 22nd Feb 2006 08:40 UTC in reply to "RE[2]: Reality strikes back"
evangs Member since:
2005-07-07

It just seems from an outsider's point of view that windows seems to be getting lesser press these days with regards to security threats.

You do realize it's far more exciting to report about a Mac OS X flaw than it is to report on a Windows flaw? For years we've been hearing about Windows security flaws, reporting on it regularly is like saying it rains in Blackpool. Contrast that with security flaws on OS X, which has always been touted as being superior to Windows XP.

Tell ya what, why not get a PC and use XP for a while. You'll see how the grass isn't really greener on the other side.

Reply Score: 3

Second new worm for MAC
by rakamaka on Tue 21st Feb 2006 18:53 UTC
rakamaka
Member since:
2005-08-12

I am computer literate and I use debian pure with everything configured myself.
----------------------------
http://news.yahoo.com/s/nm/20060221/tc_nm/apple_worm_dc
Welcome to the land of worms, so far owned by MS.
It just boosts hackers confidence that MAC can be broken and pulls hair of MAC/Linux devs thinking what will happen when market share rises to 90%?
Don't give me past security performance of OSS, any kid can write #rm -rf / script virus and destroy your system.
is there any easy to use good data synchronizing program for OSS?
----------------------------
SAN FRANCISCO (Reuters) - A new computer worm targeting Apple Computer Inc.'s (Nasdaq:AAPL - news)
Macintosh computers has been identified for the second time in one week, security experts said.
ADVERTISEMENT


The new worm, called OSX.Inqtana.A, spreads through a vulnerability in Apple's
OS X operating system via Bluetooth wireless connections, antivirus company Symantec said.

"We have speculated that attackers would turn their attention to other platforms, and two back-to-back examples of malicious code targeting Macintosh OS X ... illustrate this emerging trend," said Vincent Weafer, senior director at Symantec Security Response.

The latest virus follows OSX/Leap-A, which was identified last week and believed to be the first such virus targeting the Mac platform. That worm attempts to spread via Apple's iChat instant messaging program, which is compatible with America Online's popular AIM instant messaging program.

Symantec said the latest worm attempts to use Bluetooth connections to spread by searching for other Bluetooth-using devices that will accept requests for a connection when the computer is restarted.

Bluetooth is a wireless technology used to transmit data among devices at short distances.

The worm spreads via a vulnerability in the OS X operating system called the Apple Mac OS X BlueTooth Directory Traversal Vulnerability.

If a Bluetooth connection is made, the worm attempts to send itself to those remote computers. However, the worm itself does not appear to pose an immediate threat.

"While this particular worm is not fully functional, the source code could be easily modified by a future attacker to do damage," Weafer said, adding that Mac users should install available software patches to their operating systems to prevent such attacks.

The latest worm was identified on Friday. Both worms are ranked a Level 1 threat on a scale of 1 to 5, with 5 being the most severe, Symantec said.

Reply Score: 3

RE: Second new worm for MAC
by el3ktro on Tue 21st Feb 2006 19:15 UTC in reply to "Second new worm for MAC"
el3ktro Member since:
2006-01-10

Well the thing is that this "rm -rf /" script wouldn't do anything on my system. I could run it here, right now, it would fail horribly.

Tom

Reply Score: 1

RE[2]: Second new worm for MAC
by ColdZero on Tue 21st Feb 2006 19:35 UTC in reply to "RE: Second new worm for MAC"
ColdZero Member since:
2006-02-21

I'm going to guess not many people care about rm -rf / but would be more concered with rf -rf ~/ which would be far more devestating than having to do a reinstall. Oh and it doesn't require any authentication.

Reply Score: 4

RE[3]: Second new worm for MAC
by el3ktro on Tue 21st Feb 2006 20:00 UTC in reply to "RE[2]: Second new worm for MAC"
el3ktro Member since:
2006-01-10

I agree, but this is not at all a Linux problem, you can do the same in Windows. Against such attacks the only things that really help are regular backups, a thing which many people don't do, well I do it daily, and it really makes me sleep better.

Tom

Reply Score: 1

RE[4]: Second new worm for MAC
by kmarius on Wed 22nd Feb 2006 07:48 UTC in reply to "RE[3]: Second new worm for MAC"
kmarius Member since:
2005-06-30

There are two problems when trojans are allowed to execute.

1. Deleting all your personal files

2. Using your computer as a part of a zombie-network, attacking computers and sending spams.

The solution to the first problem, is good backup software. But the second problem is much harder to fix.

Edited 2006-02-22 07:48

Reply Score: 1

RE[3]: Second new worm for MAC
by mallard on Tue 21st Feb 2006 21:31 UTC in reply to "RE[2]: Second new worm for MAC"
mallard Member since:
2006-01-06

Bah, we could all put a dummy rm binary that always asks for confirmation in ~/bin... That would stop them.
</sarcasm>

Reply Score: 3

v This "flaw"
by psschroe on Tue 21st Feb 2006 19:10 UTC
meta refresh tag
by ApproachingZero on Tue 21st Feb 2006 19:55 UTC
ApproachingZero
Member since:
2005-11-10

You can use the meta refresh tag to automatically download a file to a user's machine if they're using Safari. Combine that with this vulnerability, and all the user has to do is visit a web page in order for shell scripts to be executed on his/her system.

Switch to Camino, folks.

Reply Score: 2

RE: meta refresh tag
by PowerMacX on Wed 22nd Feb 2006 10:31 UTC in reply to "meta refresh tag"
PowerMacX Member since:
2005-11-06

Just disabling the "Open safe files" setting in Safari would be enough. Nonetheless, Camino (now at 1.0!) is indeed very nice.

Reply Score: 1

rm -rf ~/ can be devastating...
by rakamaka on Tue 21st Feb 2006 20:13 UTC
rakamaka
Member since:
2005-08-12

I agree, but this is not at all a Linux problem, you can do the same in Windows. Against such attacks the only things that really help are regular backups, a thing which many people don't do, well I do it daily, and it really makes me sleep better.

--------------------------------
Which command do you use to delete c:/windows without any recovery action?? at least i don't know any...
rm -rf ~/ still remains vulnerable and it proves linux security may be as shallow as MS.
thats why i asked, is there any on the fly good backup/synchronize program in linux for average joe??

Reply Score: 0

RE: rm -rf ~/ can be devastating...
by ormandj on Tue 21st Feb 2006 20:37 UTC in reply to "rm -rf ~/ can be devastating..."
ormandj Member since:
2005-10-09

rmdir C: /s /q

Goodbye C: drive and all subdirectories. You might not "know" any ways of doing things via the command line in windows, that doesn't mean they do not exist. rm -rf ~/ isn't a security vulnerability, it's a feature. If you're too stupid to have backups of important files, and too ignorant to run under a non-privlidged user account, then you deserve losing everything. Maybe it'd teach you a lesson and you'd learn to keep backups and not run as administrator.

As to "on the fly" "good" backup/sync programs, yes. "rsync" is probably what you're looking for. "man rsync".

Reply Score: 5

Ben2040 Member since:
2005-06-29

rm -rf ~/ isn't a security vulnerability, it's a feature. If you're too stupid to have backups of important files, and too ignorant to run under a non-privlidged user account, then you deserve losing everything.

lol! Why the hell would anyone stupid enough to type this even have a command line open?!?! Same for the Windows "flaw"....

Reply Score: 1

ormandj Member since:
2005-10-09

"lol! Why the hell would anyone stupid enough to type this even have a command line open?!?! Same for the Windows "flaw"...."

They don't have to type it, and they don't have to have the command line open. A simple shell script disguised as a jpeg would do the job. ;) That's the issue at hand and discussed in the article.

The problem isn't people are so stupid as to type in commands they don't understand into a terminal, the issue is they will click on *random file name* from *random source*. Oh, and all the grandmas and 16 y/os who forward every little thing they get to hundreds of their friends. (Kidding about the grandmas and 16 y/os, although my grandmother has this habit. ;) ) I did finally get her to stop downloading "reallycoolcheckitout.exe" from random spam mail and sending it to her entire mailing list of contacts. I suspect her entire church is full of spyware laden machines by now. ;)

Reply Score: 2

RE: rm -rf ~/ can be devastating...
by Emil on Tue 21st Feb 2006 22:21 UTC in reply to "rm -rf ~/ can be devastating..."
Emil Member since:
2005-06-29

sudo -s
cp /bin/rm /bin/rm_org
vi /bin/rm (write a scipt that runs rm with -i)
chmod a+r /bin/rm

You're secure now. Try that on not-UNIX box.

Reply Score: 4

raver31 Member since:
2005-07-06

Almost, it should read..........

sudo -s
cp /bin/rm /bin/rm_org
vi /bin/rm (write a scipt that says ECHO "Aye, Right, sure I will, Dickhead")
chmod a+r /bin/rm

You're secure now. Try that on not-UNIX box.

:)

Reply Score: 1

Emil Member since:
2005-06-29

TBH, we both have missed +x flag. :-D

Reply Score: 1

ormandj Member since:
2005-10-09

As superuser (sudo/su root, whatever you prefer):

cp /bin/rm /bin/rm_org;echo "echo '"Aye, Right, sure I will, Dickhead"'">/bin/rm;echo "rm -i">>/bin/rm;chmod a+rx /bin/rm

Er, yea..ok. ;)

Reply Score: 1

ormandj Member since:
2005-10-09

Oops, should be:

cp /bin/rm /bin/rm_org;echo "echo '"Aye, Right, sure I will, Dickhead"'">/bin/rm;echo "/bin/rm_org -i">>/bin/rm;chmod a+rx /bin/rm

Reply Score: 1

stew Member since:
2005-07-06

Renaming "rm" is just false security. There are a dozen other ways how a script can destroy your data without invoking rm.

Reply Score: 1

abraxas Member since:
2005-07-07

You don't have to go to that kind of trouble. Just alias "rm" to "rm -i". Also it's difficult to run a script like that disguised as a jpg or something to that effect because it is not executable. If you can't open a picture because it is not executable you know there is a problem and joe user would have a tough time trying to figure out how to make it executable.

Edited 2006-02-22 05:33

Reply Score: 1

Emil Member since:
2005-06-29

Just alias "rm" to "rm -i".

What if scipt will run outsite your normal shell session? Where aliases are not defined? Hacking a bash script under /bin/rm will prevent from abuse anytime.

Reply Score: 1

abraxas Member since:
2005-07-07

True, but in reality there is little to worry about because as I stated before the file will NOT be executable. It's ignorant to think that A. "rm -rf /" is a virus and B. that it is at all a danger to Linux/Unix boxes. Windows is more prone to a "virus" like that than Linux is.

Reply Score: 1

Quick Fix
by mdsama on Tue 21st Feb 2006 20:43 UTC
mdsama
Member since:
2005-07-08

I checked out macintouch.com and the quickest fix to this vulnerability is to move Terminal.app from /Applications/Utilities/ . I moved mine to /Applications/ and the demo script no longer executes in the terminal but tries to load (and fails) in Preview.app.

(Not saying the vulnerability isn't a real problem etc, just a heads up -- seems to me this is probably a good thing to do if you are to continue using Safari)

Edited 2006-02-21 20:44

Reply Score: 1

RE: Quick Fix
by ormandj on Tue 21st Feb 2006 20:56 UTC in reply to "Quick Fix"
ormandj Member since:
2005-10-09

That really doesn't "fix" the vulnerability. It just means the author has to change the shell script a bit to point to the right path. The fix is disable opening "safe" files after downloading (temporary) and then Apple rolling out something to make executables easily found. This means changing pardigrams for file information, and not relying on the file creator's "word" so to speak.

Reply Score: 1

RE[2]: Quick Fix
by mdsama on Tue 21st Feb 2006 21:09 UTC in reply to "RE: Quick Fix"
mdsama Member since:
2005-07-08

You're right it's not a "fix" but I'm assuming each script can only refer to one path for the app, and I'm also assuming a trojan would be set to refer to the default path, so it seems like a good idea for the time being to me, until a real fix, as you say, is rolled out.

Reply Score: 1

RE[3]: Quick Fix
by ormandj on Tue 21st Feb 2006 21:16 UTC in reply to "RE[2]: Quick Fix"
ormandj Member since:
2005-10-09

Just disable "open safe files after downloading" or whatever that option is. That's a much better alternative, because it doesn't matter if the trojan writers change the paths, it still won't execute unless you run it yourself. You should consider selling your PC if you double click images that randomly download off sites you don't know. ;)

Reply Score: 1

This IS serious for John Doe
by Tobbe on Tue 21st Feb 2006 21:20 UTC
Tobbe
Member since:
2005-07-06

This is not just a Safari flaw though - we're still dealing with the error in the file description meta data parsing, making it possible to create zip files with seemingly harmless files (images, mp3, whatever). When unpacked and clicked on they can execute shell scripts.

Sure, in Safari with the default settings (as in "Automatically open safe files" enabled) these scripts can be triggered automatically - but downloading a zip with say Firefox and then unpacking it and clicking the files is just as dangerous. It's probably safe to assume that most people who download zip files have the intention of unpacking and using the contents sometime.

Imagine the damage a simple "rm -rf ~" will do for John Doe. Sure, the system files stay intact - but most people don't backup their files (like most of my colleagues). Most people expect an image to show when they click a file with the image icon. If they would've written "rm -rf ~" manually, or thrown all the files in the trashcan, or even clicked a shellscript to do it for them I'd say they had it coming and they should've RTFM:ed.

Double-clicking a JPEG should be safe - as of now it really isn't unless you're 100% sure the zip file comes from a reliable source.

Reply Score: 1

RE: This IS serious for John Doe
by mallard on Tue 21st Feb 2006 21:43 UTC in reply to "This IS serious for John Doe "
mallard Member since:
2006-01-06

You could make sure that you always right-click/ctrl-click and "Open with >" any files you download from the internet. That will make sure that they are not .zips in disguise.

Also I believe that the "runs straight from .zip" vulnerability only affects Apples unzip utility, so if you use Stuffit Expander, you should be safe(r).

Reply Score: 1

RE: This IS serious for John Doe
by ormandj on Tue 21st Feb 2006 22:39 UTC in reply to "This IS serious for John Doe "
ormandj Member since:
2005-10-09

"Sure, in Safari with the default settings (as in "Automatically open safe files" enabled) these scripts can be triggered automatically - but downloading a zip with say Firefox and then unpacking it and clicking the files is just as dangerous. It's probably safe to assume that most people who download zip files have the intention of unpacking and using the contents sometime. "

While I completely agree about the issue at hand, and the true fix from Apple (see my above posts), again - I'd like to re-iterate, any user who is getting downloads from a source they do not trust, and just opening them up, is asking for trouble. I don't care what kind of security Apple puts in their OS, even if they fix the filetype issues, it won't help.

It's the same thing that plagues Windows. Often, it really isn't MS's fault. Yes, windows is prone to spyware/virus infections due to most people running as administrator level. Yes, there are other issues at hand. The point is, no matter what MS does in Windows, and no matter what Apple does in OSX, the true issue is users who are NOT educated enough (read: ignorant) in computer operation, and have a form of turrets syndrome known as "click on anything that says click on me or has a pretty icon".

No amount of safeguarding is going to stop this. I've seen infected Windows machines full of spyware, and upon examining the source/cause (in order to prevent the infection from happening again) I discover emails with random garbage text to bypass spam filters (they make no sense), headings that say hello to *insert random name here*, and email addresses like lksjddlfkj@ldkjfle.com. In those emails is often an attachment. Strangely enough, on the last computer I "fixed" that was full of this crap, the email I found had a file named "infectmypcnow.exe" attached. After talking to the user about it, they admitted to having now only downloaded the file, but then double clicked it to run.

Apple very well *should* fix this content type issue (read my above posts, as I describe the basis for this assertion) but at the same time, it really isn't going to stop this kind of thing. You can send a good majority of people running OSX/Windows a file in an email from a random address with non-sensical text, that contains a random name (not the actual user's) and a file called "deleteveryfileonmycomputerandmakeitblowupinsmokeandburndownmyhouse.ex e" (or marked as an application on OSX) and they are STILL going to download and run it. Take it as you may, but user education and good admins who force user backups on a schedule, are the only solution.

Sorry to be a pessamist and make out most users to be ignorant, but it's true. I don't totally blame them, I blame the lack of good sysadmins/support techs. I think we should mandate courses on basic computer operation before selling a single person a computer! (Won't happen, lol). Probably even if we did, people would still run these files. Oh well.

PS - I'm not defending Apple, this is a flaw, and they should fix it. I'm just pointing out this really won't solve the problem, by any means.

Reply Score: 2

Not entirely uncritical
by ma_d on Tue 21st Feb 2006 21:44 UTC
ma_d
Member since:
2005-06-29

It's often considered that user problems are no big deal. However, all it'd have to do is attach some form of monitoring program into a startup file (say ~/.bashrc or the like). Then you'd have Mac spyware. Spyware, unlike most virii, doesn't want admin access (unless it needs it for what it really wants).

Anyway, I imagine Ars is right, this should be an easy fix, and I'd say demand it by Friday, absolutely no later.

Reply Score: 1

Every OS
by Finchwizard on Tue 21st Feb 2006 22:45 UTC
Finchwizard
Member since:
2006-02-01

Every OS will have flaws, it's part of life.

Now, the big challenge is how the company, in this case Apple respond to the problem, and release a patch of fix, and how easily the patch is applied.

That's what it comes down to in the end.

And this is where Microsoft falls behind, it's not because of their flaws, it's because of their average patch time is around 130 days. And they refuse to release a patch earlier than the normal allotted patch dates.

Reply Score: 2

RE[2]: Reality strikes back
by Matt24 on Tue 21st Feb 2006 23:45 UTC
Matt24
Member since:
2005-07-23

We can have strange different opinions concernings OS's. After my switch I had to find equivelant apps for OSX which was no problem at all, all applications had far better alternatives, never looked back. Windows is def. out of the question. The only area where Windows rules concerning apps ( for how long? ) are games. The last reason someone should not switch to OSX are apps!

Reply Score: 2

They can do me
by Yamin on Wed 22nd Feb 2006 00:02 UTC
Yamin
Member since:
2006-01-10

There is much more the OSs can do. Even for 'stupid' batch/script files that try to delete the whole system. Even if the system itself is not compromised, but the users documents, that's damage enough. A reinstall is easy...redoing hundreds documents and photos is impossible.

A very basic example is MS anti-spyware. By default, it prompts you if a batch file is trying to run. So if a user clicking a picture, which somehow runs a script, it traps it and asks the user what to do. Now, the user might just be an idiot again and click OK, but they might clue in a bit and say...hmmm...this shouldn't happen, it should just show the picture like it normally does, and they click deny.

The OSs can add this kind of monitoring ability and some kind of heuristic to trap 'dangerous' actions or 'illegitimate' network traffic. It won't be perfect, but it will help a lot.

Yes, users need to improve their education, but the OSs can still do a lot more to make life easier.

Reply Score: 1