An Apple Computer patch released last week doesn’t completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said. The update added a function called ‘download validation’ to the Safari Web browser, Apple Mail client and iChat instant messaging tool. “While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability,” said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. “If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script.”


“Idiot computer users manage to break, infect and disable their machines despite manufacturers best efforts.”
seriously, you deserve it if you download something and are told that it’s a program then still open it thinking it’s a picture (or movie, whatever) then are told that this application is being run for the first time, click OK and get screwed.
Yes but the problem is that if the file arrived by some other means, it would still appear to be a real picture or movie file. However, the real solution to the problem would actually be very easy for Apple to implement:
At present if you open a document that will launch an application for the first time, OS X warns you that “you are about to run application XXX for the first time. Are you sure you want to?”
This is because Launch Services has been told to open the file, and before doing so it performs a quick check.
So, all Apple has to do is extend Launch Services. Whenever the user opens an application, Launch Services should perform a quick check to see if the app has been run before. If it hasn’t then it can provide a nice dialog with words to the effect of:
The application you just launched has never been run before. If you think you are actually opening something that isn’t an application, then it is highly likely it is malicious. Are you sure you want to run it?
There we go, simple as that
Unfortunately, it’s not that simple. A shell script is not considered an application but a text document that happens to be associated with Terminal.app.
The flaw in the system is not something technical but on the usability side – the user is being tricked into thinking that a certain file is an image, where in fact it’s a script. That’s a conceptual problem that Apple can’t simply address in a small bugfix. What is needed is a way to show the actual file type (which is not necessarily the file name suffix) to the user, and as it stands right now, the only way of doing this in the Finder is to explicitly open the “Get Info…” window.
Edited 2006-03-07 18:56
I don’t use OS X, but since it’s BSD-based, does it rely on the executable bit being set before launching a file as an app or a script?
If it’s a data file, like an image or a movie, it can launch the helper app as expected, but if it’s a script, shouldn’t the terminal app be verifying it’s executable? I’m sure most users wouldn’t want to have to deal with chmod, but could a simplified method be implemented that would require users to explicitly indicate a downloaded or transferred file should be executable? Done properly, I don’t see that it would really impact usability.
I dunno, maybe I’m talking through my hat. Like I said, I’m not familiar with OS X in daily use, so it’s just a thought as much as a question.
It’s a bit funny that GNOME got this right before Apple:
first, when launching a file it checks for the “real” file type using libmagic, and warns you if the extension and content do not match.
and second: a shell script is NOT executable until you set the +x bit yourself!
Fair enough. But in which case, surely shell scripts are the terminal’s responsibility to handle securely then?
There we go, simple as that
I want a real fix for this problem, not another “are you really really sure?” dialog box. The “are you sure you want to do this?” dialog box has been the standard security method in IE since its birth and look how well that worked.
The reason this has been a problem in Internet Explorer is more due to the disconnection for the average user between the message and what they are doing. In this particular instance, it would be a lot clearer to the user just what is going on.
This is exactly the problem.
If Mac OS X only identified file types with libmagic instead of file extensions and somehow made it obvious on any icon that that file is executable then these vulnerabilities would not occur.
I have a bad feeling though that this issue won’t properly be addressed until 10.5 when Finder will (hopefully) be given a makeover.
You can give a .exe a file icon on Windows and nobody classes that as a vulnerability, why is the same thing called a vulnerability on OS X?
I once gave a .exe file the correct icon and metadata to make it look like a Word document. (it was a joke “virus” written in VB, I don’t write “real” malware)
> You can give a .exe a file icon on Windows and nobody classes that as a vulnerability, why is the same thing called a vulnerability on OS X?
And now rename your jokevirus.exe to jokevirus.jpg. Double click it. That’s the difference.
>> You can give a .exe a file icon on Windows and nobody classes that as a vulnerability, why is the same thing called a vulnerability on OS X?
>And now rename your jokevirus.exe to jokevirus.jpg. Double click it. That’s the difference.
Both systems hide the file extension by default.
In Windows, it is possible to spoof the metadata that is shown in tile view (but not the properties box or details pane).
If you right click in Windows, you get “Open” as the default action, just like with a real document. If you right-click/ctrl-click in OS X, you get “Open with SomeApp” or “Execute”, so you can tell quite easily.
Therefore, the threat level seems about the same for each OS.
_Therefore, the threat level seems about the same for each OS._
Yes, each is equally bad. Whoever at MS decided that hiding file extensions by default (actually even allowing them to be hidden at all) was a good thing deserves nothing less than a smack across the head with a very thick clue stick.
What difference does it make if the file extension is visible if you don’t know the meaning of the extension in the first place?
My grandmother shouldn’t have to worry that an EXE is disguised as a JPG, nor should she have to know what an EXE or JPG is in order to safely use a computer.
This whole idea that the user should know the difference is ignorant and unfounded.
“This whole idea that the user should know the difference is ignorant and unfounded.”
Where did the idea come from that users should expect to use a computer safely and securely, with 0% chance of risk to their computer or their data, without actually having an understanding of how their computer works?
That, to me, seems unfounded.
without actually having an understanding of how their computer works?
How much of an understanding of how your car works do you have?
Yet … so many safely drive without understanding how a 4 stroke internal combustion engine works and/or the planetary gear systems in their auto trans.
—
So, back on to the whole file names and extensions. Not only does the user have to recognize an alphabet soup of extensions, which may or may not give hints about what the file does, they then have to start learning that some of these arcane differences restrict what can be done to the file.
For example
My husband is handed a file called paper.doc.
His old version of Word can’t open it.
So I do a rename of the file to paper.rtf or paper.txt and bingo, it works.
So now I am in the position of explaining to him why renaming IE6.exe to IE6.app won’t let the program open on his mac. Or why changing the .doc on a word file to .pdf doesn’t turn it into something Adobe reader wants to open and play nice with.
And he’s still puzzled about why sometimes it works for some letters and not for others. Because to him (and thousands of others), a .doc .rtf .xls file is the program. That is, they don’t understand that there’s a huge difference between something called opera.exe and opera.html
‘Cause they’re both computer files, right?
I have to explain, at least twice a week, to college students and sometimes even to PhDs who are internationally renowned in their fields that while all programs are files, not all files are programs.
And you’d be amazed at the blank looks on faces.
While not many people understand how an engine or automatic transmission work, people know enough about operating their car that they won’t use both the brake and gas at the same time, not to swerve wildly around, and not to pop their tranny into reverse when doing 60 down the street.
The same applies to computers. They might not necessarily understand the concept of file extensions and file type associations, but they should better damned understand that double-clicking files attached to email messages from people they don’t know is dangerous for their computer, just like doing the above is dangerous for them/the car.
but they should better damned understand that double-clicking files attached to email messages from people they don’t know is dangerous for their computer
So what do they do when the file comes from somebody they do know?
I have friends that send me unsolicited attached files all the time.
I write for a webzine and as part of getting issues ready for publication we post file attachments to a central list. It’s not uncommon for others on said list to “preview” what’s going to be in the next issue and take a look at those files.
Or, to get more specific, say you’re the Art Director of said ‘zine and one of your staffers has sent you an email saying that pictures are forthcoming and lo and behold, she sends you an email with some attached pictures.
Unbeknownst to you, the pictures are really malware sent by her infected computer and have just been sent to everyone in her address book.
Unless the message and subject line autogenerated by the malware was something that would raise the AD’s red flag, it’s entirely likely that she’d go right ahead and click on said “pictures” if the Subject Line was something like “here’s those pictures I told you about” and the files had generic enough names that she could reasonably assume they’re the ones she’s expecting.
What then?
While (what ought to be) common sense is a great first line defense against many an attack, under the right circumstances it can fail utterly.
Which is why it is important for Apple (or any OS vendor/distributor) to get on top of vulnerabilities and patch them quickly.
I have friends that send me unsolicited attached files all the time.
And people who do that to me find that their email is automatically deleted; if you want to send me something, give me a heads up before sending it.
Whether they should know or not, many people don’t…
In the case of the car, there is at least a driving test, which somewhat ensures they know the basics. But you don’t need to pass any test to run a computer. On the contrary, computers are sold with the illusion that anyone can use them. Maybe they should have a tutorial at the beginning of the first use that tells the user all of this.
Because to him (and thousands of others), a .doc .rtf .xls file is the program. That is, they don’t understand that there’s a huge difference between something called opera.exe and opera.html
That’s true and quite common among users. On my file manager, the default action on double clicking a file is to pop up a dialog, asking the user whether to execute the file (if possible) or to open it with a registered application. Users are generally a bit hesitant when faced with the dialog, but it gives a basic understanding of what “opening” a file involves.
I feel that a system which allows users to develop a basic understanding of its working is more reliable than something which completely abstracts its working. I am not talking about forcing the user to understand the complex implementation behind a process (i.e. filename to mimetype matching, mimetype handling and so on), but just some logical interpretation of the system. It helps avoid the occasional problem (like this one) that users are bound to face.
…has two choices: 1) learn what file extensions are, or 2) use an OS which limits flexibility in order to protect users from themselves. 2 is obviously the better solution for most users, which is why I would recommend it. In this case it would mean that any icon representing any file associated with the shell should have some kind of clear indication of that fact (like a big ugly terminal badge). Further, any executable file needs to have a similar badge on it which will clearly indicate to the user that clicking on it will launch an executable rather than opening the file in another program.
This whole idea that the user should know the difference is ignorant and unfounded.
No. The idea that a computer should be usable with no instruction whatsoever is ignorant and unfounded and is further the cause of many desktop security problems. It’s a tool, and if you can’t be arsed to learn how to use it, just as we are expected to know how to use most tools, then you shouldn’t be using it at all.
According to your logic, all car manufacturers should cut out all the trees growing nearby the roads because the user (driver) shouldn’t have to know that when he hits it he’ll die…
The purpose of the OS is to make it possible to easily interact with the hardware and software, but not think for the user.
I am having the perhaps ungenerous thought that while Apple is an interesting company, and OSX an interesting operating system, one can finally have too many stories in too much detail on even the most interesting of subjects….
This vulnerability is serious, very serious. It is not just a problem for “dumb users”. Kudos to Apple for getting a fix out quickly which closes off the worst attack vector (simply clicking on a link in Safari will no longer pass along arbitrary data to the shell interpreter), but the underlying cause of the problem still remains.
The real problem is related to the Mac behavior which allows for a file association to be set on an individual file that then overrides the global file association settings. In order for a user to behave intelligently, the OS must first behave consistently and, while per file associations can be useful on an individual computer, I do not believe there is any feasible way to make this kind of behavior secure in the context of a public network. In order to be a well-behaved user I must be able to count on the OS doing the exact same thing every time in response to the same action. If I launch an “image file”–whether it is a real image file or a fake should be irrelevant here–it should invoke the default image viewer. Per file associations can be secure so long as they hold only within the context of a single machine, but tying that unique association to the file itself (actually the hidden resource directory) is an inherently insecure practice which will continue to result in security problems.
Perhaps there is a compromise position between allowing per file associations and not allowing them at all. Certain programs (eg., the shell, the apple script interpreter, etc…) could be excluded from the list of executables which the OS allows to be associated with an individual file. That way you could still set an individual html file to open in an editor rather than in the default browser, but nothing could be associated with shell except as set in the global file associations. Still not very secure behavior, but better.
And what do you propose as the alternative? I do not want to have to put a file extension on every one of my files and be restricted to that. For instance, I have many PDFs that have to be opened in Adobe Reader due to form data being present. Most other PDFs I want to open in Preview because it’s faster. I fail to see how I can accomplish this without per-file associations. The same is true for many other document types.
I understand your suggestion but I don’t think it would solve the whole problem. As long as I can have a file called “abc.jpg” be a shell script or an app, there is the potential for mischief. Should Apple disallow the use of periods in file names of apps and shell scripts? Then we would just see “abc,jpg” and have essentially the same problem. Apple could force apps and scripts to have a certain extension, but that’s quite a major undertaking (particularly on the script side).
There are no easy answers. If you want to call this a vulnerability, that’s fine. It’s probably not fair to call the OS flawed because of this, though. That’s like saying my house is flawed because it’s vulnerable to small arms fire. At some point, tradeoffs have to be made.
I really think the best option is to limit the per file association to the computer where it was set. Thus if a file were to be sent by email, zipped, transferred to a shared network drive, or put on a thumb drive it would then revert to opening with the default application on any computer where the unique association wasn’t explicitly set. Maybe I’m a purist, but I think it is absolutely crucial that your computer behave predictably, which means that if your OS is going to treat a file as an image file, video file, or text file then it should predictably treat them like every other image, video, or text file unless explicitly instructed to do otherwise.
Apple might also be able to require that all scripts have a proper file extension (sh, py, pl, etc…) in order to be launched by the GUI.
But that limits how things are sent. Most downloaded OS X apps are DMG. Disk images. They get mounted to the file system and a new Finder window then opens. Most use a custom background and locations to show off their wares. (If you run OS X, download the Fire IM client.)
But that’s for apps, yes? I’m talking about how OS X handles the file associations for plain old files.
Wouldn’t it be possible to create a sort of sandbox for files downloaded off of the internet? Say I receive ‘photo.jpg’ that actually happens to be a malicious script. Would it be possible for Apple to implement some sort of simulated open/execute chain?
Instead of actually *really* opening the file (and thus running the terminal + malicious script) it performs a simulated run of the script, and then makes an assertion about whether or not the file is dangerous, using the output of the script?
I’m having a hard time explaining this, so you may need to read this 3 times before you get me :/.
that’s a brilliant idea
Isn’t it what anti-virus software should do? I think that some Windows AV tools are doing exactly this kind of stuff already (Dr.Web for example).
the os itself should do it, though. seems like kind of a no brainer
The problem exists due to OSX determining execution type by meta-data and display type by file extension. Hence how you can have a shell script with a jpeg icon.
To me, the solution is simple, keep the execution type to meta data. If absent meta data set execution type to file extension. Set the display type to meta-data, if absent meta data set display type to file extension.
This way, the user will always see the execution representation and the system maintains its granularity. A user can still make a shell script look like an image file, but the script would then be handled by the system as an image.
Bert
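As an added illustration of the libmagic-style check the GNOME comment above describes, and of Bert’s proposal to let the content rather than the name decide what a double-click does, here is example code written for this page (not Apple’s, GNOME’s or any poster’s). The signature table is a constructed stand-in for libmagic and every file name and byte string below is made up.

```python
import os
import stat

# Constructed signature table (not libmagic): the content types the thread
# discusses (images) plus the script/executable forms a disguised file may
# really be. Longer signatures come first so "#!" never shadows them.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\xfe\xed\xfa\xce", "application/x-mach-binary"),  # 32-bit Mach-O
    (b"\xfe\xed\xfa\xcf", "application/x-mach-binary"),  # 64-bit Mach-O
    (b"\xca\xfe\xba\xbe", "application/x-mach-binary"),  # fat/universal Mach-O
    (b"MZ", "application/x-dosexec"),                     # Windows PE/EXE
    (b"#!", "text/x-script"),                             # shebang: sh/perl/python
]

# What the suffix (the only thing Finder shows the user) claims the file is.
EXT_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".sh": "text/x-script", ".pl": "text/x-script",
    ".py": "text/x-script", ".exe": "application/x-dosexec",
}
EXECUTABLE = {"text/x-script", "application/x-mach-binary", "application/x-dosexec"}
UNKNOWN = "application/octet-stream"
X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def sniff_type(data: bytes) -> str:
    """Type taken from the first bytes of the content, ignoring the name."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    return UNKNOWN


def declared_type(filename: str) -> str:
    """Type the file name suffix claims."""
    return EXT_TYPES.get(os.path.splitext(filename)[1].lower(), UNKNOWN)


def validate_download(filename: str, data: bytes, mode: int = 0o644) -> dict:
    """Verdict for one downloaded file: 'block' when the content is a program
    but the name claims otherwise, 'warn' for any other name/content mismatch
    or an exec bit on non-program content, 'ok' when the name tells the truth."""
    declared, actual = declared_type(filename), sniff_type(data)
    reasons = []
    if actual in EXECUTABLE and declared not in EXECUTABLE:
        reasons.append(f"content is {actual} but name claims {declared}")
        verdict = "block"
    else:
        verdict = "ok"
        if declared != actual:
            reasons.append(f"suffix says {declared}, content is {actual}")
            verdict = "warn"
        if mode & X_BITS and actual not in EXECUTABLE:
            reasons.append("executable bit set on non-program content")
            verdict = "warn"
    return {"declared": declared, "actual": actual, "verdict": verdict, "reasons": reasons}
```

Run it on a “photo.jpg” whose bytes begin with `#!/bin/sh` and the verdict is `block`, whereas an honestly named `build.sh` with the same bytes is `ok`: the decision is driven by what the content is, not by the icon or suffix.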
Such security issues are, of course, not exclusive to the Mac. If a user can be tricked into downloading and opening a file, that user’s system can be compromised. “This is true regardless of the operating system being used. It is a universal vulnerability,” Long said.
the truth of the matter is no matter how secure you make an operating system if you don’t first have the users educated properly on what not to do they will find a way to make it unsecure. my mother for example sees pop ups that say “want to protect yourself from spyware (in windows)” and thinks it’s a good idea to click it. why? because she doesn’t know any better, (and she is an idiot. but we will forget about that for the time being). “make it idiot proof and somebody will make a better idiot.”
seriously, you deserve it if you download something and are told that it’s a program then still open it thinking it’s a picture (or movie, whatever) then are told that this application is being run for the first time, click OK and get screwed.
I’m afraid that’s not the whole picture.
Today’s browsers are little OSs themselves. Without any user intervention, all that’s needed is clicking a link and you are screwed.
‘Much Ado About Nothing’
so sez Billy S.
Please, when is it going to get to the point that PERSONAL RESPONSIBILITY starts to take its course, and the liability of businesses for people’s stupidity finishes?