more on this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability

[David Farber <dave () farber net>]

Begin forwarded message:

From: Serge Egelman <egelman () cs cmu edu>
Date: February 21, 2006 4:59:16 PM EST
To: dave () farber net
Subject: Re: [IP] this is very important for mac users New Mac OS X  
"__MACOSX" ZIP Archive Shell Script Vulnerability

For IP if you wish:

Not to go on a tangent, but this reminds me of a recent discussion on
the Anti-Phishing Working Group mailing list.  Someone posted a message
asking what can be done if a user is using a phishing detection toolbar,
but somehow their connection is hijacked so that all traffic goes
through a malicious proxy (with the intent of feeding the toolbar wrong
information).  I pointed out that if the cause of this is malware
installed on the user's computer (giving it the ability at the OS level
to redirect all traffic), then all bets are off.  As at this point the
malware can also alter program behavior (such as adding a few jumps in
the toolbar code to bypass checking altogether).  Of course DNS
poisoning, upstream attacks, and the like are a separate matter (I'm
only talking about attacks confined to the local machine).

I was hoping to start a serious discussion on this issue, but instead
only marketoids from various toolbar vendors responded, all saying "our
product is immune from this problem!"  I responded to each one asking
how their software is impervious to viral code.  Half stopped
responding, and the other half gave a nonsequitor such as, "we use SSL
for our connections!"  I responded with, "so say the viral code alters
the local certificate," but still haven't heard any responses to that.

So anyway, my point (and the relevance to this thread) is that I believe
 many of these problems should be addressed at the OS level now.  While
every OS has vulnerabilities, it would seem that a lot more can be done
at the OS level to detect when such vulnerabilities are being exploited.
 Obviously I don't mean to imply that OSs should detect their own
vulnerabilities, but more often than not such exploits have a pattern.


serge

David Farber wrote:
> Begin forwarded message:
>
> From: "Robert J. Berger" <rberger () ibd com>
> Date: February 21, 2006 3:51:04 PM EST
> To: Lee Revell <rlrevell () joe-job com>
> Cc: Dave Farber <dave () farber net>, Dewayne Hendricks
> <dewayne () warpspeed com>
> Subject: Re: [IP] Basic Mac OS X Security / New Mac OS X  
> "__MACOSX"  ZIP
> Archive Shell Script Vulnerability
>
> Yes, I agree 100%. The term Secure OS is an oxymoron, especially one
> connected to a network.
>
> Linux and Mac OS X does do a better job than Windows, but any OS with
> lots of lines of code in the kernel and the ability to execute   
> programs
> downloaded over the net
> is vulnerable somewhere.
>
> At least OS X will prompt you before it runs something as root!.
>
> And to prove the point this just in:
>
> Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
> http://secunia.com/advisories/18963/
> Description:
>
> Michael Lehn has discovered a vulnerability in Mac OS X, which can be
> exploited by malicious people to compromise a user's system.
>
> The vulnerability is caused due to an error in the processing of file
> association meta data (stored in the "__MACOSX" folder) in ZIP
> archives. This can be exploited to trick users into executing a
> malicious shell script renamed to a safe file extension stored in a
> ZIP archive.
>
> This can also be exploited automatically via the Safari browser when
> visiting a malicious web site.
>
> Secunia has constructed a test, which can be used to check if your
> system is affected by this issue:
> http://secunia.com/mac_os_x_command_execution_vulnerability_test/
>
> The vulnerability has been confirmed on a fully patched system with
> Safari 2.0.3 (417.8) and Mac OS X 10.4.5.
>
> Solution: The vulnerability can be mitigated by disabling the "Open
> safe files after downloading" option in Safari.
>
> Do not open files in ZIP archives originating from untrusted sources.
>
>
> On Feb 21, 2006, at 11:35 AM, Lee Revell wrote:
>
> > My point was not as much that Windows is secure, but that the points
> > listed do not constiture a "secure OS".
> >
> > In fact security people consider there to be no such thing - any  
> > OS is
> > only as secure as the user.  You can be more or less secure by   
> > default.
> >
> > Calling OSX a "secure OSX" just struck me as a bit of zealotry.  Even
> > Linux people don't claim their OS is secure...
> >
> > On Tue, 2006-02-21 at 11:25 -0800, Robert J. Berger wrote:
> >
> > > You would think so, but it turns out not to be true.
> > >
> > > First of all, it encourages (almost requires) you to run as
> > > Administrator all the time to actually use the system.
> > >
> > > Second, they "pierced the veil" of memory management isolation as a
> > > hack to improve graphics performance. So kernel memory is mapped  
> > > into
> > > every user process.
> > >
> > > Third, I'm sure there are more, I'm not an expert, but I see all my
> > > friends struggling with worms, virus and trojans (and lots of bad  
> > > UI)
> > > on windows and I have none of that (ok sometimes there's some bad UI
> > > too)
> > >
> > > I'm sure others could point out other Windows currently inherent
> > > security flaws that are not present in Mac OS.
> > >
> > > But as the article states, its not an invulnerable OS and you still
> > > have to have some consciousness of how you use it to make it most
> > > secure.
> > >
> > > Rob
> > >
> > > On Feb 21, 2006, at 11:01 AM, Lee Revell wrote:
> > >
> > > > On Tue, 2006-02-21 at 08:03 -0500, Dave Farber wrote:
> > > >
> > > > > Mac OS X is a secure operating system in that it's multi-user
> > > > > and has limits on what some user accounts can do. If an account
> > > > > is setup as a basic user, that user can only hurt himself, not
> > > > > the whole system or other users. However, in the interest of
> > > > > being "friendly" to new users, Apple leaves of a lot of the
> > > > > secure bits off for the first user created and this means that
> > > > > trojans like this week's can cause some pretty nasty problems on
> > > > > your system.
> > > >
> > > >
> > > > If this really constitutes a "secure OS" then you'd have to say the
> > > > same
> > > > of Windows.
> > > >
> > > > Lee
> > >
> > > ––––––––––––––––––––––––––––––
> > > Robert J. Berger - Internet Bandwidth Development, LLC.
> > > Voice: 408-882-4755 eFax: +1-408-490-2868
> > > http://www.ibd.com
>
> ––––––––––––––––––––––––––––––
> Robert J. Berger - Internet Bandwidth Development, LLC.
> Voice: 408-882-4755 eFax: +1-408-490-2868
> http://www.ibd.com
>
>
>
>
>
> -------------------------------------
> You are subscribed as serge () guanotronic com
> To manage your subscription, go to
>  http://v2.listbox.com/member/?listname=ip
>
> Archives at: http://www.interesting-people.org/archives/interesting- 
> people/

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate and Professional Students
*/


-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/