Interesting People mailing list archives

This is very important for Mac users: New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability


From: David Farber <dave () farber net>
Date: Tue, 21 Feb 2006 16:13:57 -0500



Begin forwarded message:

From: "Robert J. Berger" <rberger () ibd com>
Date: February 21, 2006 3:51:04 PM EST
To: Lee Revell <rlrevell () joe-job com>
Cc: Dave Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>
Subject: Re: [IP] Basic Mac OS X Security / New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability

Yes, I agree 100%. The term Secure OS is an oxymoron, especially one
connected to a network.

Linux and Mac OS X do a better job than Windows, but any OS with
lots of lines of code in the kernel and the ability to execute programs downloaded over the net
is vulnerable somewhere.

At least OS X will prompt you before it runs something as root!

And to prove the point this just in:

Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
http://secunia.com/advisories/18963/
Description:

Michael Lehn has discovered a vulnerability in Mac OS X, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of file
association meta data (stored in the "__MACOSX" folder) in ZIP
archives. This can be exploited to trick users into executing a
malicious shell script renamed to a safe file extension stored in a
ZIP archive.

This can also be exploited automatically via the Safari browser when
visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your
system is affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with
Safari 2.0.3 (417.8) and Mac OS X 10.4.5.

Solution: The vulnerability can be mitigated by disabling the "Open
safe files after downloading" option in Safari.

Do not open files in ZIP archives originating from untrusted sources.


On Feb 21, 2006, at 11:35 AM, Lee Revell wrote:

My point was not as much that Windows is secure, but that the points
listed do not constitute a "secure OS".

In fact security people consider there to be no such thing - any OS is
only as secure as the user. You can be more or less secure by default.

Calling OSX a "secure OSX" just struck me as a bit of zealotry.  Even
Linux people don't claim their OS is secure...

On Tue, 2006-02-21 at 11:25 -0800, Robert J. Berger wrote:
You would think so, but it turns out not to be true.

First of all, it encourages (almost requires) you to run as
Administrator all the time to actually use the system.

Second, they "pierced the veil" of memory management isolation as a
hack to improve graphics performance. So kernel memory is mapped into
every user process.

Third, I'm sure there are more, I'm not an expert, but I see all my
friends struggling with worms, viruses and trojans (and lots of bad UI)
on Windows and I have none of that (ok sometimes there's some bad UI
too)

I'm sure others could point out other Windows currently inherent
security flaws that are not present in Mac OS.

But as the article states, it's not an invulnerable OS and you still
have to have some consciousness of how you use it to make it most
secure.

Rob

On Feb 21, 2006, at 11:01 AM, Lee Revell wrote:

On Tue, 2006-02-21 at 08:03 -0500, Dave Farber wrote:
Mac OS X is a secure operating system in that it's multi-user
and has limits on what some user accounts can do. If an account
is setup as a basic user, that user can only hurt himself, not
the whole system or other users. However, in the interest of
being "friendly" to new users, Apple leaves a lot of the
secure bits off for the first user created and this means that
trojans like this week's can cause some pretty nasty problems on
your system.

If this really constitutes a "secure OS" then you'd have to say the
same of Windows.

Lee


––––––––––––––––––––––––––––––
Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
http://www.ibd.com






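An added defender-side check, written for this archive page and not taken from Secunia's test or from anything in the thread above: it inspects a ZIP archive for the pattern the advisory describes, script content stored under a passive-looking extension, and reports whether the archive also carries the `__MACOSX` sidecar metadata that Finder would read for that entry. The sample archive is constructed inline, and the set of "passive" extensions is an assumption.

```python
import io
import zipfile

# Assumption: extensions a user would reasonably treat as passive data.
PASSIVE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".mov", ".mp3"}


def _sidecar_name(name: str) -> str:
    """AppleDouble sidecar path Mac OS X writes into ZIPs: __MACOSX/<dir>/._<basename>."""
    head, _, base = name.rpartition("/")
    prefix = "__MACOSX/" + head + "/" if head else "__MACOSX/"
    return prefix + "._" + base


def scan_archive(zip_bytes: bytes) -> list:
    """Return (entry name, has __MACOSX sidecar) for every entry whose extension
    looks passive but whose content starts with a shebang, i.e. a script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue  # metadata folder and directories carry no payload to check
            base = name.rpartition("/")[2]
            ext = base[base.rfind("."):].lower() if "." in base else ""
            if ext not in PASSIVE_EXTENSIONS:
                continue
            with zf.open(name) as fh:
                head = fh.read(2)
            if head == b"#!":
                findings.append((name, _sidecar_name(name) in names))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (not Secunia's file): a shell script stored as 'photo.jpg'
    plus its __MACOSX sidecar, and a JPEG-looking entry that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", "#!/bin/sh\necho constructed-sample\n")
        # AppleDouble magic 0x00051607 followed by zero padding stands in for real metadata.
        zf.writestr("__MACOSX/._photo.jpg", b"\x00\x05\x16\x07" + b"\x00" * 28)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, has_sidecar in scan_archive(build_sample_archive()):
        print(f"{name}: script content behind passive extension, sidecar={has_sidecar}")
```

The check only looks at the first two bytes, so it catches the renamed-shell-script case the advisory describes; other executable formats would need their own signatures.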






Archives at: http://www.interesting-people.org/archives/interesting-people/