Interesting People mailing list archives
this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability
From: David Farber <dave () farber net>
Date: Tue, 21 Feb 2006 16:13:57 -0500
Begin forwarded message:

From: "Robert J. Berger" <rberger () ibd com>
Date: February 21, 2006 3:51:04 PM EST
To: Lee Revell <rlrevell () joe-job com>
Cc: Dave Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>
Subject: Re: [IP] Basic Mac OS X Security / New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability
Yes, I agree 100%. The term Secure OS is an oxymoron, especially one connected to a network. Linux and Mac OS X do do a better job than Windows, but any OS with lots of lines of code in the kernel and the ability to execute programs downloaded over the net is vulnerable somewhere. At least OS X will prompt you before it runs something as root!

And to prove the point this just in:

Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
http://secunia.com/advisories/18963/

Description:
Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives. This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive.

This can also be exploited automatically via the Safari browser when visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your system is affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Safari 2.0.3 (417.8) and Mac OS X 10.4.5.

Solution:
The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

Do not open files in ZIP archives originating from untrusted sources.

On Feb 21, 2006, at 11:35 AM, Lee Revell wrote:
> My point was not as much that Windows is secure, but that the points listed do not constitute a "secure OS". In fact security people consider there to be no such thing - any OS is only as secure as the user. You can be more or less secure by default. Calling OSX a "secure OSX" just struck me as a bit of zealotry. Even Linux people don't claim their OS is secure...
>
> On Tue, 2006-02-21 at 11:25 -0800, Robert J. Berger wrote:
>> You would think so, but it turns out not to be true.
>>
>> First of all, it encourages (almost requires) you to run as Administrator all the time to actually use the system.
>>
>> Second, they "pierced the veil" of memory management isolation as a hack to improve graphics performance. So kernel memory is mapped into every user process.
>>
>> Third, I'm sure there are more, I'm not an expert, but I see all my friends struggling with worms, viruses and trojans (and lots of bad UI) on Windows and I have none of that (ok sometimes there's some bad UI too)
>>
>> I'm sure others could point out other Windows currently inherent security flaws that are not present in Mac OS.
>>
>> But as the article states, it's not an invulnerable OS and you still have to have some consciousness of how you use it to make it most secure.
>>
>> Rob
>>
>> On Feb 21, 2006, at 11:01 AM, Lee Revell wrote:
>>> On Tue, 2006-02-21 at 08:03 -0500, Dave Farber wrote:
>>>> Mac OS X is a secure operating system in that it's multi-user and has limits on what some user accounts can do. If an account is set up as a basic user, that user can only hurt himself, not the whole system or other users. However, in the interest of being "friendly" to new users, Apple leaves a lot of the secure bits off for the first user created and this means that trojans like this week's can cause some pretty nasty problems on your system.
>>>
>>> If this really constitutes a "secure OS" then you'd have to say the same of Windows.
>>>
>>> Lee

––––––––––––––––––––––––––––––
Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
http://www.ibd.com
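Added example, not part of the original message or of the Secunia advisory: a Python check for the pattern the advisory describes, a file with a safe-looking extension whose content begins with a script interpreter line, reporting whether the archive also carries a "__MACOSX" metadata entry for it. The extension list, the function names and the in-memory sample archive are assumptions constructed for illustration; the "._name" companion path is the usual layout of per-file metadata under "__MACOSX".

```python
import io
import posixpath
import zipfile

# Extensions a user would expect to be passive content (assumed, illustrative list).
SAFE_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp3", ".pdf", ".txt"}

def companion_name(name):
    """Path of the "__MACOSX" AppleDouble entry that carries metadata for `name`."""
    head, tail = posixpath.split(name)
    return posixpath.join("__MACOSX", head, "._" + tail)

def suspicious_entries(zip_bytes):
    """Return (name, has_macosx_metadata) for script-like files with a safe-looking extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            # Skip directories and the metadata entries themselves.
            if name.endswith("/") or name.startswith("__MACOSX/"):
                continue
            ext = posixpath.splitext(name)[1].lower()
            if ext not in SAFE_LOOKING:
                continue
            with zf.open(info) as fh:
                first_two = fh.read(2)
            # "#!" marks an interpreter line, which passive media never starts with.
            if first_two == b"#!":
                findings.append((name, companion_name(name) in names))
    return findings

def build_sample():
    """Constructed sample archive, built in memory; the metadata entry is placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/holiday.jpg", "#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/photos/._holiday.jpg", b"PLACEHOLDER-METADATA")
        zf.writestr("photos/real.jpg", b"\xff\xd8\xff\xe0 not a script")
        zf.writestr("notes.txt", "#!/bin/sh\n# script with no metadata companion\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, has_meta in suspicious_entries(build_sample()):
        print(f"{name}: starts with '#!', __MACOSX metadata present: {has_meta}")
```

An entry flagged with metadata present is the combination the advisory warns about; one flagged without it is still a mislabeled script worth a look before opening.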