Exploit Published for Unpatched Mac OS X Flaw
Days after the emergence of two pieces of malware designed to attack Mac OS X users, security experts have uncovered a serious security hole that could be used to infiltrate OS X systems through Safari, the operating system's default Web browser.
According to a post over at the SANS Internet Storm Center, Safari is configured by default to automatically run or open certain types of files marked "safe files" by the operating system. Since Safari by default considers compressed ".zip" files to be safe, a malicious Web site could fill such an archive with a set of nasty scripts -- that is, a series of commands that the host computer is instructed to run when the ZIP file is opened. Worse, that ZIP file could easily be disguised as a JPEG or other type of image file, so that a Safari user could be hit with an exploit "simply by visiting a Web site -- no user interaction required," SANS warns.
This writeup at the German technology news publisher Heise Online says the problem isn't limited to Safari. Even an OS X user viewing the site with a different Mac browser who downloads one of the disguised image files and double-clicks on it would cause the operating system to execute the concealed scripts.
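The core of the problem described above is that the file's extension and the file's real type disagree. The following is an added example, not code from the article or from Lehn's proof of concept: a defender-side check that identifies a download by its leading bytes rather than its name and, when a file served as an image is really a ZIP archive, lists the members that look like scripts. The magic-byte table, the extension lists and the sample archive are all constructed for the example.

```python
import io
import os
import zipfile

# Leading bytes for the two types the article contrasts: JPEG starts with
# FF D8 FF, a ZIP archive's first local file header starts with "PK\x03\x04".
MAGIC = {b"\xff\xd8\xff": "jpeg", b"PK\x03\x04": "zip"}
# Extensions that promise an image; a ZIP hiding behind one is suspicious.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
# Member extensions that indicate executable content (constructed list).
SCRIPT_EXTS = {".sh", ".command", ".pl", ".py", ".scpt"}

def sniff_type(data: bytes) -> str:
    """Identify the real type from leading bytes, ignoring the file name."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"

def script_members(data: bytes) -> list:
    """Names of ZIP members that are scripts by extension or by shebang line."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            with zf.open(info) as member:
                head = member.read(2)
            if ext in SCRIPT_EXTS or head == b"#!":
                found.append(info.filename)
    return found

def classify_download(filename: str, data: bytes) -> dict:
    """Flag a download whose declared extension disagrees with its content."""
    ext = os.path.splitext(filename)[1].lower()
    result = {"declared_ext": ext, "real_type": sniff_type(data),
              "suspicious": False, "scripts": []}
    if result["real_type"] == "zip":
        result["scripts"] = script_members(data)
        result["suspicious"] = ext in IMAGE_EXTS or bool(result["scripts"])
    return result

def build_sample() -> bytes:
    """Constructed sample: a ZIP holding one shell script, served as photo.jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo", "#!/bin/sh\necho 'Hallo Welt!'\n")
    return buf.getvalue()

if __name__ == "__main__":
    print(classify_download("photo.jpg", build_sample()))
```

Run against the constructed sample, the check reports the file as a ZIP despite its ".jpg" name and names the shebang-bearing member, which is exactly the disguise the article describes.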
Most OS X users run their computers as the default "administrator" account, which is set up so that certain changes to the operating system cannot be made without the user entering the "superuser" or "root" account password. But this exploit could still do a fair amount of damage if run on an administrator account. While a malicious Web site using this flaw would not be able to, say, overwrite files or disable the firewall on administrator accounts, it could well delete that user's files or cause that account to send and/or receive various types of data.
The guy who discovered the flaw, Michael Lehn, a Ph.D. student and research assistant at the Department of Numerical Analysis at the University of Ulm, also published a harmless proof-of-concept exploit that Mac users can check out if they want to see this exploit in action. According to the author, "It merely prints 'Hallo Welt!' [Hello World] in a terminal (but infinitely many times)." Unfortunately, several experts I spoke with last night about this exploit said it looks like Lehn's exploit could be trivially modified for nefarious purposes.
In an e-mail interview, Lehn said he was prompted to look for the flaw after watching the German TV show Mac-Tv, which on Sunday featured a discussion of the threat from two new pieces of malware targeting OS X. Lehn said viewers were calling in to defend the security of Mac OS X, saying that it was not possible for OS X users to infect their machines just by clicking on a link or visiting a Web page. Lehn disagreed.
"In math you either prove that something is true, or you find a counter-example to prove it wrong," he said. Lehn said he found the flaw after just 15 minutes of looking.
I don't see an advisory about this yet from Apple, but SANS says for the time being Safari users should consider disabling the option "Open 'safe' files after downloading" in the "General" preferences section in Safari.
Update, 2:24 p.m. ET: Vulnerability watcher Secunia has just issued an advisory on this Mac OS X flaw, assigning it an "extremely critical" threat rating, its most serious. Secunia says that rating is "typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. These vulnerabilities can e.g. exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers."