Exploit Released for Unpatched Mac OS X Bug

The "Month of Kernel Bugs" strikes again. At the beginning of the month, a security researcher known only as LMH started the project to highlight unpatched flaws so severe that attackers could use them to completely subvert the security of vulnerable computers. On Monday, the project's curator released instructions for targeting a serious flaw in the way Mac OS X systems process certain types of files.

This particular exploit targets a vulnerability in the way that most Macs process files ending in ".DMG", a file type commonly encountered when Mac users download a software installer. Clicking on the proof-of-concept DMG file listed on the MoKB homepage from a brand-new Mac OS X 10.4.8 installation caused the system to display a prompt telling me that I needed to restart my computer, either by holding down the power button or by restarting the machine.

Sounds like an innocuous enough bug, to be sure, but the crash report generated after I used Safari to click on the file indicated that the exploit had indeed resulted in a "kernel panic," which in most cases means that if someone wanted to use the exploit to install malicious code, they could do so regardless of the security settings or precautions already present on the machine.

I'm not a Mac OS X expert, but others who have examined DMG files have previously pointed to them as a potential source of system compromise. Here's a recent post at the Matasano Security blog: "What is interesting about DMG [files] is that they allow non-privileged users to mount a filesystem. This poses a number of unique threats to OS X."

What was interesting about the flaw detailed by "LMH" was that I merely clicked on a link at the MoKB site and received a file, which OS X subsequently opened and then told me it needed to shut down.

LMH said he tested the exploit against an OS X installation running on an Intel "shipping" Mac; the exploit also seemed to work against my older PowerPC-based system. According to LMH, there is no existing patch for this vulnerability, but OS X users can mitigate this flaw by "changing the Preferences and deactivating the functionality for opening 'safe' files after downloading."
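A small audit script for the mitigation LMH describes, added here as an example; it is not part of the original post, of Apple's documentation or of the MoKB project. It assumes that the preference behind Safari's "Open 'safe' files after downloading" checkbox is stored under the key AutoOpenSafeDownloads in the com.apple.Safari defaults domain (a key the editor knows from macOS administration, not one stated on the page), and that a missing key means Safari's default, enabled, behaviour.

```shell
#!/bin/sh
# Audit (and optionally remediate) Safari's "Open 'safe' files after downloading" setting.
# Example script, not from the original post. Assumption: the checkbox is backed by the
# boolean key AutoOpenSafeDownloads in the com.apple.Safari defaults domain.

SAFARI_DOMAIN="com.apple.Safari"
AUTOOPEN_KEY="AutoOpenSafeDownloads"

# classify_autoopen VALUE
#   VALUE is the raw stdout of `defaults read`: "1"/"0" (or true/false),
#   or empty when the key has never been written (Safari then uses its default: enabled).
#   Prints one of: auto-open-enabled, auto-open-enabled-by-default, auto-open-disabled, unknown
classify_autoopen() {
  normalized="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')"
  case "$normalized" in
    "")          echo "auto-open-enabled-by-default" ;;
    1|true|yes)  echo "auto-open-enabled" ;;
    0|false|no)  echo "auto-open-disabled" ;;
    *)           echo "unknown" ;;
  esac
}

# needs_remediation STATUS
#   Returns 0 (true) when the setting still lets Safari open downloads automatically.
needs_remediation() {
  case "$1" in
    auto-open-enabled|auto-open-enabled-by-default) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_safari_autoopen [--fix]
#   Reads the live preference with defaults(1). Exit 0 = already disabled,
#   1 = still enabled (or just remediated), 2 = could not check (not macOS).
audit_safari_autoopen() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "defaults(1) not found; this check only runs on Mac OS X" >&2
    return 2
  fi
  # defaults(1) prints nothing on stdout and fails when the key is absent; treat that as empty.
  raw="$(defaults read "$SAFARI_DOMAIN" "$AUTOOPEN_KEY" 2>/dev/null || true)"
  status="$(classify_autoopen "$raw")"
  echo "$SAFARI_DOMAIN $AUTOOPEN_KEY: $status"
  if needs_remediation "$status"; then
    if [ "${1:-}" = "--fix" ]; then
      defaults write "$SAFARI_DOMAIN" "$AUTOOPEN_KEY" -bool false
      echo "remediated: $AUTOOPEN_KEY set to false (restart Safari for it to take effect)"
    else
      echo "re-run with --fix, or uncheck Safari > Preferences > General > Open \"safe\" files after downloading"
    fi
    return 1
  fi
  return 0
}

# Only perform the live check when asked to, so the functions can be sourced and tested elsewhere.
case "${1:-}" in
  --audit|--fix) audit_safari_autoopen "$@" ;;
esac
```

Run it with `--audit` to report the current state of the preference and with `--fix` to turn the auto-open behaviour off. As the commenters below point out, this setting only stops Safari from opening a downloaded file on its own; a DMG that the user double-clicks afterwards is still opened, so the preference limits exposure from drive-by downloads rather than removing the underlying bug.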

I have sent a message to the Apple public relations folks seeking comment and will update this post if and when I hear back from them.

By Brian Krebs  |  November 21, 2006; 9:30 AM ET

Comments

This is an old issue actually, with the fix mentioned above being the recommended easiest protection (turning off automatic processing in Safari). The shocking thing actually is that you still HAVE to turn this off, when it should be off by default, and only turned on by those who know what they're risking. At least once it's turned off, it doesn't automatically turn back on with later updates (yet).

Disabling file system mounting by non-privileged users would be the equivalent of not allowing them to load CDs/DVDs, which could also be infected by the way, so may or may not be very practical as an additional precaution depending on a given user's setup.

I just turn off the Safari preference at every client and family member's computer I can find.

Posted by: Brad | November 21, 2006 10:03 AM | Report abuse

You have a typo: you list it as system 10.8, which presumably won't be released until after Leopard, which is 10.5. The current version (with all patches applied) is 10.4.8.

Posted by: James Hare | November 21, 2006 10:08 AM | Report abuse

James, yes, that was a typo. I've fixed it, thanks.

Posted by: Bk | November 21, 2006 10:33 AM | Report abuse

Are there any virus protection programs available for Intel-based Macs yet? I used Norton Internet Security for my Power Mac but had to scrap it once I scrapped the Power Mac and moved up to the Mac Pro.

Posted by: Glenn | November 21, 2006 10:33 AM | Report abuse

I decided to be a "proud Safari" user and downloaded the dmg file. My preferences were set so that "Open Safe Files After Downloading" was unchecked (my normal setting). I downloaded the dmg file and when it completed I double-clicked it. Sure enough, my machine froze, a 2.5 dual processor G5 running 10.4.8 completely updated with security patches. PPCs are not immune to this exploit. (Ordinarily I do NOT click on untrusted DMGs!)

Posted by: MJC | November 21, 2006 11:53 AM | Report abuse

Hasn't MJC pointed to the limitation of the preferences setting? The file downloads, and then it can be opened manually, which creates the problem.

Posted by: ah | November 21, 2006 12:08 PM | Report abuse

Among its other security flaws, Safari still doesn't offer the ability to selectively accept cookies; to accept session cookies only; or to selectively accept pop-ups - some five years after Mozilla-based browsers acquired these options, which are now also available on Internet Exploder for Windows.

I'll use Safari to play the crossword puzzles on this publication until Adobe releases an Intel-compatible update to Shockwave Player (rather than relaunching Firefox under Rosetta, a time-consuming PITA). That is the only thing Safari is good for.

Posted by: Think! | November 21, 2006 12:29 PM | Report abuse

Sorry, but could you PLAINLY state which preference to disable?

Posted by: neal | November 21, 2006 12:38 PM | Report abuse

Neal:

In Safari-->Preferences-->General there is a checkbox in the downloads portion of the pane that asks "open 'safe' files after downloading".

Posted by: ah | November 21, 2006 1:25 PM | Report abuse

There's a big step from crashing a computer by causing a kernel panic and being able to install new software. I'm not saying that a crash is not a problem, nor that the bug doesn't allow execution of arbitrary code, just that the second doesn't follow from the first.

Posted by: Kevin Crowston | November 21, 2006 1:31 PM | Report abuse

Glenn: Yes, Norton Antivirus works fine on Intel Macs. The installer that I have is a PPC one (which installs, but then complains), and then you just have to use the online updater to get the latest version which works just fine.

And a comment on the article. The exploit in question causes a kernel panic (which is bad), but then the article asserts that this would allow people to arbitrarily execute code. To the best of my knowledge that is not correct. When a kernel panic goes off all execution halts. Nothing gets executed. This is the whole point of having a kernel panic (it is the bottom layer of the OS saying that something has gone horribly wrong).

This is easily demonstrated on a Mac because if you let it sit your computer's fans will start revving up to full. That is because the fans are computer controlled, and when they don't get their control signals to keep their speed low they go to full speed.

So this attack is a somewhat annoying (but probably ineffective) denial of service attack, but not a propagation/execution vector.

Posted by: larkost | November 21, 2006 3:18 PM | Report abuse

Glenn, I would advise that you stay far, far away from Norton for the Mac. Once upon a time, it was a decent piece of software, but now it does more damage to OS X than anything else.

There are so few (zero!) viruses, trojans, etc. in the wild for OS X, I don't think any company has felt it would be profitable to write the software. Who would buy it? What would the software scan for if it doesn't have any known viruses to look for?

I don't think we'll see any kind of virus protection software until there is a true *need* for such software.

Until then, use normal safe computer practices, and remember that the best safeguard you will ever have against any threat is to backup your data.

Posted by: Vicki | November 21, 2006 3:25 PM | Report abuse

larkost:

Fans aren't controlled by the underlying OS, although there are interfaces that can be used at low level to operate them (ex. ACPI support in the kernel, depends on platform, etc). Using it in this context, is, at very least, funny. Makes me want to get a pack of cigarettes.

BTW, the proof of concept won't impact CPU usage, at all. Maybe you notice the fan noise because your iTunes indie music stopped playing or something else :-)

Anyway, back to the topic.

'When a kernel panic goes off all execution halts. Nothing gets executed. This is the whole point of having a kernel panic (it is the bottom layer of the OS saying that something has gone horribly wrong).'

OK, I'll correct that. You're right about kernel panic being the 'end'. Although you totally miss the whole picture. Before a kernel panic happens, the conditions that take place usually are related to unhandled exceptions (ex. invalid memory access) or handled ones (ex. the stupid fpathconf() bug).

Before the kernel panic happens, the execution flow can be influenced and subverted in any way you want. If you are able to corrupt memory, inject values and make it land on a memory area you control, game over. A successful exploit takes advantage of a vulnerable condition to make the execution path change to our needs. If the exploitation doesn't succeed or something else happens, it will 'crash'. So that means it's not exploitable? ...

To put it out clearly, it's like saying that a segmentation fault (SIGSEGV signal) is the end of the execution of a process and nothing can happen. Yeah, sure. If you are overwriting EIP with 0xdeadbabe, it will obviously crash. So, bug is not exploitable at all right?

User-land processes can be re-spawned, whilst kernel 'crashes' can't recover, obviously.

I'm trying to explain this in the easiest possible way, as you seem to be confused, or being another Mac Zealot cultist making a rather flawed use of:
http://en.wikipedia.org/wiki/Logical_fallacy

Have fun.

Posted by: LMH | November 21, 2006 4:27 PM | Report abuse

Turning off the automatic download option is always a good bet. Frankly, Adobe Acrobat has also been the source of security holes, albeit unexploited, so you don't want those to open automatically either. Flash too has a new update to fix a bunch of holes and short of deinstalling it, there is no way to disable it, so you have to keep that updated as well. The more programs you have at the "interface" with the outside world, the more vulnerable you are, no matter what OS you are using. Trouble with Flash and Acrobat and Real Player (another security nightmare), etc. is you keep doubling your chances to get hit with each one you have installed.

If you are going to use the Internet, back up your data often and early. If you aren't going to use the Internet, back up your data anyway.

Posted by: Marie | November 21, 2006 7:03 PM | Report abuse

What is the "automatic processing" option the first poster refers to, and where can I find it in preferences to make changes? Thanks.

Posted by: John | November 22, 2006 3:14 AM | Report abuse

Belay my last request... I didn't see the rest of the thread. Thanks.

Posted by: John | November 22, 2006 3:15 AM | Report abuse

LMH, glad you were here to clear up larkost's theory. Very well put-together response! :)

spank spank

And thanks for the month of kernel bugs. I think vendors will have no choice but to focus more on security of their products if every time they turn around someone is infiltrating it.

kudos!

Posted by: Amused | November 22, 2006 11:22 AM | Report abuse

The instructions to mitigate this vulnerability in the blog should be a) more complete, which in this case requires cleaning up one sentence and adding one more; and b) much earlier in the column. IMO. It should not be left up to the readers to post clear solutions that mitigate the vulnerability when that solution is already common knowledge amongst many in the Mac community. Thank you.

Posted by: WhitIV | November 22, 2006 11:41 AM | Report abuse

Wait, aren't all Mac users supposed to be denying these bugs exist? Funny, I don't see that at all. When properly disclosed, Mac users seem to accept quite easily that bugs on OS X are real and can be security issues.

Nor will you see Apple denying the problem and I suspect that LMH will get credit for the discovery as well.

So what was different about Maynor and Ellch? Oh yeah, they never showed anyone anything real.

Posted by: James Bailey | November 24, 2006 2:47 PM | Report abuse

What's different about Maynor and Cache is that some people continue to deny, against all reason and evidence (including a live demo for Brian Krebs), the veracity of their report. But at least Apple's subsequent release of patches for a vulnerability in the Airport driver has caused these people to tone down the dogmatic, holier-than-thou attitude so that when something like this dmg vulnerability comes out, there is now grudging acceptance that, yes, Macs have vulnerabilities too. Nonetheless, inexplicably, some of them still won't go so far as to admit that Maynor and Cache may have been on to something.

Posted by: antibozo | November 25, 2006 2:55 AM | Report abuse

Re: antibozo

Pfffft! "...all reason and evidence"? Yank yank. "...grudging acceptance"? The only grudge I see is that any vulnerability - and I can admit them UNgrudgingly - is enough to get Microsoftees to think that the playing field is now suddenly level. That the how-many-tens-of-thousands of viruses, adware, and spyware, and the dollars and processing power Microsoftees have to expend to protect against those threats, or how the Microsoftees have to become technicians just to keep their PCs up and running - like all of that goes away, or is somehow equal to, one vulnerability on the Macintosh.

Yep, I'll admit - ungrudgingly - that one day the Mac may actually have a real, threatening virus to contend with. Or maybe, one real-world piece of adware to worry about. How one, two, or for that matter, years from now, a hundred threats equals tens-of-thousands of exploits right now in the Land of the Microsoftees is beyond me.

Macs are not perfect. They just have to be better. The fact that they are a LOT better over the last five years is an added bonus.

While there are plenty of Microsoftees who have seen the light, and plenty more thinking of making the switch, inexplicably, in spite of strong evidence to the contrary, some Microsoftees won't go so far as to admit that XP has always been broken just like 98, and 95 before that, and that Vista may wind up as still-born as a brown Zune. I don't blame the poor folks that just don't know any better, but there is a big difference between ignorance and aggressive-ignorance.

Put some veracity into that.

Posted by: WhitIV | November 25, 2006 4:36 AM | Report abuse

WhitIV> enough to get Microsoftees to think that the playing field is now suddenly level.

Microsoft has nothing to do with it. I made no claims about Microsoft or the security of any of its products. I'm not clear why you think Microsoft is relevant, or why you think denigrating Microsoft users by calling them names is useful. Much of your posting is pretty unclear actually.

To address the part of your post I think I understand, the playing field can't be level as long as the population of Macs is too small to warrant significant interest from either botnet operators or, therefore, security researchers.

For your information, once upon a time, before practically every system had an Internet connection, there were a large number of Mac viruses. In those days, working in an office where there were as many Macs as Windows 3.1 boxes (and fewer of those combined than SunOS 4.x boxes), I used to have to clean viruses off of Macs just as often as PCs. When PCs took over as the platform of choice for most businesses, and so many of them started popping up on the Internet, interest in writing Mac viruses waned. The switch to a *BSD-based system for Apple is a favorable new development, but that isn't the factor that long ago made virus writers bored with MacOS.

Posted by: antibozo | November 25, 2006 8:06 PM | Report abuse

antibozo: Several things:

Krebs is not a credible witness, unfortunately; he is not a programmer/hacker/software engineer and his story is riddled with technical holes.

Apple's Airport security updates seem to have patched unrelated problems, not the hypothetical root exploit Maynor et al claimed to have found (and then backed away from).

See also the coverage of Maynor et al at http://www.smallworks.com/.

Posted by: antiantibozo | November 25, 2006 11:26 PM | Report abuse

Re: antibozo

"...favorable new development"? OS X, built on BSD, was released on 3/24/2001. Not really new.

Now, let's say for a moment, just for sake of discussion, that I bought into the argument of "security thru obscurity." If the Macs are more secure because they're obscure - "...the population of Macs is too small to warrant significant interest...", well hallelujah! I'm safe! I'm not running anti-virus, anti-spyware, or three anti-adware programs, and I don't need to, because "the population of Macs is too small to warrant significant interest from either botnet operators...".

Sounds good to me! But it's not security through obscurity that makes the Mac more secure. Heck, the first virus to hit Vista/Longhorn came within 24 hours or so of the release of a whole 10,000 copies of Vista to developers. There's a few more Macs than that around, by a few million, but 10,000 copies of Vista is apparently equivalent to all those millions of Macs.

No, Macs are more secure because they are designed more securely, and now that Vista is on the horizon, its users will soon find out about Microsoft's idea of security - a gazillion, more or less, popups asking "Are you sure you want to do xxxx?" Yeah, there's security for you, and a giant pain in the butt, as well. Not to mention that Microsoft is now happy to charge you for anti-virus protection to protect their OS on your machine! I had a cousin once who ran a restaurant along Rt 22 in New Jersey. He had to pay for protection too. The restaurant burned down anyway.

Oh, oh, and who said I was calling anyone names? Just cause a few nickel words and phrases were used doesn't make these words NOT an insult: "dogmatic, holier-than-thou attitude" "inexplicably" "won't go so far as to admit" "grudging acceptance" Glass houses, you know.

The word "veracity," actually, was my favorite. And while "veracity" is not an insult, I'm sure it sent more than a few people (that cared) to their dictionaries. Yep, couch the insults in something fancier than the vernacular, and suddenly, it's not an insult anymore! Good game plan. So there. And I threw in a nickel word too!

Posted by: WhitIV | November 26, 2006 1:41 AM | Report abuse

WhitIV> Now, let's say for a moment, just for sake of discussion, that I bought into the argument of "security thru obscurity." If the Macs are more secure because they're obscure

That's not what "security by obscurity" means. Security by obscurity is the practice of relying on people's ignorance of the details of your algorithms as a security measure. This is brittle security because algorithms are hard to change once discovered by your adversary; it is a violation of Kerckhoffs's principle which states that all security should be in the key. See the following:

http://en.wikipedia.org/wiki/Kerckhoffs'_principle

WhitIV> No, Macs are more secure because they are designed more securely

You keep missing the point. It doesn't matter whether Macs are more secure than Windows systems. (I personally agree they are, generally speaking, but neither of these is my platform of choice because I find them both lame.) What matters is that people long ago became disinterested in attacking Macs because the payoff is so small. This happened years before the release of OS X, which remains new by platform standards. The release of a few vulnerabilities in OS X, even severe ones, is not enough to change that. These things don't turn on a dime. There is a wealth of existing knowledge and tools for developing malware for Windows systems, including tools for automated generation of polymorphic viruses. Spinning up a parallel industry for developing MacOS malware simply won't happen as long as the population of Macs is so small. The relative absence of malware for MacOS is no more evidence of platform security than the relative absence of malware for OS-9, IRIX, AIX, AmigaOS, QNX, or any of the dozens of other platforms that also don't happen to be the dominant platform on the market.

WhitIV> And while "veracity" is not an insult, I'm sure it sent more than a few people (that cared) to their dictionaries.

Umm, how to put this... If you think "veracity" is a nickel word, I think you need to spend a little more time reading the dictionary. I mean that in a nice way.

Posted by: antibozo | November 27, 2006 1:45 AM | Report abuse

Mr. Krebs:

You need to get rid of that POSH spam, posted by wow, immediately between this message and the last message by antibozo. You can get rid of this one too, if you'd like, without hurting my sensitive feelings, because I know this message is only just a little bit more on point than the one from wow.

wow is why we keep antibozo around! kidding. KIDDING! ;-)

Posted by: WhitIV | November 28, 2006 4:07 AM | Report abuse

Krebs may be a non-programmer, but if so that doesn't make him any less credible than most of the people denying Maynor and Cache's report, most of whom are also non-programmers. The problems, furthermore, are clearly not "unrelated". Johnny Cache stated they weren't exactly the same problems, IIRC, but they're clearly very proximal in the code. Nor have I seen it reported that Maynor backed away from the report; they simply declined to release exploit code for reasons that possibly include not wishing to incur the wrath of Apple's prodigious legal facilities.

Here's the thing: suppose I report that there's a privilege escalation vulnerability in the Linux kernel involving parsing of ELF headers in LD_PRELOAD handling in the runtime linker, but I decide not to release exploit code. Do I expect a bevy of Linux users, most of whom think ELF is a movie starring Will Ferrell, to come out of the woodwork and claim that I'm making it all up, call me all sorts of nasty names, and generally behave like imps? Of course not. Why would they?

The problem here is that some small but highly vocal subset of Mac users are elitists to the point of a kind of conceptual blindness, despite their having few if any programming skills, and little of the technical knowledge actually required even to understand the impact of a vulnerability in the bottom half of a device driver. This kind of elitism is not too harmful when it's tempered with the understanding that your platform does have real vulnerabilities. But when it gets to the point of denying dogmatically that a vulnerability report is true, it's dangerous.

For an amusing cautionary tale about what happens when people are more interested in denying the existence of a vulnerability than tracking it down and fixing it, review the following, in order:

http://www.phpbb.com/phpBB/viewtopic.php?p=1316231
http://marc.theaimsgroup.com/?l=bugtraq&m=110079436714518
http://www.phpbb.com/phpBB/viewtopic.php?t=240513
http://news.netcraft.com/archives/2004/12/21/santy_worm_spreads_through_phpbb_forums.html

What is the technical argument demonstrating that Maynor and Cache's report is false, while this report is true? Because they didn't follow a notification protocol? Because they didn't release exploit code? Because they didn't do a live demo in a hall full of laptops all sniffing the wireless network in promiscuous mode? Why, other than hubris, are some people so determined to believe that M&C just had to be lying? Isn't it safer to assume that a vulnerability report is true than to get all belligerent about how perfect your platform is and what jerks those vulnerability reporters are?

Posted by: antibozo | November 28, 2006 11:17 AM | Report abuse

[For contextual info: I posted the previous comment on Saturday night, but it got eaten by the comment system until today.]

Posted by: antibozo | November 28, 2006 12:16 PM | Report abuse

Ever see the movie "Dumber than Dumb"?

Posted by: Robin Lockhart | November 29, 2006 6:38 PM | Report abuse

There is AV for Intel-based Macs besides Norton's dig-in-your-system-and-mess-it-up AV. Go to:

http://www.clamxav.com

and you will find a free/donationware AV application. Recent updates have been compiled as Universal apps.

It's something I run once in a blue moon. There is now a plug-in that allows you to scan individual files with a Contextual Menu selection.

Posted by: MacSmiley | December 2, 2006 4:19 AM | Report abuse

I just used ClamXav to scan the MOKB file. The report says it found no viruses. I'll have to check more about this on the website.

Posted by: MacSmiley | December 2, 2006 4:29 AM | Report abuse

It turns out that this "security vulnerability" is probably nothing of the sort.

http://alastairs-place.net/2006/11/dmg-vulnerability/

How about a follow up Mr. Krebs?

Posted by: James Bailey | December 5, 2006 11:57 PM | Report abuse


© 2010 The Washington Post Company