
Try this in Safari.... (new security vulnerability)


scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2006-02-22, 03:00

linky

Did it scare the bejesus out of you!!

He He!

From this article if you haven't read it yet...

ars

edit by Brad: please don't post links to articles without quoting relevant parts or without at least sufficiently describing it.
Quote:
A new vulnerability targeted at Apple's home-grown web browser, Safari, is another matter entirely. A German security firm appears to have been the first to discover the Safari flaw, which allows for shell scripts to be executed after clicking a link.

Here's how it works: if a Safari user has the "Open 'safe' files after downloading" option checked (which enables movies, images, music, text, PDF, and a few other automatic documents to be automatically opened upon completion of a download), a specially designed shell script can be executed. Normally, shell scripts will not be executed after Safari downloads them without user confirmation. However, if the script lacks a "shebang line" (e.g., #!/bin/csh) and the Finder is set to open scripts using Terminal, the Finder will pass the scripts to the Terminal application, where they will be executed.

[...]

Right now, the only workaround for Safari users is to uncheck the "Open 'safe' files after downloading" option in Safari preferences. Safari is the only Mac OS X browser affected, so users of Camino and Firefox as well as WebKit-using browsers such as OmniWeb and Shiira are safe. Another option is moving Terminal out of /Applications/Utilities so that absolute paths inserted into scripts won't work.

'Remember, measure life by the moments that take your breath away, not by how many breaths you take'
Extreme Sports Cafe | ESC's blog | scratt's blog | @thescratt
  quote
MrENGLISH™
HerrDEUTSCH™
 
Join Date: Jan 2006
Location: Philadelphia, PA
 
2006-02-22, 03:14

I'm still nervous....... THANKS!

I made sure I unchecked "Open Safe Files" in preferences after discovering that....
  quote
Franz Josef
Passing by
 
Join Date: Jan 2005
Location: London, Europe
 
2006-02-22, 03:15

These have been a sobering few days - I sent some of these links with comment to Apple yesterday. They need to be devoting some serious resource to security in the near term.

Meantime I've moved Terminal to a new folder.
  quote
Luca
ಠ_ರೃ
 
Join Date: May 2004
Location: Minnesota
 
2006-02-22, 03:27

It's kind of disturbing to hear that while the exploit affects the entire OS, the applications that are most vulnerable are Apple's (Safari and Mail, both of which commonly open files without any user confirmation whatsoever).

Let's hope Apple gets an effective patch out there, and quickly. And it better not only be a Safari patch for 10.4 users.
  quote
Jason
Veteran Member
 
Join Date: Oct 2004
 
2006-02-22, 07:50

The BBC have picked up on this now as well as three other virus variants (apparently).

http://news.bbc.co.uk/1/hi/technology/4739432.stm

Let's face it guys, all this was inevitable. I believe the days of thinking that Apple were immune are well and truly over. Increased sales and the new popularity of Apple worldwide means hackers are slowly but surely turning their attention to OSX.

  quote
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2006-02-22, 08:16

Having said that, they are all easily avoidable once made public, and I doubt they would catch out many of the savvy amongst us.

I don't think we have to panic yet... And I am sure a lot of this is almost part of the new found high profile of Apple... Besides we've all been shooting our mouths off far too loudly and for far too long about how invulnerable we are.

The Bluetooth one is very interesting, and almost seems to indicate that people are really searching hard for ways to score that 'goal' of creating the first real virus... So far, none of them really are virus viruses, more exploits and trojan horse style attacks.

  quote
InactionMan
Veteran Member
 
Join Date: May 2004
 
2006-02-22, 09:01

I've had Open Safe Files turned off for a long time, mainly because it was irritating me.

Nonetheless, it's time for Apple to get their shit together.
  quote
Jason
Veteran Member
 
Join Date: Oct 2004
 
2006-02-22, 09:18

Quote:
Originally Posted by InactionMan
I've had Open Safe Files turned off for a long time, mainly because it was irritating me.

Nonetheless, it's time for Apple to get their shit together.
Agreed. Less iPod nonsense - more 'back to basics'.

The main reason I have always stuck with Apple down the years (and spending thousands in the process) is because of the security and virus free OS. If one day, down the road, OSX is no more secure than Windows then there will be no reason to stick with Mac. Hopefully that day will never come.

Regards
  quote
Franz Josef
Passing by
 
Join Date: Jan 2005
Location: London, Europe
 
2006-02-22, 09:34

Quote:
Originally Posted by InactionMan
I've had Open Safe Files turned off for a long time
Yup, many of us did
  quote
hotch
Member
 
Join Date: Feb 2006
Location: The Rocky Mountains
 
2006-02-22, 09:55

it seems that, since i'm running stuffit instead of letting apple unzip my files, this hasn't affected me
  quote
Jason
Veteran Member
 
Join Date: Oct 2004
 
2006-02-22, 09:59

Quote:
Originally Posted by Franz Josef
These have been a sobering few days - I sent some of these links with comment to Apple yesterday. They need to be devoting some serious resource to security in the near term.

Meantime I've moved Terminal to a new folder.
Can you move Terminal anywhere or does it need to be some specific folder?

regards
  quote
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2006-02-22, 10:02

Quote:
Originally Posted by hotch
it seems that, since i'm running stuffit instead of letting apple unzip my files, this hasn't affected me
Don't worry stuffit will bite your ass at some point in the future instead, so you won't be left out!

stuffit has kind of become the bastard nephew of Norton in my eyes..

  quote
alcimedes
I shot the sherrif.
 
Join Date: May 2004
2006-02-22, 10:38

Funny part is I do think this has a lot to do with the move to x86. Hackers and tinkerers can now hack the OS to run on their current boxes. Cost to own a Mac? $0 as long as you're willing to steal the OS. Used to be you'd need to get your hands on an old Mac to be able to pick apart at the OS. Not anymore.

Google is your frenemy.
Caveat Emptor - Latin for tough titty
I tend to interpret things in the way that's most hilarious to me
  quote
Mugge
Thunderbolt, fuck yeah!
 
Join Date: Jan 2005
Location: Denmark
 
2006-02-22, 11:29

Clicked your link scratt, with 'open safe files disabled' and got a 'Heise.jpeg.zip' on my desktop. Sorry for being paranoid but I couldn't bring myself to double-click it. Then I tried to see the *zip's info, but that only caused the beachball to come on permanently until I reset the Finder.

So WTF was this all about?



On the security issue, I also think Apple should get busy with security. I have mocked my friends (poor suffering PC bastards) and I don't want them pointing fingers at me now. As to any hackers who dream of fame and glory; I can assure you that I will "do away with your worthless lives" if I catch one of you disgruntled osx86 fu *** censored *** rds!!!

  quote
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2006-02-22, 11:46

All it does is run a shell command to list your directory contents...

The scariest thing is how fast you go from clicking a link, or a jpeg on your desktop, and the shell is up and text all over the window.. Anything could happen!! Quite a shock the first time...

  quote
johnny5
Member
 
Join Date: Oct 2005
 
2006-02-22, 11:59

the irony...
your system is vulnerable only when you have the "open safe files" option on?
oh, the irony.......
  quote
scratt
Veteran Member
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
2006-02-22, 12:59

At the end of the day none of these 'exploits' are going to get very far, unless you click on any link on any site (I can't see it being on a mainstream, or genuine web site), don't exercise general day to day cautions, and run as a root user on your Mac...

I for one am not that worried.. I also expect there will be a security update within 24 hours based on the media attention today..

If I wasn't so laid back and trusting I would even suspect that certain large computer corporations are

a) Definitely rubbing their hands with glee..
b) Most likely fanning the flames..
c) ..perhaps even devoting time to finding these exploits..

  quote
Luca
ಠ_ರೃ
 
Join Date: May 2004
Location: Minnesota
 
2006-02-22, 13:08

Quote:
Originally Posted by johnny5
the irony...
your system is vulnerable only when you have the "open safe files" option on?
oh, the irony.......
Correction, you are ALWAYS vulnerable. "Open Safe Files" just provides an easy avenue through which to exploit the vulnerability. So does Mail's tendency to automatically open certain attachments without asking your confirmation first.

The problem isn't with Safari; Safari is just more vulnerable because "Open Safe Files" is enabled by default and because a huge portion of Mac users have Safari as their main/only browser.

Because this has to do with the way the operating system handles the opening of files, I expect it might take more than a day to fix. However, it would be a good idea to release a basic security patch while they work on the underlying problem.
  quote
Jason
Veteran Member
 
Join Date: Oct 2004
 
2006-02-22, 13:09

Scratt,

I think you're certainly right on the above points. However, when I read the original article it stated that:

The main problem is that the attacker can determine which application should open a file. Normally, this information is hidden in the file's resource fork and hence limited to the local system. To transport this via the Web, resources typical of Mac can be included for analysis by the local programs. In the weak point reported yesterday, a ZIP archive also contains the folder __MACOSX with metadata. You may infect your computer if you open the JPG file in such an archive without a warning even if the ZIP file was downloaded and saved to your Mac via Firefox. For e-mails, the MIME format AppleDouble allows resource forks to be attached; Apple Mail automatically analyses them. To make things worse, in both cases the type of a file is determined via the extension -- and that can be misleading.

Is there a way a machine can be infected by visiting certain sites without the user opening suspect files? Someone somewhere mentioned 'Drive-by Downloading'?

To be honest, I'm a bit confused about the whole issue now. Should I be running as Admin anymore?

Brad? Somebody? Anybody?
  quote
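As an added example (not part of the thread or of the heise article): a defensive check in Python for the two properties the quoted article describes, a file whose type is judged by a misleading extension and a `__MACOSX` sidecar carrying resource-fork metadata. The magic-byte table, the function names and the sample archive are constructed for illustration; the AppleDouble layout assumed is the standard one (magic 0x00051607, resource fork entry ID 2).

```python
import io
import posixpath
import struct
import zipfile

# Leading bytes expected for a few media extensions (illustrative subset).
MAGIC = {".jpg": [b"\xff\xd8\xff"], ".jpeg": [b"\xff\xd8\xff"], ".pdf": [b"%PDF-"],
         ".png": [b"\x89PNG\r\n\x1a\n"], ".gif": [b"GIF87a", b"GIF89a"]}
APPLEDOUBLE_MAGIC, RESOURCE_FORK_ID = 0x00051607, 2

def has_resource_fork(blob):
    """True if blob is an AppleDouble file with a non-empty resource fork entry."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return False
    (count,) = struct.unpack(">H", blob[24:26])
    for i in range(min(count, (len(blob) - 26) // 12)):  # ignore truncated entries
        entry_id, _offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if entry_id == RESOURCE_FORK_ID and length > 0:
            return True
    return False

def inspect_zip(data):
    """Map entry name -> reasons, for entries whose extension misstates the content."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in sorted(zf.namelist()):
            ext = posixpath.splitext(name)[1].lower()
            if name.startswith("__MACOSX/") or ext not in MAGIC:
                continue
            head = zf.read(name)[:16]
            if any(head.startswith(m) for m in MAGIC[ext]):
                continue  # content really is what the extension claims
            reasons = [f"content is not {ext}"]
            if head.isascii() and not head.startswith(b"#!"):
                reasons.append("text without shebang line")
            folder, base = posixpath.split(name)
            sidecar = posixpath.join("__MACOSX", folder, "._" + base)
            if sidecar in zf.namelist() and has_resource_fork(zf.read(sidecar)):
                reasons.append("AppleDouble resource fork in __MACOSX")
            findings[name] = reasons
    return findings

def build_sample():
    """Constructed archive: text named .jpeg with a sidecar, plus a real JPEG header."""
    header = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 1)
    sidecar = header + struct.pack(">III", RESOURCE_FORK_ID, 38, 4) + b"\0" * 4
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Heise.jpeg", "/bin/ls -al\n")
        zf.writestr("__MACOSX/._Heise.jpeg", sidecar)
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 12)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip(build_sample()))
```

Only the mislabelled entry is reported; the entry with a genuine JPEG header is skipped, and the resource fork in the sample sidecar is four zero bytes, not real Finder metadata.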
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2006-02-22, 13:18

Quote:
Originally Posted by Jason
To be honest, I'm a bit confused about the whole issue now. Should I be running as Admin anymore?
As discussed in the other recent topic, if you have any concern for these vulnerabilities, no you shouldn't be running as admin. Most people won't even notice that they're not running as admin because, really, they don't need the privileges for day-to-day use. At worst, they'll occasionally be prompted for a password when they want to change the contents of /Applications or they change system settings.

It's as simple as this:
1. Create a new user as an admin.
2. Uncheck the option for your user to be an admin.
3. There is no step three!

The quality of this board depends on the quality of the posts. The only way to guarantee thoughtful, informative discussion is to write thoughtful, informative posts. AppleNova is not a real-time chat forum. You have time to compose messages and edit them before and after posting.
  quote
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
2006-02-22, 13:21

You know, "Always Open Safe files" was a bit too Mircosoft-ish.

Could it be that Apple is trying too hard to make it convenient for mass, a la Mircosoft's style?
  quote
Jason
Veteran Member
 
Join Date: Oct 2004
 
2006-02-22, 13:21

Quote:
Originally Posted by Brad
As discussed in the other recent topic, if you have any concern for these vulnerabilities, no you shouldn't be running as admin. Most people won't even notice that they're not running as admin because, really, they don't need the privileges for day-to-day use. At worst, they'll occasionally be prompted for a password when they want to change the contents of /Applications or they change system settings.

It's as simple as this:
1. Create a new user as an admin.
2. Uncheck the option for your user to be an admin.
3. There is no step three!
Ahh...my saviour returns.

  quote
ZachPruckowski
Senior Member
 
Join Date: Dec 2005
 
2006-02-22, 14:03

Quote:
Originally Posted by Brad
As discussed in the other recent topic, if you have any concern for these vulnerabilities, no you shouldn't be running as admin. Most people won't even notice that they're not running as admin because, really, they don't need the privileges for day-to-day use. At worst, they'll occasionally be prompted for a password when they want to change the contents of /Applications or they change system settings.

It's as simple as this:
1. Create a new user as an admin.
2. Uncheck the option for your user to be an admin.
3. There is no step three!
Hey Brad, important question about this: can I give users more permissions?

Specifically, I want to give my regular user account access to Airport without the password. How do I do that?
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2006-02-22, 14:06

No, it's generally just admin or no admin.
  quote
Brad
Selfish Heathen
 
Join Date: May 2004
Location: Zone of Pain
 
2006-02-22, 15:57

Quote:
Originally Posted by scratt
All it does is run a shell command to list your directory contents...
Specifically, here is the content of the script:
Code:
/bin/ls -al
echo
echo
echo "heise Security: Sie sind verwundbar."
echo
echo
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
2006-02-22, 16:02

The thing about this vulnerability is that it can't do much beyond destroy your data. I mean, it can't put its hooks into your system. To prevent this, you could alias the "rm" command to "rm -i" and that will force you to accept the deletion.
  quote
chucker
 
Join Date: May 2004
Location: near Bremen, Germany
2006-02-22, 16:19

Quote:
Originally Posted by torifile
The thing about this vulnerability is that it can't do much beyond destroy your data. I mean, it can't put its hooks into your system. To prevent this, you could alias the "rm" command to "rm -i" and that will force you to accept the deletion.
Quote:
-f Attempt to remove the files without prompting for confirmation, regardless of the file's permissions. If the file does not exist, do not display a diagnostic message or modify the exit status to reflect an error. The -f option overrides any previous -i options.
A clever enough "script kiddie" would therefore simply add '-f', thereby overriding your proposed alias.
  quote
torifile
Less than Stellar Member
 
Join Date: May 2004
Location: Durham, NC
2006-02-22, 16:35

Quote:
A clever enough "script kiddie" would therefore simply add '-f', thereby overriding your proposed alias.
Well, then alias "rm -f" to "rm -i"
  quote
turbulentfurball
Right Honourable Member
 
Join Date: Dec 2005
Location: Québec
2006-02-22, 16:52

Quote:
Originally Posted by Brad
Specifically, here is the content of the script:
Code:
/bin/ls -al
echo
echo
echo "heise Security: Sie sind verwundbar."
echo
echo
Heise Security: They are vulnerable.

I always knew school would come in handy some time!
  quote
Oompa Loompa
Awaiting Email Confirmation
 
Join Date: Apr 2005
Location: Lovely Loompaland
 
2006-02-22, 16:57

Quote:
Originally Posted by turbulentfurball
Heise Security: They are vulnerable.

I always knew school would come in handy some time!
Ehmmm... isn't it: 'Heise Security: You are vulnerable' ?

Well, never mind. Bloody Germans...



BTW: Turbulentfurball, didn't I just tell you to stop mentioning the war?

(just a John Cleese joke, people, let's not get upset...)
  quote