<<< Date Index >>>     <<< Thread Index >>>

[IP] more on this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability





Begin forwarded message:

From: Serge Egelman <egelman@xxxxxxxxxx>
Date: February 21, 2006 4:59:16 PM EST
To: dave@xxxxxxxxxx
Subject: Re: [IP] this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability

For IP if you wish:

Not to go on a tangent, but this reminds me of a recent discussion on
the Anti-Phishing Working Group mailing list.  Someone posted a message
asking what can be done if a user is using a phishing detection toolbar,
but somehow their connection is hijacked so that all traffic goes
through a malicious proxy (with the intent of feeding the toolbar wrong
information).  I pointed out that if the cause of this is malware
installed on the user's computer (giving it the ability at the OS level
to redirect all traffic), then all bets are off.  As at this point the
malware can also alter program behavior (such as adding a few jumps in
the toolbar code to bypass checking altogether).  Of course DNS
poisoning, upstream attacks, and the like are a separate matter (I'm
only talking about attacks confined to the local machine).

I was hoping to start a serious discussion on this issue, but instead
only marketoids from various toolbar vendors responded, all saying "our
product is immune from this problem!"  I responded to each one asking
how their software is impervious to viral code.  Half stopped
responding, and the other half gave a nonsequitor such as, "we use SSL
for our connections!"  I responded with, "so say the viral code alters
the local certificate," but still haven't heard any responses to that.

So anyway, my point (and the relevance to this thread) is that I believe
 many of these problems should be addressed at the OS level now.  While
every OS has vulnerabilities, it would seem that a lot more can be done
at the OS level to detect when such vulnerabilities are being exploited.
 Obviously I don't mean to imply that OSs should detect their own
vulnerabilities, but more often than not such exploits have a pattern.


serge

David Farber wrote:


Begin forwarded message:

From: "Robert J. Berger" <rberger@xxxxxxx>
Date: February 21, 2006 3:51:04 PM EST
To: Lee Revell <rlrevell@xxxxxxxxxxx>
Cc: Dave Farber <dave@xxxxxxxxxx>, Dewayne Hendricks
<dewayne@xxxxxxxxxxxxx>
Subject: Re: [IP] Basic Mac OS X Security / New Mac OS X "__MACOSX" ZIP
Archive Shell Script Vulnerability

Yes, I agree 100%. The term Secure OS is an oxymoron, especially one
connected to a network.

Linux and Mac OS X does do a better job than Windows, but any OS with
lots of lines of code in the kernel and the ability to execute programs
downloaded over the net
is vulnerable somewhere.

At least OS X will prompt you before it runs something as root!.

And to prove the point this just in:

Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
http://secunia.com/advisories/18963/
Description:

Michael Lehn has discovered a vulnerability in Mac OS X, which can be
exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of file
association meta data (stored in the "__MACOSX" folder) in ZIP
archives. This can be exploited to trick users into executing a
malicious shell script renamed to a safe file extension stored in a
ZIP archive.

This can also be exploited automatically via the Safari browser when
visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your
system is affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with
Safari 2.0.3 (417.8) and Mac OS X 10.4.5.

Solution: The vulnerability can be mitigated by disabling the "Open
safe files after downloading" option in Safari.

Do not open files in ZIP archives originating from untrusted sources.


On Feb 21, 2006, at 11:35 AM, Lee Revell wrote:

My point was not as much that Windows is secure, but that the points
listed do not constiture a "secure OS".

In fact security people consider there to be no such thing - any OS is only as secure as the user. You can be more or less secure by default.

Calling OSX a "secure OSX" just struck me as a bit of zealotry.  Even
Linux people don't claim their OS is secure...

On Tue, 2006-02-21 at 11:25 -0800, Robert J. Berger wrote:

You would think so, but it turns out not to be true.

First of all, it encourages (almost requires) you to run as
Administrator all the time to actually use the system.

Second, they "pierced the veil" of memory management isolation as a
hack to improve graphics performance. So kernel memory is mapped into
every user process.

Third, I'm sure there are more, I'm not an expert, but I see all my
friends struggling with worms, virus and trojans (and lots of bad UI)
on windows and I have none of that (ok sometimes there's some bad UI
too)

I'm sure others could point out other Windows currently inherent
security flaws that are not present in Mac OS.

But as the article states, its not an invulnerable OS and you still
have to have some consciousness of how you use it to make it most
secure.

Rob

On Feb 21, 2006, at 11:01 AM, Lee Revell wrote:

On Tue, 2006-02-21 at 08:03 -0500, Dave Farber wrote:

Mac OS X is a secure operating system in that it's multi-user
and has limits on what some user accounts can do. If an account
is setup as a basic user, that user can only hurt himself, not
the whole system or other users. However, in the interest of
being "friendly" to new users, Apple leaves of a lot of the
secure bits off for the first user created and this means that
trojans like this week's can cause some pretty nasty problems on
your system.


If this really constitutes a "secure OS" then you'd have to say the
same
of Windows.

Lee


––––––––––––––––––––––––––––––
Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
http://www.ibd.com






––––––––––––––––––––––––––––––
Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868
http://www.ibd.com





-------------------------------------
You are subscribed as serge@xxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting- people/

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate and Professional Students
*/


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
 http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/