Critical Mac OS X flaw - Fixed
Update (2006/Mar/2) – Apple has released updates to several versions of OS X (OS “ten”) to fix the previously reported flaw in Safari and file handling below, as well as a handful of other bugs (security-related and otherwise).
The versions covered in this update include v10.3.9 and 10.4.5 – Mac users should upgrade either manually at Apple’s “Downloads” site or by configuring and using the Mac’s Automatic Update feature, if you haven’t already configured it in your System Preferences. I recommend using automated tools like the Auto Update function as much as possible to make your life a bit easier (and to receive the updates in a more timely manner in the future).
_____________________________________________________________
KevFrey
kevfrey@gmail.com
============================================
Original Advisory: 2006-Feb-26
A new vulnerability affecting users of Mac OS X has been discovered by a Ph.D. student named Michael Lehn. This flaw is very serious and can be exploited remotely. Like many IE flaws in Windows, this flaw allows the automatic execution of code by Safari (the default Mac web browser). Other browsers (Firefox, Opera, Camino, etc.) do not automatically execute the problematic files, but could still be used as a way of delivering the nefarious programs onto your computer.
Heise online has a nice article on some of the technical details of the flaw if you are a concerned Mac user. But, to summarize, the problem is that Safari automatically executes certain file types designated as “safe” by default. Examples of these include ZIP files, documents, images, video, etc. However, Lehn has found that shell scripts (a kind of high-level operating system programming function) will automatically execute if a specific qualifying line is omitted from the file. This is bad, because shell scripts are very powerful and can do things like delete or manipulate files, call other programs, etc., and a clever hacker could easily find a way to infiltrate a Mac OS X computer using these scripts.
Additionally, if the script file is disguised as an image file (or another “safe” type), it could be used on a web page and automatically rendered by the Safari browser to run. This remote execution is the crux of the severity assigned to this flaw, which is very similar to the Windows Metafile (WMF) flaw found in December 2005, around the New Year’s time frame.
Mac users have yet to hear from Apple on this flaw and a fix has yet to be published. The vulnerability has been confirmed on fully patched systems running Safari 2.0.3 (417.8), Mail 2.0.5 (746/746.2), and Mac OS X 10.4.5.
How to protect yourself in the meantime
- Temporarily disable the “Open safe files after downloading” option in Safari until a fix is released from Apple and applied to your system.
- Do not open files or mail attachments from unknown or untrusted senders.
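As an added example (not part of the original advisory or any Apple tool), the Python sketch below flags downloaded files whose "safe" extension does not match their leading bytes, which is the disguise described above. The signature table, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import tempfile

# Leading-byte signatures for a few "safe" types (illustrative subset, assumed).
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".zip": [b"PK\x03\x04", b"PK\x05\x06"],
}

def looks_like_text(head):
    """True if the sample is non-empty and only printable ASCII or whitespace."""
    return bool(head) and all(b in (9, 10, 13) or 32 <= b < 127 for b in head)

def classify(path):
    """Return 'ok', 'mismatch', 'text-mismatch' or 'unchecked' for one file."""
    ext = os.path.splitext(path)[1].lower()
    magics = SIGNATURES.get(ext)
    if magics is None:
        return "unchecked"          # extension not in the table
    with open(path, "rb") as fh:
        head = fh.read(512)
    if any(head.startswith(m) for m in magics):
        return "ok"
    # Plain text behind a binary extension is the case worth a closer look.
    return "text-mismatch" if looks_like_text(head) else "mismatch"

def scan(directory):
    """Walk a directory and return {path: verdict} for files failing the check."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            verdict = classify(path)
            if verdict.endswith("mismatch"):
                findings[path] = verdict
    return findings

def demo():
    """Scan three constructed sample files written to a temporary directory."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
        "holiday.png": b"echo constructed sample\n",       # text posing as PNG
        "notes.txt": b"plain notes\n",                     # type not checked
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return {os.path.basename(p): v for p, v in scan(tmp).items()}
```

Running `scan()` over a downloads folder lists candidates for manual review; a match on leading bytes alone does not prove a file is harmless.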
I will update this entry once Apple has posted a fix or if new information is forthcoming.