The ‘Month of Kernel Bugs’ project has found two unpatched security vulnerabilities in the way Mac OS X handles .dmg files. The first vulnerability, rated ‘highly critical’ by security firm Secunia, can lead to privilege escalation, denial of service, and system access by a remote user (if Safari’s option to open ‘safe’ files after downloading is checked). The second issue is similar in nature: a corrupted UDTO HFS+ .dmg can lead to a denial of service condition. A workaround for both issues is to disable Safari’s option to open ‘safe’ files after downloading, and not to open any .dmg file from a source you do not trust.
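As an added illustration (not code from MoKB, Apple or this article), the block below shows the kind of bounds checking a disk-image mounter has to do on the 512-byte UDIF “koly” trailer at the end of a .dmg before it trusts any offset the image supplies. The advisories on this page do not say which field the kernel mishandles, so the checks are generic rather than a reconstruction of the bug; the field offsets follow the published UDIF trailer layout (big-endian, trailer is the last 512 bytes of the file). The image builder and the images it produces are constructed for the demonstration and are not real disk images.

```c
/* Added example, not code from MoKB or Apple: a defensive parser for the
 * UDIF "koly" trailer that ends every .dmg.  Every offset/length pair the
 * trailer carries is attacker-controlled, so each is checked against the
 * real file size with overflow-safe arithmetic before it is used. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define UDIF_TRAILER_SIZE 512u
#define UDIF_MAGIC        "koly"

enum udif_status {
    UDIF_OK = 0,
    UDIF_ERR_SHORT,    /* image smaller than one trailer                 */
    UDIF_ERR_MAGIC,    /* no "koly" signature                            */
    UDIF_ERR_HEADER,   /* version or header size not as expected         */
    UDIF_ERR_RANGE     /* a fork/XML region wraps or leaves the file     */
};

struct udif_info {
    uint64_t data_off, data_len;   /* compressed data fork               */
    uint64_t rsrc_off, rsrc_len;   /* legacy resource fork, may be 0/0   */
    uint64_t xml_off,  xml_len;    /* plist holding the block map        */
    uint64_t sector_count;
};

/* Trailer fields are big-endian regardless of host CPU (PPC or Intel). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put64(uint8_t *p, uint64_t v) {
    put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v);
}

/* True when [off, off+len) lies inside a file of `limit` bytes.  Written
 * so that off + len is never evaluated when it would wrap a uint64_t. */
static int region_ok(uint64_t off, uint64_t len, uint64_t limit) {
    return off <= limit && len <= limit - off;
}

enum udif_status udif_parse_trailer(const uint8_t *img, size_t img_len,
                                    struct udif_info *out) {
    if (img_len < UDIF_TRAILER_SIZE) return UDIF_ERR_SHORT;
    const uint8_t *t = img + img_len - UDIF_TRAILER_SIZE;
    uint64_t payload = img_len - UDIF_TRAILER_SIZE; /* bytes before trailer */

    if (memcmp(t, UDIF_MAGIC, 4) != 0)    return UDIF_ERR_MAGIC;
    if (be32(t + 4) != 4)                 return UDIF_ERR_HEADER; /* version */
    if (be32(t + 8) != UDIF_TRAILER_SIZE) return UDIF_ERR_HEADER; /* hdr size */

    struct udif_info in;
    in.data_off = be64(t + 24);  in.data_len = be64(t + 32);
    in.rsrc_off = be64(t + 40);  in.rsrc_len = be64(t + 48);
    in.xml_off  = be64(t + 216); in.xml_len  = be64(t + 224);
    in.sector_count = be64(t + 492);

    if (!region_ok(in.data_off, in.data_len, payload)) return UDIF_ERR_RANGE;
    if (!region_ok(in.rsrc_off, in.rsrc_len, payload)) return UDIF_ERR_RANGE;
    if (!region_ok(in.xml_off,  in.xml_len,  payload)) return UDIF_ERR_RANGE;

    if (out) *out = in;
    return UDIF_OK;
}

/* Constructed test image (not a real .dmg): payload_len zero bytes followed
 * by a trailer claiming the given regions.  buf needs payload_len + 512. */
size_t udif_build_image(uint8_t *buf, size_t payload_len,
                        uint64_t data_off, uint64_t data_len,
                        uint64_t xml_off, uint64_t xml_len) {
    memset(buf, 0, payload_len + UDIF_TRAILER_SIZE);
    uint8_t *t = buf + payload_len;
    memcpy(t, UDIF_MAGIC, 4);
    put32(t + 4, 4);
    put32(t + 8, UDIF_TRAILER_SIZE);
    put64(t + 24, data_off); put64(t + 32, data_len);
    put64(t + 216, xml_off); put64(t + 224, xml_len);
    put64(t + 492, payload_len / 512);
    return payload_len + UDIF_TRAILER_SIZE;
}

int main(void) {
    uint8_t img[4096 + UDIF_TRAILER_SIZE];
    struct udif_info info;
    /* well-formed: data fork 0..3072, XML plist 3072..4096 */
    size_t n = udif_build_image(img, 4096, 0, 3072, 3072, 1024);
    printf("well-formed image: status %d\n", udif_parse_trailer(img, n, &info));
    /* hostile: data fork length makes off+len wrap past the end of the file */
    n = udif_build_image(img, 4096, 4000, UINT64_MAX - 10, 3072, 1024);
    printf("wrapping image:    status %d\n", udif_parse_trailer(img, n, &info));
    return 0;
}
```

The second image in main is the shape of input a fuzzer produces for this format: a trailer whose offset plus length overflows, so a naive `off + len <= size` check passes and a later copy runs off the end of the mapping. A real mounter must apply the same discipline to the XML block map the trailer points at, which this example does not parse.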
Yes, Apple needs to fix it. Having said that, the “workaround” should be standard practice for all files anyway IMHO.
I’d like to see more information. I do not doubt that it’s real, but what versions of OS X does this affect? Anything in particular, or all versions?
Intel? PPC? Universal?
I’m always a little skeptical when there’s little information provided.
Safari automatically opening ‘safe’ files has been a problem before, which they also patched.
But as above, it’s something that should be standard, I usually turn that off because I don’t like things auto-mounting.
Edited 2006-11-22 09:33
Intel? PPC? Universal?
Both Intel and PPC are affected. Mac OS 10.4.8 is affected (so, the latest version).
This problem consists mainly of a corrupt dmg file that causes the DMG mounter to crash. Being part of the kernel, it therefore causes a kernel panic, meaning it crashes the kernel.
This can be annoying but does NOT constitute a security problem since you cannot crash the kernel in such a way that you can actually make it execute your own code.
Do expect some news sites to make this look like a major situation…
As suggested, turn off the “Open safe files after downloading” option in Safari as follows:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab at the top
4. Un-check the “Open ‘safe’ files after downloading” box
5. Close Safari’s preferences
That way, it’s only an extra click via the downloads window to open whatever gets downloaded, which places full control in the hands of the user.
Just remember to turn it back on if you’re downloading a widget and want it to load itself into your Library > Widgets folder. Or you’ll have to drag and drop it yourself.
P.S.- I’ve seen people mod down the last posts… why? Please do notice that you should NOT be modding people down just because you disagree with them…
Edited 2006-11-22 09:51
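The GUI steps above can also be done, and verified, from a shell, which is handier when you look after more than one Mac. The script below is an added example and is not from the commenter, Apple or MoKB; it assumes the checkbox is backed by the AutoOpenSafeDownloads key in the com.apple.Safari defaults domain (the key later Safari versions use for this setting), and that an absent key means Safari’s built-in default, which at the time was on.

```shell
#!/bin/sh
# Added example: inspect and harden Safari's "Open 'safe' files after
# downloading" setting from the command line.
# Assumptions (not stated on the page): the checkbox maps to the
# AutoOpenSafeDownloads key in the com.apple.Safari defaults domain, and
# an absent key means Safari's built-in default, which was "on".

PREF_DOMAIN="com.apple.Safari"
PREF_KEY="AutoOpenSafeDownloads"

# Normalise the raw value printed by `defaults read` to on/off/default.
# `defaults` prints 1/0 for booleans, but a hand-edited plist may hold
# true/false or YES/NO, so accept those as well.
classify_autoopen() {
    case "$1" in
        1|true|TRUE|YES|yes) echo on ;;
        0|false|FALSE|NO|no) echo off ;;
        "")                  echo default ;;   # key absent: built-in default (on)
        *)                   echo unknown ;;
    esac
}

# Returns 0 only when auto-open is explicitly off; "default" counts as on.
autoopen_is_safe() {
    case "$(classify_autoopen "$1")" in
        off) return 0 ;;
        *)   return 1 ;;
    esac
}

# Read the live setting.  `defaults read` exits non-zero when the key is
# unset; the empty output is then classified as "default".
current_autoopen_raw() {
    defaults read "$PREF_DOMAIN" "$PREF_KEY" 2>/dev/null || true
}

disable_autoopen() {
    defaults write "$PREF_DOMAIN" "$PREF_KEY" -bool false
}

case "${1:-}" in
    --check)
        raw=$(current_autoopen_raw)
        echo "Safari auto-open 'safe' files: $(classify_autoopen "$raw")"
        if ! autoopen_is_safe "$raw"; then
            echo "still enabled; run with --fix, then restart Safari"
            exit 1
        fi
        ;;
    --fix)
        disable_autoopen
        echo "$PREF_KEY set to false; restart Safari for it to take effect"
        ;;
esac
```

Run it as `sh safari-autoopen.sh --check` to audit and `--fix` to apply; Safari reads its preferences at launch, so the change only takes effect after a restart, and a check run before that will still report the old value from the on-disk plist only if Safari has already flushed it.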
To be precise: the proof of concept crashes the kernel. The claim is that there’s also potential for arbitrary code execution, but obviously they haven’t got that to work. Given the seriousness of the bug, I doubt they will find one anyway before the patch is out.
Crashing your kernel just by browsing websites is more than annoying though. Imagine you have an important job running in the background. Or even worse, if you’re writing to an encrypted disk image in the background. Kernel panics (or rather, power outages) have been known to corrupt the entire image, which is really hard to recover. And you lose the entire image, not just the files you’re working on.
Anyway, as long as nobody discovers a code execution version, this won’t spread very far. There’s little point in setting up websites just to crash the Macs of random passers-by, especially if it will probably be patched very soon anyway.
This can be annoying but does NOT constitute a security problem since you cannot crash the kernel in such a way that you can actually make it execute your own code.
Why couldn’t you? I thought that was exactly the way to exploit software: make it crash and execute your code. You mean that the system becomes inoperable after a kernel crash? Who guarantees you that?
If the kernel crashes, it gets a kernel panic, i.e. nothing more happens. Who would control things if the kernel crashed?
@Governa
P.S.- I’ve seen people mod down the last posts… why? Please do notice that you should NOT be modding people down just because you disagree with them…
Welcome to OSAlert. LOL
What can I say… People get emotional over computer junk.
I thought you could not mod people down because you disagree with them; it says it’s not valid.
I’ve always been wary of some of these security places, and always suggest people look into them more, as they do like to blow things out of proportion, whether it’s Linux, Windows or OS X etc.
Selling the “drama” :-).
“I thought you could not mod people down because you disagree with them, it says it’s not valid.”
It’s not like it’s hard to click on any of the other options.
Uh huh. I hereby redact this comment.
Edited 2006-11-22 17:25
Shouldn’t it be time to set automatic opening of “safe” files to off by default by now? Preferably with big scary warning signs if you ever feel tempted to turn it on. Having it on by default is just reckless. It amounts to increasing the attack surface from just the browser to the browser plus every registered file handler.
Depends on your definition of the term ‘reckless’
I consider reckless: crossing the road blindfolded, climbing a mountain route without ropes, playing paintball in the buff. (<- I haven’t done any of these btw.)
Decreasing the security of my system by a few percent when there isn’t any known remote execution vulnerability, given that the suggested workaround will make the OS ‘experience’ less user-friendly, is not what I would consider ‘reckless’. Of course, I back up regularly, and have an anti-virus on-access scanner running.
Automatic launching of “safe” files is a hazard. What’s to stop a website from automatically sending you a bogus DMG file that gets automounted when you surf to the site?
I would rather have to look at my list of downloaded files and manually click on the files I want to open.
That’s your option, and Apple has provided that option for you.
I’m not sure that calling for your (user X’s) options to be made default on the grounds of safety over convenience is always a good idea though.
I know it isn’t directly related, but I can’t help but feel that the idea of having to answer 7 confirmation dialogs just to remove the recycle bin from the Windows Vista Beta desktop is an ideal example of what I’m arguing against.
Some options shouldn’t be there in the first place, or at least they should be disabled by default.
As it stands, the option to open “safe” files after downloading is enabled by default. This is a ridiculously dangerous thing to do, as it doesn’t prevent a malicious website from sending you a file and having your machine automatically execute it. What if somebody set up a website that would automatically download a bogus .DMG file to your Mac containing the exploit detailed in the article? Before you know it, boom, your Mac has crashed because it tried to open a “safe” file and there was nothing you could do to stop it in time. All the documents you were working on at the time are now lost because you didn’t save them prior to the crash. Good going Apple?
Having to click on files you’ve downloaded is *nothing* like the example you quoted about Windows Vista. This has more to do with enabling sensible defaults for users, defaults that do not compromise the security of the system just for some misguided sense of convenience. We don’t need ActiveX like crap on the Mac, thank you very much.
I agree with you in principle that some defaults are unsafe and can cause inconvenience when exploited. BUT, this climate of over-hyping any security issue is beginning to get on my nerves. To describe what is a minor problem as ‘ridiculously dangerous’ or ‘… reckless’ is major over-hype.
Firstly, 90% of the time, when I’m working on an important document and I switch to another app (especially a web browser) I save the file. Also, I don’t tend to visit ‘malicious’ websites while working on said documents (despite what you might think, that IS a valid statement).
5 to 7 years ago, system crashes (in Windows AND Mac) were expected; people should be in the habit of saving their documents manually. Most of the time, this is done by the software anyway.
Ever heard of address spoofing? http://macslash.org/article.pl?sid=05/02/09/0818206. Still think it’s smart to just automatically open any files? The exploit detailed in the article currently makes the kernel crash. What if they manage to get it so that the kernel doesn’t crash, and it is then able to arbitrarily execute any code?
I suppose you don’t lock your front door either. After all, it’s such a hassle to go check the door every time someone rings the door bell. Better to just let them automatically enter. What’s the point of locking the door anyway? You don’t associate with dangerous people and all your friends are respectable and trustworthy. Clearly, no need to lock the front door.
It’s always a good idea to practice safe computing habits.
Ever heard of address spoofing?
Actually I have, but because ‘respectable’ (see above) sites don’t tend to link to sites that use IDN spoofing, the risk is pretty low (not zero, but low enough not to get me worrying).
I suppose you don’t lock your front door either. After all, it’s such a hassle to go check the door every time someone rings the door bell
Actually, when I’m in the house, I don’t. If someone is serious about wanting to get into my house, there is enough plate glass around that they won’t bother trying to break the front door. When I go out, I do, although this is for insurance purposes rather than security (see above). Of course I live in a semi-rural area so there is no one close enough to hear a window break. It might be a good test to break a window in a city apartment and see if anyone investigates.
If someone wants to corrupt my computer, let them make a file called setup.exe and IDN spoof the Microsoft Office 2007 site. That way I’ll download something and run it for them. How will that be stopped?
Original advisories by Month of Kernel Bugs (MoKB):
Mac OS X Apple UDIF Disk Image Kernel Memory Corruption (1)
http://projects.info-pull.com/mokb/MOKB-20-11-2006.html
Mac OS X Apple UDTO HFS+ Disk Image Denial of Service (1)
http://projects.info-pull.com/mokb/MOKB-21-11-2006.html
Both contain links to proof of concept disk images.
Both were tested on “up-to-date … Mac OS X installation, running on an Intel ‘shipping’ Mac.”
Edit: the MoKB main page (http://projects.info-pull.com/mokb/) lists them as tested on both x86 and PPC
Edited 2006-11-22 11:33
Well, golly gee there Steve. I just bet you it’s all those patents in the BSD code that McSoft owns that’s causing the problems.
Sorry! Could not resist.
Seriously. I feel safer running Linux, BSD or OSX systems, since even if a crappy piece of code makes its way onto one of these, the system, by design, makes it harder for it to do system-wide damage.
BTW. I work with Linux at home and OSX at work. I was also a McSoft systems administrator for a long time so I do have some experience with McSoft security issues.
And what is this ‘McSoft’ you are talking about?
I could have said MickeySoft.
you could have said Microsoft, like a grown up.
But where’s the 1337ness in that?
you could have said Microsoft, like a grown up.
As somebody who has not had all of the whimsy crushed out of my soul by the burdens of being a grown up, I prefer the term “Mordorsoft” m’self.
Seriously. I feel safer running Linux, BSD or OSX systems, since even if a crappy piece of code makes its way onto one of these, the system, by design, makes it harder for it to do system-wide damage.
By design? The same design that causes Safari to open “safe” files automatically after downloading? Don’t kid yourself. There are some things on the Mac that make it more difficult to shoot yourself in the foot with, but this open “safe” files option isn’t one of them.
It doesn’t matter whether you’re using Safari or not. If you open the disk images, you can have a serious problem. They need to be able to be opened in a safe place and disarmed.
It’s not as if this couldn’t happen on any other system but it’s another good wake up call for Mac users to be aware of what they’re downloading and installing on their systems.
I’ve been using multiple systems for a while but there are some fanatical Mac users who say that nothing can hurt their systems. It should be interesting to see their reactions.