Interesting People mailing list archives
more on this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability
From: David Farber <dave () farber net>
Date: Tue, 21 Feb 2006 17:34:06 -0500
Begin forwarded message:

From: Serge Egelman <egelman () cs cmu edu>
Date: February 21, 2006 4:59:16 PM EST
To: dave () farber net
Subject: Re: [IP] this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability
For IP if you wish:

Not to go on a tangent, but this reminds me of a recent discussion on the Anti-Phishing Working Group mailing list. Someone posted a message asking what can be done if a user is using a phishing detection toolbar, but somehow their connection is hijacked so that all traffic goes through a malicious proxy (with the intent of feeding the toolbar wrong information). I pointed out that if the cause of this is malware installed on the user's computer (giving it the ability at the OS level to redirect all traffic), then all bets are off, as at this point the malware can also alter program behavior (such as adding a few jumps in the toolbar code to bypass checking altogether). Of course DNS poisoning, upstream attacks, and the like are a separate matter (I'm only talking about attacks confined to the local machine).

I was hoping to start a serious discussion on this issue, but instead only marketoids from various toolbar vendors responded, all saying "our product is immune from this problem!" I responded to each one asking how their software is impervious to viral code. Half stopped responding, and the other half gave a non sequitur such as, "we use SSL for our connections!" I responded with, "so say the viral code alters the local certificate," but still haven't heard any responses to that.

So anyway, my point (and the relevance to this thread) is that I believe many of these problems should be addressed at the OS level now. While every OS has vulnerabilities, it would seem that a lot more can be done at the OS level to detect when such vulnerabilities are being exploited. Obviously I don't mean to imply that OSs should detect their own vulnerabilities, but more often than not such exploits have a pattern.

serge

David Farber wrote:
Begin forwarded message:

From: "Robert J. Berger" <rberger () ibd com>
Date: February 21, 2006 3:51:04 PM EST
To: Lee Revell <rlrevell () joe-job com>
Cc: Dave Farber <dave () farber net>, Dewayne Hendricks <dewayne () warpspeed com>
Subject: Re: [IP] Basic Mac OS X Security / New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability

Yes, I agree 100%. The term Secure OS is an oxymoron, especially one connected to a network. Linux and Mac OS X do a better job than Windows, but any OS with lots of lines of code in the kernel and the ability to execute programs downloaded over the net is vulnerable somewhere. At least OS X will prompt you before it runs something as root!

And to prove the point this just in:

Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
http://secunia.com/advisories/18963/

Description:
Michael Lehn has discovered a vulnerability in Mac OS X, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives. This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive.

This can also be exploited automatically via the Safari browser when visiting a malicious web site.

Secunia has constructed a test, which can be used to check if your system is affected by this issue:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability has been confirmed on a fully patched system with Safari 2.0.3 (417.8) and Mac OS X 10.4.5.

Solution:
The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

Do not open files in ZIP archives originating from untrusted sources.
On Feb 21, 2006, at 11:35 AM, Lee Revell wrote:

My point was not as much that Windows is secure, but that the points listed do not constitute a "secure OS". In fact security people consider there to be no such thing - any OS is only as secure as the user. You can be more or less secure by default. Calling OSX a "secure OSX" just struck me as a bit of zealotry. Even Linux people don't claim their OS is secure...

On Tue, 2006-02-21 at 11:25 -0800, Robert J. Berger wrote:

You would think so, but it turns out not to be true.

First of all, it encourages (almost requires) you to run as Administrator all the time to actually use the system.

Second, they "pierced the veil" of memory management isolation as a hack to improve graphics performance. So kernel memory is mapped into every user process.

Third, I'm sure there are more, I'm not an expert, but I see all my friends struggling with worms, viruses and trojans (and lots of bad UI) on windows and I have none of that (ok sometimes there's some bad UI too).

I'm sure others could point out other Windows currently inherent security flaws that are not present in Mac OS. But as the article states, it's not an invulnerable OS and you still have to have some consciousness of how you use it to make it most secure.

Rob

On Feb 21, 2006, at 11:01 AM, Lee Revell wrote:

On Tue, 2006-02-21 at 08:03 -0500, Dave Farber wrote:

Mac OS X is a secure operating system in that it's multi-user and has limits on what some user accounts can do. If an account is set up as a basic user, that user can only hurt himself, not the whole system or other users. However, in the interest of being "friendly" to new users, Apple leaves a lot of the secure bits off for the first user created and this means that trojans like this week's can cause some pretty nasty problems on your system.

If this really constitutes a "secure OS" then you'd have to say the same of Windows.

Lee

------------------------------
Robert J. Berger - Internet Bandwidth Development, LLC.
Voice: 408-882-4755 eFax: +1-408-490-2868 http://www.ibd.com
------------------------------

-------------------------------------
You are subscribed as serge () guanotronic com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/
--
/*
Serge Egelman
PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University
Legislative Concerns Chair
National Association of Graduate and Professional Students
*/
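The Secunia advisory quoted in Robert Berger's message above turns on a ZIP entry whose Finder file-association metadata (carried in the `__MACOSX/._<name>` companion entry) disagrees with the payload's harmless-looking extension, so a shell script named like an image can be executed. The following is an added example written for this archive page, not code from the thread or from Secunia: it unpacks a ZIP in memory and flags entries that have that shape, which is the check a practitioner would want to run on a download before opening it. Assumptions not taken from the thread: the companion entry is an AppleDouble file starting with the magic 0x00051607, the list of "safe" extensions is hypothetical, and the sample archive is constructed inline.

```python
"""Triage a ZIP for the __MACOSX file-association trick.

Added example for this thread, not code from the thread or from Secunia.
Assumptions not taken from the thread: the __MACOSX/._<name> companion is
an AppleDouble file (magic 0x00051607), the "safe" extension list below is
hypothetical, and the sample archive is constructed in memory.
"""
import io
import posixpath
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"   # AppleDouble header (assumption, see above)
# Extensions a user would double-click without a second thought (hypothetical list).
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".txt", ".pdf", ".mov"}


def companion_name(name):
    """Where a Mac-made ZIP stores the Finder metadata for `name`:
    __MACOSX/<dir>/._<basename>."""
    head, tail = posixpath.split(name)
    return "__MACOSX/" + (head + "/" if head else "") + "._" + tail


def scan_archive(data):
    """Inspect every payload entry of the ZIP `data` (bytes).

    Returns one dict per entry: whether a __MACOSX companion exists and
    carries an AppleDouble header, whether the payload starts with a
    shebang, whether the extension is on the "safe" list, and a verdict."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if info.is_dir() or name.startswith("__MACOSX/"):
                continue                  # metadata entries are checked via their payload
            comp = companion_name(name)
            has_meta = comp in names
            apple_double = False
            if has_meta:
                with zf.open(comp) as fh:
                    apple_double = fh.read(4) == APPLEDOUBLE_MAGIC
            with zf.open(name) as fh:
                shebang = fh.read(2) == b"#!"   # a shell script, whatever it is named
            safe_ext = posixpath.splitext(name)[1].lower() in SAFE_EXTENSIONS
            if shebang and safe_ext and has_meta:
                verdict = "script with safe extension and Finder metadata: treat as malicious"
            elif shebang and safe_ext:
                verdict = "script with safe extension, no metadata: suspicious"
            elif has_meta:
                verdict = "Finder metadata present, payload is not a script"
            else:
                verdict = "no Finder metadata"
            findings.append({"name": name, "has_metadata": has_meta,
                             "apple_double": apple_double, "shebang": shebang,
                             "safe_extension": safe_ext, "verdict": verdict})
    return findings


def suspicious_entries(data):
    """Names of entries that are shell scripts hiding behind a safe extension."""
    return [f["name"] for f in scan_archive(data) if f["shebang"] and f["safe_extension"]]


def build_sample_archive():
    """Constructed sample (not a real-world file): a shell script named like a
    JPEG with a __MACOSX companion, a text file with no companion, and a PNG
    whose companion is the benign Finder metadata a Mac ZIP normally carries."""
    buf = io.BytesIO()
    meta = APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24   # header stub only
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday/vacation.jpg", "#!/bin/sh\necho 'this would have run'\n")
        zf.writestr("__MACOSX/holiday/._vacation.jpg", meta)
        zf.writestr("holiday/readme.txt", "plain text, no companion entry\n")
        zf.writestr("holiday/photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("__MACOSX/holiday/._photo.png", meta)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_archive(build_sample_archive()):
        print(f"{f['name']:24} {f['verdict']}")
```

Run as-is it scans the constructed archive; to triage a real download, replace `build_sample_archive()` with the bytes of the ZIP before letting anything open it. The check is a heuristic for the shape the advisory describes (script payload, safe extension, `__MACOSX` companion present); a benign Mac-made archive will carry companions for every entry, which is why the verdict keys on the shebang rather than on the metadata alone. The advisory's own mitigation is the Safari "Open safe files after downloading" setting; the corresponding defaults key on Safari of that era is `AutoOpenSafeDownloads` in the `com.apple.Safari` domain (stated from memory, not from the thread).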
Current thread:
- more on this is very important for mac users New Mac OS X "__MACOSX" ZIP Archive Shell Script Vulnerability David Farber (Feb 21)