February 21st, 2006

Extremely critical Mac OS X zero-day exploit released

Posted by George Ou @ 2:26 am

Categories: Security

Heise online is reporting that a new critical vulnerability for Mac OS X has been discovered, and it appears to have ramifications beyond the Safari browser (thanks to SANS and SunbeltBLOG for the link). The problem is severe because a user simply needs to visit a malicious website and shell scripts will launch with zero user interaction!

The root cause is that OS X will automatically launch a downloaded shell script (even one inside a ZIP file) when the script is missing certain syntax at its beginning.

Here is an excerpt from Heise online:
You can determine whether your system is vulnerable by using this online demonstration provided by Heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.

Vulnerabilities don’t get any more serious than this, since it requires no user interaction. The recent Mac OS X Leap.A worm attempted to fool users into launching malicious code disguised as an image file, but this exploit launches the minute you visit a webpage with Safari. All Apple OS X users should immediately implement the following temporary workaround before Apple releases a patch.

Heise online recommends this temporary workaround:
The best immediate recourse against such an attack is to deactivate the option "Open ’safe’ files after downloading" in the "General" section of Safari’s preferences. Alternative web browsers such as Camino or Firefox do not support the automatic execution of files. These browsers can be prompted to automatically download a file by using the refresh command in the HTML source code of a web page. However, the file will not be executed. Since the Finder selects the icon for a file based on its extension, users are advised to verify that the OS is using the proper file type. This can be done through the information window or in column view.
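
The two checks the Heise workaround asks users to make, as an added example that is not code from this post, from Heise or from Apple: first, report whether Safari's "Open 'safe' files after downloading" option is on (the preference key com.apple.Safari AutoOpenSafeDownloads is Safari's real key; on a system without the `defaults` tool the state is reported as unknown), and second, scan a downloads folder for files whose extension claims a "safe" image, movie or archive type but whose content is plain text, which is exactly the extension/content mismatch the quoted advice tells users to look for in the Finder. The sample folder, file names and their contents are constructed here for the demonstration.

```sh
#!/bin/sh
# Added example (not from the ZDNet post, Heise or Apple): audit the Safari
# auto-open setting and look for downloads whose extension and content disagree.

# Normalise the raw preference value. Safari's default is ON, so an empty or
# absent value is treated as enabled.
classify_autoopen() {
  case "$1" in
    0|false|FALSE|no|NO) echo "disabled" ;;
    *) echo "enabled" ;;
  esac
}

# Read the live setting on macOS via `defaults`; elsewhere report "unknown".
read_autoopen() {
  if command -v defaults >/dev/null 2>&1; then
    val=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null) || val=""
    classify_autoopen "$val"
  else
    echo "unknown"
  fi
}

# True when the first 512 bytes contain only printable ASCII and whitespace.
# Genuine JPEG/PNG/GIF/ZIP/MOV files start with binary magic bytes and fail this.
is_plain_text() {
  n=$(head -c 512 "$1" | LC_ALL=C tr -d '[:print:][:space:]' | wc -c | tr -d ' ')
  [ "$n" -eq 0 ]
}

# True when the extension promises a media/archive type Safari treats as "safe"
# but the content is plain text (for example a shell script renamed to .jpg).
is_disguised_text() {
  case "$1" in
    *.jpg|*.jpeg|*.png|*.gif|*.mov|*.zip) is_plain_text "$1" ;;
    *) return 1 ;;
  esac
}

# Scan one directory, print a line per suspicious file, and print the total
# count as the last line so callers can capture it with `tail -n 1`.
scan_downloads() {
  dir="$1"; count=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    if is_disguised_text "$f"; then
      if [ "$(head -c 2 "$f")" = "#!" ]; then
        kind="script with shebang"
      else
        kind="script-like text, no shebang"   # the case the article describes
      fi
      echo "SUSPICIOUS: $f ($kind)"
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Constructed sample folder: a real JPEG header, an honest text file, and a
# shebang-less script wearing a .jpg name (it only lists a folder, like the demo).
make_sample_dir() {
  d=$(mktemp -d)
  printf '\377\330\377\340\000\020JFIF\000' > "$d/holiday.jpg"
  printf 'meeting notes\n' > "$d/notes.txt"
  printf 'ls -la "$HOME"\n' > "$d/cute-cat.jpg"
  echo "$d"
}

main() {
  echo "Safari AutoOpenSafeDownloads: $(read_autoopen)"
  d=$(make_sample_dir)
  scan_downloads "$d"
  rm -rf "$d"
}

main
```

Run it as-is to see the constructed folder flagged (one hit, `cute-cat.jpg`); point `scan_downloads` at your own `~/Downloads` to audit real files. The text heuristic is deliberately conservative: it only looks at files whose extension claims a binary media or archive type, so ordinary `.txt` or `.sh` downloads are never reported.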

[Updated 10:00 AM]  Secunia posted this "extremely critical" advisory along with a demonstration link that automatically launches the calculator.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 287)

Applet Rating?
For readers like microwiz (descriptive ...) there could be an RSS rating feature.

"A" would stand for "Not suitable for applets-contains adult information and less than adorational levels of OS worship."...
Posted by: crescentdave Posted on: 02/28/06
I'll admit I only skimmed the article but is this a  Laff | 02/21/06
The article says go here for demo  wolf_z | 02/21/06
Technically yes you are correct but it is in and of itself  Laff | 02/21/06
Do you know what a shell script can do?  NonZealot | 02/21/06
30 seconds? Man are you a slow typist.....:)  Laff | 02/21/06
My Goodness! I can hardly believe it!!!  Cayble | 02/21/06
Same as windows  SquishyParts | 02/21/06
windows doesn't use DOS  IceTheNet@... | 02/23/06
No effect here  Rick_K | 02/21/06
proportion  glocks out | 02/21/06
but how many people have that  IceTheNet@... | 02/23/06
Who cares?  NonZealot | 02/21/06
Malware creators everywhere care.  Anton Philidor | 02/21/06
Well I for one ain't rich.....:)  Laff | 02/21/06
Buying Macs will do that to you.  Anton Philidor | 02/21/06
well.. it's true that...  doh123 | 02/21/06
Plus  tic swayback | 02/21/06
RE: well.. it's true that...  richdave | 02/23/06
Another outlier  Real World | 02/21/06
That's why I said median income...  Anton Philidor | 02/21/06
rich targets...  doh123 | 02/21/06
They only get paid when they keep it a secret  george_ou | 02/21/06
Then they'd have to locate...  Anton Philidor | 02/21/06
Actually there is.  nucrash | 02/21/06
Thieves use malware...  Anton Philidor | 02/21/06
Thieves?  nucrash | 02/22/06
You prefer...  Anton Philidor | 02/22/06
?????????  SquishyParts | 02/21/06
Only time will tell if it is truly marketshare  I'm Ye, the MS SHILL . | 02/21/06
The main reason Mac is subject to fewer attacks  georgep_z | 02/21/06
Good one  toadlife | 02/21/06
Yes there is  hipparchus2001 | 02/21/06
Again - there is nothing special about UNIX  toadlife | 02/21/06
well.....  hipparchus2001 | 02/21/06
hipparchus2001  NonZealot | 02/21/06
RE: Again - there is nothing special about UNIX  richdave | 02/23/06
Mac is subject to fewer attacks  needtogetanapple | 02/22/06
Maybe, But  dreis@... | 02/23/06
Schadenfreude  baggins_z | 02/21/06
Where do you see joy in my response?  george_ou | 02/21/06
How soon they forget....  NonZealot | 02/21/06
Here's the link  george_ou | 02/21/06
Easy  baggins_z | 02/21/06
Gee. Don't show your bias now.  toadlife | 02/21/06
More to it  baggins_z | 02/21/06
Wrong  ianbetteridge | 02/22/06
Correction  baggins_z | 02/22/06
No need to, Mac OS X exploits are plenty  george_ou | 02/21/06
Thanks  baggins_z | 02/21/06
well now...  mboo | 02/22/06
As opposed to MS who never fixes anything  bpick_z | 02/21/06
Patches every month  SquishyParts | 02/21/06
Nope, here's proof  george_ou | 02/23/06
George is the right person to report this  Chad_z | 02/21/06
Thank you, what a well thought out and articulated post.  No_Ax_to_Grind | 02/21/06
Wonder what was so offensive...  jasonp@... | 02/21/06
Didn't say it was offensive. I patted him on the back.  No_Ax_to_Grind | 02/21/06
Yes this is a bad flaw  hipparchus2001 | 02/21/06
Also, ZDNET wants to make SURE there is a MS bias in every story  bpick_z | 02/21/06
Not exactly new  j.m.galvin | 02/21/06
Disabled by default; does require user action  Doug K | 02/21/06
No  ianbetteridge | 02/22/06
This is impossible  NonZealot | 02/21/06
Some of us said that, yes.  dlmeyer@... | 02/21/06
Won't suffer greatly?  NonZealot | 02/21/06
Vista doesn't have this problem with user file access  george_ou | 02/21/06
Vista does not exist  georgep_z | 02/21/06
Vista Does exist  John Zern | 02/21/06
Vista is VAPORWARE, George, but I see your point...  bpick_z | 02/21/06
So you're saying that isn't a better permissions model?  george_ou | 02/21/06
No, MS just hasn't pulled that feature yet...  bpick_z | 02/21/06
This is easy to do in *ANY* unix security model system  hipparchus2001 | 02/21/06
?????????  SquishyParts | 02/21/06
George meet ActiveX, ActiveX meet George...  ju1ce | 02/22/06
wow... where have you been?  unoriginal_sin | 02/23/06
Correct scheme, flawed implementation  tic swayback | 02/21/06
Wrong  NonZealot | 02/21/06
Once again.....so?  Laff | 02/21/06
So?  NonZealot | 02/21/06
Levels of damage  tic swayback | 02/21/06
You continue to minimalize the loss of user files  NonZealot | 02/21/06
He/she should know the pain of losing files being a Windows user!  Laff | 02/21/06
Please use your own logic  tic swayback | 02/21/06
My logic is fine  NonZealot | 02/21/06
Best tuneup that logic  tic swayback | 02/22/06
Simple really....Because while OSX does have vulnerabilities  Laff | 02/21/06
Grain of sand  SquishyParts | 02/21/06
Overexaggeration  tic swayback | 02/21/06
You still cling to this?  NonZealot | 02/21/06
What's to cling to?  tic swayback | 02/21/06
Hehe, fair enough  NonZealot | 02/21/06
More info available  tic swayback | 02/22/06
This is no big deal  NonZealot | 02/21/06
really?  doh123 | 02/21/06
Isn't this a Safari exploit?  Robert Crocker | 02/21/06
Missing the point  baggins_z | 02/21/06
Windows doesn't suck...  Mixotic | 02/21/06
You downloaded and installed Safari manually?  NonZealot | 02/21/06
nope!  doh123 | 02/21/06
Um, that's not the point  wolf_z | 02/21/06
I just checked  j.m.galvin | 02/21/06
the point is  doh123 | 02/21/06
Still an OS problem not App  rreed567 | 02/22/06
You aren't going to like this reply  NonZealot | 02/21/06
A point you mentioned...  ju1ce | 02/21/06
RE: You aren't going to like...  JakAttak | 02/21/06
Re re not going to like...  NonZealot | 02/21/06
Ever tried to reinstall iexplore.exe?  Anton Philidor | 02/21/06
One difference is Apple never got caught lying in court about it.  bpick_z | 02/21/06
that would be good if...  doh123 | 02/21/06
Then explain this  NonZealot | 02/21/06
For a NonZealot you're reading pretty high on the zealotry meter  Richard Flude | 02/21/06
Thanks for the correction  NonZealot | 02/21/06
More specifically "Launch Services"  Richard Flude | 02/21/06
Right on, Right on, Right on.........  donjohn@... | 02/22/06
Follow the links, it is an OSX vulnerability  NonZealot | 02/21/06
Well said  nECrO_z | 02/21/06
Good analysis ... but ...  dlmeyer@... | 02/21/06
Okay, if it makes you feel better  NonZealot | 02/21/06
Deleting ALL your files requires no social engineering  george_ou | 02/21/06
Clarification  nECrO_z | 02/21/06
Read the post  nECrO_z | 02/21/06
show how it's done  doh123 | 02/21/06
If this is an OS X vulnerability,  georgep_z | 02/21/06
You answer your own question  rreed567 | 02/22/06
Yes, it's a Safari exploit - so?  dlmeyer@... | 02/21/06
Ratiocinated bifurcations engender nugatory animadversions.  Anton Philidor | 02/21/06
Nitpicking aside ...  dlmeyer@... | 02/21/06
Did anyone proof-read this article?  BitTwiddler | 02/21/06
Workaround.. to use Firefox perhaps?  hipparchus2001 | 02/21/06
I tried this on XP - seems safe (nt)  Qbt | 02/21/06
Message has been deleted.  b.d.hi | 02/21/06
Message has been deleted.  KTLA | 02/21/06
Message has been deleted.  NonZealot | 02/21/06
Most mac users that I know  zmud | 02/21/06
this isn't malware  hipparchus2001 | 02/21/06
It *IS* malware  KTLA | 02/21/06
I think that he meant  j.m.galvin | 02/21/06
Yep, it isn't something like a buffer overrun  hipparchus2001 | 02/21/06
And the collective IQ for PC users?  GoPower | 02/21/06
I agree with you  NonZealot | 02/21/06
Don't know about you....  ju1ce | 02/21/06
I would have agreed 2 months ago  NonZealot | 02/21/06
It's great that you do...  ju1ce | 02/21/06
I guess it's one of those...  ju1ce | 02/21/06
Be glad for auto updates...  Anton Philidor | 02/21/06
PC users are on average more battle hardened  george_ou | 02/21/06
Agree 100% (nt)  NonZealot | 02/21/06
Right...  ju1ce | 02/21/06
You want a Pat on the Back?  Harry Bardal | 02/21/06
HAH.  A_Pickle | 02/21/06
Market Share Rocks! Therefore I Am Sad.  Harry Bardal | 02/21/06
Not really  nucrash | 02/21/06
From my own experience, I would say this is true.  enduser_z | 02/21/06
Ridiculous Logic  Harry Bardal | 02/21/06
Hmm, care to reconsider?  NonZealot | 02/21/06
Accurately titled post.  enduser_z | 02/21/06
I have, get used to it  nucrash | 02/21/06
More that they are used to being victimized  bpick_z | 02/21/06
Not battle hardened. Rather they are war-weary. (NT)  Letophoro | 02/21/06
I think you'll find a lot of Mac users are also PC users  hipparchus2001 | 02/21/06
Clarification for those getting defensive...  NonZealot | 02/21/06
Amen  nucrash | 02/21/06
I think..  Brich | 02/21/06
are you insulting me?  dlmeyer@... | 02/21/06
Rocket Scientist  SquishyParts | 02/21/06
and Windows users won't warn them.  kiddpeat | 02/22/06
Didn't do anything  b.d.hi | 02/21/06
Welcome to the wonderful world of George Ou  zkiwi | 02/21/06
Why aren't Mac users happy about this?  KTLA | 02/21/06
It shows their OS in a bad light  joethemacfan | 02/21/06
users ... not OS  dlmeyer@... | 02/21/06
Serious damage?  NonZealot | 02/21/06
I would say that's worse  george_ou | 02/21/06
Back up  georgep_z | 02/21/06
They also have tools to undelete (NT)  ju1ce | 02/21/06
Come on, one vulnerability doesn't prove a rule  hipparchus2001 | 02/21/06
I thought there were NO vulnerabilities.  kiddpeat | 02/22/06
so...what you're saying....  Monkey_MCSE | 02/21/06
Brains  KTLA | 02/21/06
Zero Day?  TheTSArt | 02/21/06
that's George for ya  Monkey_MCSE | 02/21/06
In a sense it's true.  Anton Philidor | 02/21/06
Not By The Definition I'm Finding  TheTSArt | 02/21/06
Zero day  KTLA | 02/21/06
That is one stoopid definition  bpick_z | 02/21/06
Wrong  Fred Fredrickson | 02/22/06
'Zero day' yes....  s_gamgee | 02/22/06
maybe you should educate yourself better  zzz1234567890 | 02/21/06
Heise Security  Jkirk3279 | 02/21/06
It DOES work if you click a URL  george_ou | 02/21/06
What about the other claim?  Jkirk3279 | 02/21/06
It downloads and runs automatically  george_ou | 02/21/06
hmmmm  mboo | 02/21/06
You've got to be kidding...  FatherJ | 02/23/06
If True...  Jkirk3279 | 02/24/06
Of course they are sponsored by MS  bpick_z | 02/21/06
It's Time  ChasmoeBrown | 02/21/06
George, we can see you snickering  georgep_z | 02/21/06
Message has been deleted.  itanal | 02/21/06
lousy * fanboys  hipparchus2001 | 02/21/06
You're an idiot...  ~rpb~ | 02/22/06
Technically, he's right.  Joel R | 02/22/06
I Can't Get the Exploit to Run  friedcow | 02/21/06
No problem then, you have PLENTY of vul'ns AND exploits  bpick_z | 02/21/06
You can count on George  supoman | 02/21/06
Is option default or NOT?  bpick_z | 02/21/06
overrides sudo?  ktramd | 02/21/06
No, but it can steal or nuke your files  george_ou | 02/21/06
George, dodging questions much?  Monkey_MCSE | 02/21/06
Message has been deleted.  hipparchus2001 | 02/21/06
Message has been deleted.  george_ou | 02/21/06
Message has been deleted.  hipparchus2001 | 02/21/06
Message has been deleted.  hipparchus2001 | 02/21/06
I answered the question already  george_ou | 02/21/06
It's your article/blog  Monkey_MCSE | 02/21/06
Everyone is reporting the same thing  george_ou | 02/21/06
No I didn't make vulgar comments you didn't read the message  hipparchus2001 | 02/21/06
Also take it up with Mike  george_ou | 02/21/06
so when was Apple notified of the exploit?  hipparchus2001 | 02/21/06
I just got deleted for saying humans are animals  hipparchus2001 | 02/21/06
You got deleted for making vulgar comments about my daughter  george_ou | 02/21/06
Not true I've asked moderator to delete your messages claiming this  hipparchus2001 | 02/22/06
Suggestion  nizuse | 02/22/06
I don't call people that  george_ou | 02/22/06
keep repeating the lie george  hipparchus2001 | 02/23/06
When you can't attack the message...  NonZealot | 02/21/06
Message has been deleted.  JetJaguar | 02/21/06
Message has been deleted.  hipparchus2001 | 02/21/06
Once again, get a clue.  FatherJ | 02/23/06
I should try that sometimes wink  george_ou | 02/23/06
Get a clue  FatherJ | 02/23/06
Reality is multivariate  the_doge | 02/21/06
Reality  TonyMcS | 02/22/06
rEALITY  gjsherr | 02/28/06
Out of interest, when was the fault reported to Apple so they could fix it  hipparchus2001 | 02/21/06
windows vulnerability  glocks out | 02/21/06
Ah...  Jkirk3279 | 02/24/06
Such product fanboy wars ere were seen (marklar)  hipparchus2001 | 02/21/06
Thanks for the heads up!!!  William Cote | 02/21/06
To Z_D  s_gamgee | 02/22/06
Sensationalism.  s_gamgee | 02/22/06
 ProFab_z | 02/22/06
Let me see if I understand  NonZealot | 02/22/06
Say what?  ProFab_z | 02/22/06
Wow, long post to say nothing at all!!  NonZealot | 02/22/06
So you're saying you know more than SANS?  george_ou | 02/22/06
Dude I might not know more than them but I do know this!  Laff | 02/22/06
SANS and Secunia don't sell AV or FW  george_ou | 02/22/06
Not worth the argument  ianbetteridge | 02/23/06
That's exactly what I'm saying  ProFab_z | 02/22/06
This is new, serious and not a trojan, virus or other species  mdfischer | 02/23/06
INVINCIBLE!  Anon_ymous | 02/22/06
been there, done that.  shraven | 02/22/06
OS X "exploits" are all the rage  erichayes5@... | 02/22/06
Very entertaining article!  NonZealot | 02/22/06
Easy work around!  CKayote | 02/22/06
Serious problem, easy workaround, Peace  mdfischer | 02/22/06
I think it's about time to drop the ZDNet feeds  microwiz | 02/22/06
Applet Rating?  crescentdave | 02/28/06
Mac-fans showing their real colours....  Scrat | 02/23/06
Multiple camps showing their colors  woot! | 02/23/06
repeating lies  hipparchus2001 | 02/23/06
and the proof  hipparchus2001 | 02/23/06
Please do...  Linux User 147560 | 02/23/06
Secret Cause of Flame Wars  D. T. Schmitz | 02/23/06
Secret Cause of Flame Wars, Take 2  D. T. Schmitz | 02/23/06
I usually don't get too upset  george_ou | 02/23/06
Continued  george_ou | 02/23/06
I was replying to the "fornicates with animals post"  hipparchus2000 | 02/23/06
That is not how you said it  george_ou | 02/23/06
in that case I apologise again  hipparchus2001 | 02/23/06
Ok, let's forget it then  george_ou | 02/24/06
I have experienced this, too  JetJaguar | 02/24/06
Technology / Email  D. T. Schmitz | 02/24/06
Familiar  nizuse | 02/25/06
And there you have it! happy  D. T. Schmitz | 02/25/06
Authenticate Launches  Alex Santos | 02/23/06
The point I've been trying to make has been obscured by my own poor comms  hipparchus2001 | 02/24/06
Hang in there!  D. T. Schmitz | 02/24/06
"Vulnerabilities don't get any more serious than this"  mobrien_12@... | 02/24/06
Why would you spin like that?  george_ou | 02/24/06
No spin  mobrien_12@... | 02/25/06
broken talkback.  mobrien_12@... | 02/25/06
truncation  D. T. Schmitz | 02/25/06
Me too  george_ou | 02/25/06
Cut In  crescentdave | 02/28/06