
Critical flaw found in Mac OS X

By Bill Brenner, Senior News Writer
21 Feb 2006 | SearchSecurity.com

Security Wire Daily News

Security experts say attackers could exploit a critical security hole in Apple Computer Inc.'s Mac OS X to execute arbitrary shell commands and compromise vulnerable machines. But there are defensive measures IT professionals can take until a patch becomes available.

Word of the flaw came just days after the operating system became the target of malicious code for the first time.

The French Security Incident Response Team (FrSIRT) said in an advisory that the flaw is due to a glitch in how the operating system processes specially crafted resource forks and HFS metadata stored in the "__MACOSX" folder in .zip archives. The security hole affects OS X 10.4.5 and earlier versions.

Attackers could exploit the flaw to execute arbitrary shell commands and compromise a vulnerable system by convincing a user to open a malicious e-mail attachment or visit a specially crafted Web page designed to automatically exploit the vulnerability through the Safari browser.

The new vulnerability isn't hard to exploit, said Johannes Ullrich, chief research officer for the Bethesda, Md.-based SANS Internet Storm Center (ISC). "The published [proof-of-concept code] will tell you anything you need to know," he said in an e-mail exchange Tuesday morning. "The vulnerability will work for shell scripts, which are very easy to write and can be used as 'wrappers' for other malware."

FrSIRT and Danish vulnerability clearinghouse Secunia said researcher Michael Lehn discovered the flaw. In an advisory, Secunia gave the flaw its most severe threat rating, extremely critical. The rating means the flaw is remotely exploitable, could lead to a system compromise and usually doesn't require any user interaction.

Secunia recommended IT administrators counter the threat by disabling the "Open safe files after downloading" option in Safari and by making sure users don't open .zip archives from untrusted sources.

"It is critical to disable 'Open safe files after downloading' in Safari," Ullrich said. "This will at least disable the automatic execution of code via Safari."

But that may not be enough to fully neutralize the threat. "Disabling the 'Open safe files after downloading' option will just prevent the auto-execution with Safari, not the underlying OS X issue with misinterpreting the zipped file," Ullrich added.
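Because the underlying issue sits in the archive's "__MACOSX" metadata rather than in Safari, a mail or download gateway can surface that metadata for triage before a .zip reaches a user. The script below is an added example, not code from the advisories or from anyone quoted here; it assumes the standard AppleDouble header layout (magic 0x00051607, entry ID 2 for a resource fork, 9 for Finder info), and its sample archive is constructed and harmless.

```python
import io
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607  # AppleDouble header magic number
ENTRY_NAMES = {2: "resource fork", 9: "Finder info"}

def appledouble_entries(blob):
    """Entry kinds declared by an AppleDouble header; None if blob is not AppleDouble."""
    if len(blob) < 26:
        return None
    magic, _version, count = struct.unpack(">II16xH", blob[:26])
    if magic != APPLEDOUBLE_MAGIC:
        return None
    kinds = []
    for i in range(count):
        rec = blob[26 + 12 * i:38 + 12 * i]
        if len(rec) < 12:
            break  # descriptor table is truncated
        entry_id, _offset, _length = struct.unpack(">III", rec)
        kinds.append(ENTRY_NAMES.get(entry_id, "entry %d" % entry_id))
    return kinds

def macosx_metadata(zip_bytes):
    """Map every file stored under __MACOSX/ to the metadata kinds it carries."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if "__MACOSX" not in info.filename.split("/") or info.is_dir():
                continue
            with zf.open(info) as member:
                kinds = appledouble_entries(member.read(4096))  # header only
            findings[info.filename] = ["not AppleDouble"] if kinds is None else kinds
    return findings

def build_sample():
    """Constructed sample: one ordinary file plus an all-zero Finder info sidecar."""
    finder_info = b"\x00" * 32
    sidecar = struct.pack(">II16xH", APPLEDOUBLE_MAGIC, 0x00020000, 1)
    sidecar += struct.pack(">III", 9, 38, len(finder_info)) + finder_info
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "hello")
        zf.writestr("__MACOSX/._notes.txt", sidecar)
    return buf.getvalue()

if __name__ == "__main__":
    for name, kinds in macosx_metadata(build_sample()).items():
        print(name, "->", ", ".join(kinds))
```

Archives created on a Mac routinely contain "__MACOSX" entries, so a hit is a reason to hold the attachment for review when it comes from an untrusted sender, not proof that it is malicious.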

The flaw and last week's appearance of malcode targeting Mac OS X may be hard for some users to swallow, given that the operating system has long been considered a more secure alternative to Microsoft Windows.

But Graham Cluley, senior technology consultant for UK-based AV firm Sophos, said the Mac OS X threats shouldn't be blown out of proportion. Asked if the latest malcode could be tweaked to exploit this vulnerability, he said in an e-mail exchange, "I don't think yet that we're seeing the intensity of hacker activity on the Mac platform that would suggest that this is likely."

He added, "My feeling at the moment is that the Mac OS X malware we are seeing is being coded by a small number of individuals who are doing it as a proof-of-concept, an intellectual exercise if you like."

However, he added, "If more criminally-minded hackers are attracted to the platform, they may put more effort into abusing a vulnerability like this to spread malware" in the future.

Apple did not immediately return phone and e-mail requests for comment.
