The weak point in Apple’s Mac OS X operating system is apparently worse than originally thought. In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances. It suffices to disguise a script with the ending “jpg” and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient’s system also opens it with the Terminal. Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. Update: Heise is right.
I read a few other news postings about the OSX virus on OSN. One thing is common with proponents of OSS:
Whenever there is a security problem with OSS (Mac and Linux), blame it on anyone: blame it on the command-line ignorance of the average Joe, blame it on a dog on the street… but never blame it on the developers or distribution of OSS.
Whenever there is a problem with MS security, squarely blame it on MS for not providing an adequately secure operating system… This is not a fair deal.
I still think # rm -rf ~/ can devastate not only the average Joe but also big institutes holding crucial data.
How come this simple script malware escaped through thousands of code watching eyes??
“How come this simple script malware escaped through thousands of code watching eyes?”
There is no explicit code bug that’s causing the problem here. It’s more of a conceptual problem, mainly that OS X has no “one true way” of determining the type of a file. While LaunchServices (the thing that actually opens files) respects a file’s Type/Creator codes (which, contrary to popular belief, are not in the resource fork) and the associated application, Unix/NextStep programs such as Mail or Safari look at the file name suffix to determine whether to classify a file as safe or not.
The trick here is that the file in question is in fact an executable shell script, associated to be opened with the Terminal. The name of the file ends with .jpg, but that doesn’t affect its file type. However, Mail, Safari and most likely the user too think it’s an image file because they look at the name (in case of the user, also the icon).
What Apple needs to do is to make up its mind on how it wants to handle file typing once and for all, and use one mechanism consistently throughout all of their applications.
Edited 2006-02-22 14:03
Because it’s not friggin’ malware, you idiot. Why hasn’t MSFT ever fixed Del /f c:*.*? I mean, come on, it’s not like that won’t do massive amounts of damage and my precious user data will be saved. Hell, the entire OS goes down with that one. Not only the “precious” user data but the entire system.
Also, the person who thinks that this malware would hurt a company has no idea how to set up a real multi-user system. Try going back to school. Every *nix system has dedicated user accounts. Apache gets one, MySQL gets its own user account. So if Joe User does something stupid like rm -rf ~/ the servers aren’t affected; the company database, which runs as the MySQL user, is still there, since Joe User only interacts with a third-party app.
I am so tired of idiots claiming OS X is insecure. The whole point of an OS is to let the user work on his files while maintaining the integrity of the rest of the system. If I want to download a script that destroys my user data I should be allowed to do so. The OS shouldn’t babysit me because I am an idiot. Now if it attacks the integrity of the OS then something is wrong, but a user isn’t the OS. The single user doesn’t have, nor should need, direct access to the corporate database. It should be accessed through a secondary security layer. It’s how Unix was designed to work. It’s something you MSofties are just beginning to learn. That way the only two people who can delete the database are root and the database app.
Your post has already been answered as to why rm -rf /* isn’t a bug as such, at least any more than a system “allowing” the user to yank out the hard drive and run a magnet on it, destroying its data, is a “flaw”.
One other point though: you keep referring to Mac OSX as OSS. It isn’t. Linux is. OSX has some OSS components (yes, some pretty important ones too, e.g. the kernel), but on the whole would _not_ qualify as an open source or free operating system (Darwin yes, OSX no).
I remember some Mac head claiming that Apples were practically invulnerable; events of the last few days have proved this point of view to be very wrong.
He said _practically_ invulnerable. He’s still correct. OSX is significantly stronger than Windows for security, so how come the existence of one virus for it now negates the millions and millions of viruses for Windows? This is making mountains out of molehills.
Now if you want invulnerable, try OpenBSD “Only one remote hole in the default install, in more than 8 years.”
The difference between Windows and OSX for me:
Before switching from Windows to OSX, I spent more than 60% of my time with my PC doing maintenance, cleanup, restore, backup, update, etc… so not much time really using it for what I wanted to.
Now 100% of the time with my mac is used for just using my computer.
This is important because no stress during my spare time is a great improvement in my life (and my game WoW now does not stop every 5 seconds because of bad memory handling 😉
“The difference between Windows and OSX for me:
Before switching from Windows to OSX, I spent more than 60% of my time with my PC doing maintenance, cleanup, restore, backup, update, etc… ”
That is precisely why I changed over to a Mac and OS X. Also, having come from the Windows world and before that from a rather long background in computers I do not have the complacent attitude that seems to be prevalent in the Mac world. Most malware in the Windows world depends on social engineering and mac users are no more immune to it than are Windows users.
I hope the last few days will serve as a wake-up call to Mac users. While the Mac remains a very secure platform at present, users need to take the time to learn about security now rather than waiting for a serious piece of malware code to arrive. A bit of prevention can go a long way towards ensuring that Macs remain reasonably secure against this type of stuff.
Are you actually telling us that since switching to OSX you no longer do backups? Wow.
No updates?
No cleanup (whatever that means)?
It seems to me that if you were spending 60% of your time on Windows doing administration, that your Windows competence is pretty low. Most of the tasks you mentioned are either automated or easily automatable. I manage to maintain a stable, secure Windows system with (at most) a few minutes per month of maintenance.
Presumably the other 40% of time spent with your PC was spent calculating the time you spent doing things 60% of the time?
Seems to me you should spend more of that time calculating where this obsession of yours comes from.
Apple hasn’t had a good track record lately with this Heinz 57 of an operating system. Seems all the exploits have been caused by what they created.
Of course it’s a lot better than most anything currently available.
What’s got me perplexed is the rather low scale of these exploits, like it always requires user intervention, I’m wondering if it’s being done on purpose to get us to accept Trusted Computing?
What else is there to expect? With the Intel jump Apple solved the main problem with Mac OS X for most (potential) users and (potential Mac OS X) hackers: you don’t need exclusive (and pretty expensive) Apple hardware to run it any more. So there will be many more hackers and crackers who _can_ download, run and “play” with it without buying Apple stuff. It is much easier now.
Actually, this recent “proof of concept” runs on PowerPC as well. I say proof of concept because nothing is taking advantage of it at the moment.
As for your other assumptions, the Intel Macs were protected since they are targeted at PPC and they don’t run properly in Rosetta.
JRM7
Undoubtedly this will be the first of many Mac OSX exploits – the weakest point of the OS is being exploited, the user, and I have little doubt that if you send funny little programs that need installing, users will install them even if they need to use the admin password etc.
I’ve no doubt that Linux could be also exploited this way – bar the fact that most Linux users have a bit more technical wit.
Isn’t this how much of the spyware, trojans etc. gets onto MS Windows (albeit without admin/root passwords)? However, with the MS OS too often the user has done nothing wrong or stupid; they just don’t have the latest patch or AV, or have visited the wrong website.
This doesn’t necessarily require the user to be dumb. First, just visiting a website can execute the trojan. Second, I think most Mac users would trust their mail app when it says a file is a JPEG and the icon says it’s a JPEG, and curiosity will get the best of them.
While they are not completely free from blame in the second case, it’s still not an issue of exploiting the user, but an ACTUAL serious flaw in OSX.
“How come this simple script malware escaped through thousands of code watching eyes?”
There is no explicit code bug that’s causing the problem here. It’s more of a conceptual problem, mainly that OS X has no “one true way” of determining the type of a file. While LaunchServices (the thing that actually opens files) respects a file’s Type/Creator codes (which, contrary to popular belief, are not in the resource fork) and the associated application, Unix/NextStep programs such as Mail or Safari look at the file name suffix to determine whether to classify a file as safe or not.
————————–
Stew, thanks for your polite and detailed reply to my provocative posting. I understand this script exploitation command is not technically malware or spyware and rather is a feature of the OS, which is not known to the average Joe.
But aren’t the services (RPC, share, Dt, net sharing etc. etc.) run by MS also technically features of the OS assisting the average Joe that get exploited by hackers?
As you said, OSS must once and for all decide how far they want to go with click-click-click type installers or DT and at the same time not compromise security.
thanks
Mac OS is finally getting the attention it needs to become even more secure. It is not possible to test for every type of exploit while the OS is in development. Not only that, any press is good press. If people see stories like this in the news they may start considering Mac over other platforms for their computing needs.
I tested this script and it works fine from Finder, so the fault lies in the filetype system rather than Safari or Mail. Fix that fault and Safari and Mail will be fine.
They’re ALL at fault.
It’s dumb for Safari to suppose that there are such things as “safe files” and passing them on to other applications. The only thing that Safari has any right to mark as “safe” are those that it handles itself (html, jpeg, gif). If it doesn’t handle itself, it should download the thing and leave it at that (or ask the user what to do) and not auto-anything.
Mail is in the wrong for misleadingly representing an executable shell script as a picture or movie. Finder likewise (although Get Info and the Column view get it right).
The maligned LaunchServices is actually the only one that got it right. It correctly treats this thing as an executable since that’s what it is. Even if the shell script may be “malformed”, since it can be executed, it is by definition an executable. (The shebang thing btw is a convention, not a requirement for a shell script. On any Unix-like system I’ve tried, any text file with the -x- bit gets executed by the shell, missing shebang or not.)
Finder is treating the item correctly within the specs. It shows the filename that belongs to the file and its icon (in the current test case, the icon is explicitly embedded in the application – any application can have a custom icon), and upon double-click it launches it. The fact that the icon looks like a jpg is only social engineering. It’s like putting Windex in a soda bottle.
Now, whether Finder should give additional visual clues about what happens when the icon gets double-clicked, that’s a different debate. But in the current version, it behaves 100% correctly according to Apple’s guidelines.
Edited 2006-02-22 17:18
“Finder is treating the item correctly within the specs. It shows the filename that belongs to the file and its icon (in the current test case, the icon is explicitly embedded in the application – any application can have a custom icon), and upon double-click it launches it. The fact that the icon looks like a jpg is only social engineering. It’s like putting Windex in a soda bottle. ”
This really isn’t correct. The Finder is applying an icon to the file based upon the file extension. The OS is executing the file based upon the metadata associations. Here is a quick test (assuming you have a Mac).
$ vi ~/script.gif
in the file put something simple like:
echo “Hello from a bad guy” > ~/urhacked.txt
save the file. Finder will now display an image icon for ~/script.gif.
chmod +x ~/script.gif and it is now executable.
Set the default application to Terminal and now you have a fully functional trojan. It appears to be an image but will execute a script in the Terminal.
This is strictly an inconsistency in the OS and is not insignificant, imo.
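As an added example (not code from this thread, from Heise or from Apple), here is the content-based check that both Stew’s explanation of the two file-typing mechanisms and the vi/chmod recipe above point at: a Python script that walks a directory and flags files whose name claims an image type but whose first bytes, first line or mode bits say “shell script”. It builds its own constructed sample files in a temp directory (a file with a genuine JPEG header, a script.gif like the one in the recipe, and an executable file with no shebang, the case raised in the “shebang is a convention” comment); their names and contents are assumptions for the demo. It does not read LaunchServices’ default-application binding or HFS type/creator metadata, so it catches the disguise by content rather than by the association that actually triggers the open on OS X.

```python
import os
import stat
import tempfile

# Leading bytes a genuine file of each image type starts with. A shell script
# disguised with one of these suffixes cannot begin with them.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def classify(path):
    """Return the reasons `path` looks like an executable disguised as an image.

    An empty list means name, content and mode bits agree. Files whose suffix
    is not an image suffix are not inspected: the disguise discussed in the
    thread needs a data-file suffix to get an image icon in the first place.
    """
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return []
    with open(path, "rb") as f:
        head = f.read(16)
    reasons = []
    if not head.startswith(IMAGE_MAGIC[ext]):
        reasons.append(f"name says {ext} but content is not {ext[1:].upper()}")
    if head.startswith(b"#!"):
        reasons.append("starts with a shebang")
    # The recipe above needs chmod +x before Terminal will run the file;
    # a picture never needs the execute bit.
    if os.stat(path).st_mode & EXEC_BITS:
        reasons.append("execute bit set")
    return reasons


def scan(directory):
    """Walk `directory`; map each suspicious file (relative path) to its reasons."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue  # do not follow links out of the scanned tree
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, directory)] = reasons
    return findings


def build_samples(directory):
    """Write constructed sample files for the demo (not the thread's Heise.jpg)."""
    samples = {
        # really a JPEG: SOI marker, APP0 marker, then padding (assumed content)
        "real.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),
        # the thread's trick: a shell script whose name ends in .gif
        "script.gif": (b"#!/bin/sh\necho 'this would have run'\n", 0o755),
        # no shebang but executable: the shell still runs it as a script
        "noshebang.jpg": (b"echo 'also a script'\n", 0o755),
        # ordinary text with a non-image suffix: left alone
        "notes.txt": (b"just notes\n", 0o644),
    }
    for name, (content, mode) in samples.items():
        full = os.path.join(directory, name)
        with open(full, "wb") as f:
            f.write(content)
        os.chmod(full, mode)


def demo():
    """Build the samples in a fresh temp dir and return scan()'s findings."""
    directory = tempfile.mkdtemp(prefix="disguised-")
    build_samples(directory)
    return scan(directory)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path + ": " + "; ".join(reasons))
```

Running it prints script.gif and noshebang.jpg with their reasons and says nothing about real.jpg or notes.txt. Pointing scan() at ~/Downloads or a mail attachments folder is the practical use; on a real Tiger system the execute bit is the one signal of the three that the recipe above cannot do without, which is why the earlier commenters’ advice to watch auto-execute paths is sound even where the magic-byte check is not available to Mail or Safari.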
You’re right…it might actually be that both Mail and Finder use the same file typing mechanism.
There’s something broken with OS X file typing, conceptually. If a document opens in Terminal, it should get a Terminal document icon, no matter what file name it has. Well, if you ask me, basing file type decisions on the file name is a bad idea to begin with (hooray for BeOS/Haiku/Zeta!), but Apple has gone too far with that to turn back, I’m afraid.
OSX must behave inconsistently on this because when I try it, script.gif displays the terminal script icon, and does not execute when double-clicked in the Finder. But it does run when invoked manually in the terminal. (I’m using 10.3.9)
As you say, though, this is something that Apple really needs to think out and resolve.
The security hole is only present in Tiger’s file recognition system which was completely rewritten after Panther, so you won’t see the hole in Panther.
Then is it not IE’s fault when a problem with ActiveX leads to a security issue?
If I were to turn my DH’s “everyday” account from a standard into a “managed” account and then use the admin powers to deny that account permission to use the terminal, would this prevent this kind of attack?
I’d think it would afford some protection. But it is important to remember that there are lots of ways to execute shell commands in OSX that don’t involve the terminal. It is likely that some of these avenues can be exploited in a similar fashion.
Well, I’ve disabled the “open safe downloads” in Safari (default browser is Opera) and I’ve just moved the Terminal program to a new folder, so that should take care of the particular shell script attack in question.
And yeah, I’ll be watching these auto-execute commands very closely.
I mean, bad enough if I accidentally auto-execute one; but I have a recent enough backup and know how to recover from a disaster.
DH, on the other hand … I’d be peeling him off the ceiling.
… since Apple switched to Intel, they have been getting kinda crappy, and starting to remind me of Windows. I keep hearing all these security “leaks” and whatnot. Not cool, Apple Computer, Inc., not cool at all. Maybe you should have stuck with PPC.
They also should take MORE time between releases of OS X and make damn sure there’s no security problems. I’d hate to see Apple become like WinDoze.
/my 2 yen
… since Apple switched to Intel, they have been getting kinda crappy, and starting to remind me of Windows. I keep hearing all these security “leaks” and whatnot. Not cool, Apple Computer, Inc., not cool at all. Maybe you should have stuck with PPC.
Try not to become a FUD victim. Yes you have been hit by the F for “Fear” in FUD. There’s been a barrage lately of OSX security stories and really this one (which is the same one as the Safari bug) is the first with any real meat to it.
Incidentally, this focus on “viruses for Mac” started after the switch to Intel, as you rightly noted. Coincidence? Maybe it’s just because the focus is on Apple at the moment, but it sure smells fishy to me and I don’t put on my tinfoil hat often. A company in a transition is a vulnerable company after all.
Seems like… you are speaking from ignorance.
These recent “viruses” have nothing at all to do with the Intel transition, and they target vulnerabilities that existed long before. As others have mentioned before, they exploit ambiguity that arises from having two different ways of determining file type. This is a legacy of design decisions made long ago, before Windows even existed.
It’s not the Intel processors themselves, but think about it: with one move (the Intel switch) Mac OS X became compatible with ???illions of computers. And with it ??? times more users and ??? times more hackers who understand that OS X is not about 2-3% of the OS market any more (we live in a real world, so for 1 user who bought Mac OS X with Apple hardware there will be min. 2 users who downloaded it).
This and for sure other security holes weren’t discovered before, not because they were hard to find, but because no one really needed to. It was like searching for security flaws in Zeta (not that Zeta has none). Why bother if we had Windows with its 95% of the OS market? With all the new Mac OS X users, searching for new bugs/holes/conceptual errors/… becomes much more attractive now.
So let me get this right. In the less than two months that apple has been shipping intel based macs, they have sold “???illions” of computers? That must be a lot of “???illions” to account for the “???”-fold increase in their user base. I guess it was inevitable that this sudden explosion in the number of mac users would attract the attention of “??? times more hackers.”
Thank you for setting me straight with these facts. I was especially surprised to learn that “we live in a real world” where 2 out of 3 copies of OSX are pirated.
>… In the less than two months that apple has been shipping intel based macs, they have sold “???illions” of computers?
What???!!! Who’s talking about Apple hardware? Do you really think Mac OS X runs only on Macs? OK, the link to the news goes next (I don’t know if a message with this kind of news (for you) will be removed or not. If so – google for it)
> I was especially surprised to learn that “we live in a real world” where 2 out of 3 copies of OSX are pirated.
Jeez… Welcome to the Intel world! Did you know that it doesn’t look better for Windows?
Croco:
I am perfectly aware that there are hacked versions of OSX available that will run on (some) x86 hardware. I am also aware that this accounts for a minuscule fraction of OSX installations, and it has had only an insignificant effect on the OSX installed base.
A few teen hackers may want to spend their time downloading “warez” and hacking device drivers, but most (by a wide margin) computer users never download any OS. They use the system that came pre-installed on their computers, and they upgrade their OS when they buy a new one. In my “real world” time is money, the apple store is less than 5 miles away, and I can just buy a working apple system anytime I need it. Most grown-up professionals live in this world.
Attributing the three recent malware announcements to Apple’s intel transition is just factually incorrect. If you think I’m wrong, then give me some real numbers. Citing statistics like “???illions of computers”, “??? times more users”, and “??? times more hackers” just makes you look like an idiot.
@macintroll
rtfm. google: “software piracy statistics”
“…Even in the United States and Western Europe, where the issue is addressed very seriously, the average piracy rate averages 30%-40%, rising up to the 75% range in other regions. Russia and Asia have the most active pirate markets, with peaks of up to 90% of all their software being illegitimate copies. In 1994, Vietnam and China led the list with astounding 100% and 97% rates respectively. Those rates have since declined over the years (a 1999 survey estimated them at 98% and 91%), but Asian markets are still plagued with enormous piracy rates. Former Soviet countries are also high in this list…”
And OSx86 is now a kind of product that can be pirated and downloaded, or bought by for example any Chinese or Russian guy for $2 in any Russian software shop (here I know what I’m talking about). It wasn’t reasonable before because PPC Mac OS X can’t run on Intels, but now you can add to the happy OS X users and hackers anyone in China/Russia/Ukraine/… who just wants to install it. It’s time to do your math now. P.S. “…just makes you look like an idiot.” Please don’t address any text to me anymore – I will not answer.
You are right. The 12 year old statistics from “gamespy.com” that you cite have convinced me that 2 out of 3 OSX installations are pirated.
These tens of millions of pirates must be more technically savvy than “cavemonkey50”, who seems to have had quite a bit of trouble installing his copy:
“A few lucky individuals have got 10.4.4 to boot without trouble. Personally, I’m still waiting for the install to complete”
No answer is required. I am persuaded.
@macintroll
http://cavemonkey50.com/2006/02/the-first-bootable-osx86-1044-dvd/
you are a troll.
No, a troll would have posted something like:
“Seems like since Apple switched to Intel, they have been getting kinda crappy, and starting to remind me of Windows.”
This isn’t exactly a great example to prove how much further ahead than Microsoft Apple supposedly are: launching JPEGs by “running” them and watching them drop through various different subsystems, each trying their own thing in the name of “helping” the user.
This isn’t exactly a great example to prove how much further ahead than Microsoft Apple supposedly are: launching JPEGs by “running” them and watching them drop through various different subsystems, each trying their own thing in the name of “helping” the user.
It’s not exactly the same: OSX KNOWS this is a shell script but it also allows behaviour that would let a malicious user disguise that fact (by allowing him to present it with another icon to the user). A not-so-subtle difference.
It’s a malicious use of an OSX feature to manipulate the user (in effect “social engineering” or conning the user). Not a bug in the traditional Windows sense.
I know how to secure windows and Apple isn’t transparent enough.
You have got to be a troll! Anyone can download the core of Mac OS X (Darwin); is the same true about Windows?
While I certainly agree that there’s a flaw in the OS here – it shouldn’t be displaying something as one type of file and then opening it in another app – the Mail-specific aspect of it is something I misunderstood initially. The original post gets it right but it bears explaining even so IMO: Mail.app will *not* attempt to display (and thus execute) the script as it would display an attached image file. So, simply viewing the message is not dangerous. You have to try to open the attachment. It’s an important distinction: The former might cause me to switch mail clients, while the latter requires the usual level of vigilance making sure messages are what they say they are.
Mac users certainly shouldn’t be complacent. I use a Mac primarily because I think it’s the best, most enjoyable, and most efficient platform for what I do. The fact that it’s safer from malware is a big added bonus, and while I do think some of that safety is inherent in the OS and its configuration, anyone who says Mac users are safe and don’t need to be vigilant is fooling himself.
As the first major holes are discovered and the first viruses appear, Mac users will have to weather the exaggerated response from the press, and the rush by antivirus companies to cash in.
I tried the proof of concept from Heise, and it works neither with Safari nor through Mail. The file Heise.jpg appears, but when the system tries to open it the Terminal opens and nothing else happens. The hidden shell script does not execute.
I saw on several forums that many other Mac users have observed the same thing: the shell script does not work on their system. I don’t really know what causes this; at least it shows that the danger of this flaw is not constant or true for everyone.
I am logged in without administrator rights, which could explain why the exploit does not work, but it’s not certain. Also I tried the Heise file on another account with administrator rights on the same system and it worked this time. It would be interesting to find out what exactly causes the exploit to fail…
I can’t get the exploit to do anything on my machine.
OS X 10.4.5
Mail 2.0
What am I doing wrong here?
-Fuji
OK, I figured out the answer to my own question. I had renamed my Terminal.app to Terminal OS X.app. I did this a while ago after reading an article about the Safari “launch safe files after download…” issue.
I realize this is not a condition for the typical user, but it seems to prevent the exploit.
-Fuji
By default root access is disabled. But on a fresh install you can do a sudo passwd in the terminal; it will give you a nice message on how you should be responsible and that your system administrator has told you about the dangers of being root, and afterwards you can type in a new password, resulting in the root account being unlocked.
How difficult would it be to write a script which does this automatically, gains access and is able to destroy a working system?