[MW Forums]

Apple's new security update closes recently reported exploits in iChat and Safari, as well as Mail. more

[spimster]

yay!
I can be smug and flippant again!
. . .
just kidding ...somewhat smug but will continue reasonable caution with unknown files
installed & no issues so far

[OM_user]

Just out of curiosity, I installed the Safari update (& other security fixes released today) rebooted, and then re-enabled the "open safe files" option in Safari. I went back to Secunia's test page here (http://secunia.com/macosxcommandexecutionvulnerabilitytest/) and re-ran it.
Result? It downloaded the file but did not open the disguised .term file. So far so good. But I went and double-clicked on the file, which incidentally STILL shows up as a QT movie file, complete with the QT icon and a .mov extension and guess what? Yep, it ran the terminal and launched Calculator.
So, is this issue fixed? I say yes and no. Yes they fixed it so it wouldn't automatically open a dangerous file which is great, but the Finder still can't tell the difference between a real "safe" file and a possible malicious one disguised as a safe file. Yes, I know some will say you need to be vigilante about what you open, but seriously, most users won't think if a downloaded file doesn't automatically open that they need to start examining the file. Many will just locate it and double click it, because it still appears safe.
IMHO, Apple needs to make it so that if a file appears as one thing in the Finder, but will launch in a totally unrelated app, it warns you of this as it is opening, before anything bad can happen.
This update is a quick and dirty fix for the most glaring hole, but doesn't really address the core problem of a file being easily disguised to the end user and opening in some unexpected app when double-clicked.

[leroybrown]

In reply to:

---

This update is a quick and dirty fix for the most glaring hole, but doesn't really address the core problem of a file being easily disguised to the end user and opening in some unexpected app when double-clicked.

---

The core problem is something that required little to no user intervention to infect your machine. That was fixed, and this has moved the ball farther into the user's court: you actually have to manually launch the file. This was always a problem on classic. How often was that exploited?

[OM_user]

It was never exploited in Classic, but then again, classic Mac OS never had anywhere near the exposure that OS X is enjoying. It also never had anything even remotely as dangerous as the Terminal, which could obliterate your entire system with a simple rm command.
I acknowledge the fact you would now need to double-click a malicious file to run it, but I still see an issue with the fact that the Finder, or system, has trouble resolving which application should really be opening the file in question. If I control click on a file with a .jpg extension in the Finder and go to Open With I get a list of applications installed on my Mac that can open a JPEG file. The Terminal doesn't show up there because it couldn't open a JPEG image even if it wanted to. So, on a basic level the OS knows what apps should be allowed to open a file like a JPEG or .mov, etc. When I look at the Secunia test .term file disguised as a QT .mov, I get a list of applications for opening it, including QuickTime, which is listed as the default application, yet it is saying it will open in the Terminal. There seems to be a disconnect there that they should find a more solid solution for.
If the OS knows what apps should open a file with a particular extension, but the file tries to launch an app which is not in that list, why can't it just pop up a simple warning about that? That doesn't seem like an unreasonable thing to ask for.

[jdb8167]

In reply to:

---

the Finder still can't tell the difference between a real "safe" file and a possible malicious one disguised as a safe file.

---

This really isn't possible unless you want Apple to remove the ability to have custom icons in OS X. The only way Apple could make sure the icon matches is to control all the icons in the system. I doubt you want that. If a file can have a custom icon, then I can create a custom icon that looks like a movie file. The computer can't tell that the bits that make up that icon look to you like a movie icon.
If you get a file from an untrusted source, you need to be careful and understand what it is. If you feel you can't be careful enough then you probably need anti virus software. The problem with that is that no AV software would protect you from the problem unless it had already been seen in the wild. It is pretty easy to write a shell script so if this starts to become a problem, it will be hard for the virus companies to keep up.
It is possible that Apple can do some further refinements and make the problem less likely. One suggestion is to have all executables have a badge or a bold name in the Finder. Another possibility is to not allow unix executables to have their execute bit enabled by default. But that wouldn't stop someone from writing a trojan as a normal OS X application bundle. You obviously can't stop people from running Mac applications that they've just downloaded.
Trojans are always going to be a problem if you aren't cautious. But these problems have existed for years and we've dealt with it without incident. I don't see that changing.

[veggiedude]

"If the OS knows what apps should open a file with a particular extension, but the file tries to launch an app which is not in that list, why can't it just pop up a simple warning about that?"
The malicious file would be an executable app, masquerading as a file. The Finder doesn't know that you think it is a file, the Finder sees you opening another application. Do you want a warning to come up on every app you doubleclick to ask if you are sure that is what you want to do?

[OM_user]

In reply to:

---

This really isn't possible unless you want Apple to remove the ability to have custom icons in OS X. The only way Apple could make sure the icon matches is to control all the icons in the system. I doubt you want that.

---

You're right. I don't want that at all. And in truth, a custom icon is not even the issue here. It has more to do with the extension of a file not matching up with the application that will open said file.
As I mentioned, looking at the list of applications that can open the Secunia proof of concept file shows that the OS knows a file with .mov should default to QuickTime, yet Terminal is the assigned application for the file. But Terminal is not even in the laundry list of applications that should be able to open a file with a .mov extension. So, while I'm certain I'm oversimplifying this, why couldn't it just warn a user when a file is about to launch an application which is not even in the list of apps that should be opening the file in the first place? Maybe this is too hard to do, or maybe Apple just doesn't want to do this, in an effort to keep the OS as unobtrusive as possible. I certainly respect that, but I still wonder if it isn't something that should be explored in a future security update.

In reply to:

---

The malicious file would be an executable app, masquerading as a file. The Finder doesn't know that you think it is a file, the Finder sees you opening another application.

---

This is not true at all. At least not in this particular proof of concept file. It's a document, not an application in and of itself, any more than a saved Applescript script file is an application, unless one saves it as an actual compiled application. In other words, if you deleted the Terminal from your Mac and then double-clicked on the Secunia file, I'd be willing to bet that the OS would complain that it has no application to open the file with. If it was a true app, looking at its contextual menu would not give you the 'Open with' line. What else would it open with except itself if it was an app?
You do raise a good point about an actual executable being disguised as a file though, since this would be even harder to defend against.
And of course I don't want a warning every time I launch an app. That's not what I'm getting at. I just think that when there is an obvious mismatch between what applications should open when double-clicking a file and what will open should throw up a small warning dialog.
In fact, isn't this basically what Unsanity's Paranoid Android does? Maybe that's not the ideal example, but it seems some similar functionality should be built-in to the OS.

[805mollybea]

... I'm not sure I feel good about this yet...Does anyone????? /forums/ubbthreads/images/graemlins/confused.gif OHHHH...Poo.

[irolley]

OM_user, you are absolutely right. Apple just pushed the issue a bit further until it re-appears. The simple fact that double-clicking a .jpg file in the Finder could launch the terminal (and delete all my file, for example) is a huge security issue.

[atomrend]

In reply to:

---

Do you want a warning to come up on every app you doubleclick to ask if you are sure that is what you want to do?

---

Actually, I think this is a good idea. Of course, you don't need to have it ask every time an application is run. It really just needs to verify with you the first time. Terminal applications probably should be a little pickier though.

[tabasco_hot]

I agree with what you said. If a file is going to be opened by an Application that is not consistent with the extension, and the icon you should get a double warning.

[SPOOF]

The OS already warns the user on first run of an application.
As for the .mov being opened by terminal, there are two ways this can happen...neither of which can be easily solved.
The first is if a file has old OS 9 type and creator codes. This would, however, assume that a program that recognizes those is installed. OS X has been moving away from this, however, so if it isn't broken within 10.4, I would expect it to be in 10.5.
The second is if you have the system set to hide known file extensions...which is also a huge and common pet peeve on windows machines. If I name a file something like blah.txt.mp3 you'd see blah.txt, and it would open in iTunes. You can find the setting for this in the Finder Preferences under Advanced.
Now, if you have a file that just doesn't have an extension...OS X will try and figure out what can use it, and then launch that program to open it. Results are mixed in how effective this is.
What it all boils down to is...the security hole has been patched, the OS and apps like iChat have been made even MORE robust in warning the user about what they're going to do with their files. The only other thing to do would be to simply not allow the user to do these things, which we don't want. So the problem is now not with the system, but in the hands of the user. If you want to run something you don't know...well, that's your choice. Just make sure you have a backup if you do, because no matter how good, an OS can't save a user from themselves.

[JKT]

In reply to:

---

The OS already warns the user on first run of an application.

---

Not if it is a unix executable or script of any description it doesn't - why do you think this was such a threat. Apple either needs to add these to the list of things that pop-up a warning or FTFF to make it obvious when a file is an application. I think icon badging is the most sensible solution - either add some obvious, yet not intrusive means of identifying anything that is not a document (or alternatively, is a document and not an application) or disallow the use of custom icons for new files until the user has specifically given permission for them. Apple could Sandbox any downloads and strip the custom icon until the identity of the file had been confirmed by the user. Personally I would prefer the badging method.