Mac OS flaw exposes Apple users

By Joris Evers
Staff Writer, CNET News

13 comments

A serious flaw in Mac OS X could be a conduit for attackers to install malicious code on computers running the Apple Computer software, experts warned Tuesday.

The security problem is the third to surface for the operating system in the past week. It exposes Mac users to risks that are more familiar to Windows users: Visiting a malicious Web site using Apple's Safari Web browser could result in a rootkit, a backdoor or other malicious software being installed on the computer without the user noticing anything, experts said.

"This could be really bad," the SANS Internet Storm Center, which tracks network threats, said Tuesday. "Attackers can run shell scripts on your computer remotely just by visiting a malicious Web site."

Apple is developing a patch for the flaw, a company representative told CNET News.com. "We're working on a fix so that this doesn't become something that could affect customers," the representative said, but could not give a delivery date for the update.

Word of the new vulnerability comes after the recent discovery of a Trojan horse and a worm that target Mac users. The operating system had not been in the security crosshairs previously.

The new problem, discovered by Michael Lehn and first reported by Heise Online, lies in the way Mac OS X processes archive files. An attacker could embed malicious code in a ZIP file and host that on a Web site. The file and the embedded code would run when a Mac user visits the site using the Safari browser, experts said.

"Essentially, the operating system is executing commands that come in the metadata for ZIP files," said Alfred Huger, senior director of engineering at Symantec. "That is exacerbated by the problem that Safari will automatically open the file when you encounter it on the Web."

The issue may go beyond archive files, SANS said in updated notes on its Web site. "The attacker doesn't need to send a ZIP archive; the shell script itself can be disguised to practically anything," the note said.

The culprit appears to be the Mac OS Finder, the component of the operating system used to view and organize files, according to the SANS posting. A malicious file can be masked to look innocent--for example, like a JPEG image--yet it will run and execute when opened, SANS said.

This occurs because the operating system assigns an identifying image for the file based on the file extension, but decides which application will handle the file based on file permissions, SANS said. If the file has any executable bits set, it will be run using Terminal, the Unix command line prompt used in Mac OS X, SANS said.

There are no known attacks that take advantage of the flaw, experts said. However, proof-of-concept code that demonstrates the security vulnerability is publicly available online and could be tweaked for use in cyberattacks. "The skill level required to exploit it is very low. Pretty much anyone can do it," Huger said.

In the Windows world, such flaws are often exploited to install spyware or ad-serving software on vulnerable PCs. While such insidious software may be rare for the Mac, there are back doors and rootkits for the operating system, Huger said. "I think you'd likely see those installed with this type of vulnerability," he said.

The vulnerability is rated "extremely critical" by security monitoring company Secunia. Symantec also rates it "fairly high risk," Huger said. "If you have a Mac and use Safari, it is something you should remediate immediately," he said.

Mac OS X users can protect themselves by disabling the "Open safe files after downloading" option in Safari. In addition, users should be cautious when surfing the Web, the Apple representative said. "Apple always advises Mac users to only accept files from vendors and Web sites that they know and trust."

Users of alternative browsers such as Firefox and Camino on the Mac are not exposed to the Web-based attack vector, experts said.

See more CNET content tagged:
flaw, shell script, Apple Mac OS, attacker, Apple Safari

Add a Comment (Log in or register) (13 Comments)

ah the first brick starts to crumble

by capfan12 February 21, 2006 1:17 PM PST

and the first brick starts to crumble

Like this Reply to this comment

Maybe....
by Earl Benser February 21, 2006 1:28 PM PST: .... but right now it's more like a crack easily fixed before anything serious happens. Meanwhile, we still have hundreds of thousands of MS bricks shattered into dust at the bottom of the window.; Like this View all 2 replies Hide replies
Processing

Not really
by MacHeadCase February 21, 2006 1:58 PM PST: As the article says... Simply disable "Open "safe" files after downloading which prevents any file to be automatically decompressed. There is a test online to see if Safari is safe. Mine passed... Test for Safari is talked about in this <a href="#">Ars Technica article</ strong></a> and is available <a href="#">here</a>.; Like this

More Like a Grain of Sand Falling Out of the Industrial-strength Mortar ...
by Joe Blow February 21, 2006 2:23 PM PST: between some pretty solid bricks, and it's only a _potential_ problem if you're using Safari at the moment, that will likely be fixed a lot faster than the typical Windoze critical vulnerability. Some highly-critical Microsloth gaps have been around for more than six months without even being acknowledged by them, much less fixed, even with their endless stream of patches. I'm using FireFox, so I don't need to worry about this OS X issue, and even a newbie Safari user will get an automatic update with a fix offered as soon as it's available, not whenever Microsloth decides to fix it, much less deploy it according to its patch/"upgrade" cycle. Note that this is a vulnerability, and there's no evidence of an exploit (yet - and given Apple's fairly quick response to this kind of thing, it probably won't be worth the time to develop an exploit, as has been the case to this point). Also, an exploit would have to be hosted on a site controlled by "evil-doers" (which your average Safari user isn't going to get to before the fix is installed), or a site run by dweebs who don't know any better than to quarantine uploaded files until they've been screened for malware before they can be downloaded. And, before any other Microsloth-o-philes start trying to pile on, your time would be better spent making sure you've installed the latest security patches, and then complaining to Billy Grates about why there are still so many critical vulnerabilities in his products (not just Windoze) that haven't been addressed. One of these days, some sharp lawyer is going to bother reading the Microsloth End User License Agreements (EULAs) and realize that there are whole classes of users that they don't apply to - government agencies, and large corporations which have maintenance contracts, for instance, and then file class-action lawsuits to demand all of that junk gets fixed, or refunds are in order, with accrued interest since the date of purchase/licensing - treble damages to be awarded, indeed (at last count there were still over 250 lawsuits stemming from Microsloth's conviction as an abuser of monopoly power, so maybe every lawyer who can spell "high-tech" is already gainfully-employed with other law suits). Where are the lawyers when you really need them? Oh, yeah, they're all waiting for Dick Cheney to go on another quail hunting expedition to the deepest, darkest reaches along the Texas Gulf Coast. I'm surprised quail haven't been designated terrorists on the watch lists, yet (maybe Dan Rather should dress up as a quail and try to board an airliner to find out if they have been! :D ). All the Best, Joe Blow; Like this

I don't see it

by corelogik February 21, 2006 1:45 PM PST

I don't see what they are so concerned about. I don't know what configuration they are using, but my Safari does not "automatically" open zip or any other archive files,....

Like this Reply to this comment

It is a serious issue!
by pdude February 21, 2006 2:00 PM PST: I have tried it out and it's as scary as the report says it is. By the way, I program Windows, Mac and Linux. Every application in the OSX is scriptable and IMHO, Mac is a disaster waiting to happen!; Like this View reply Hide reply
Processing

It is only a matter of time...

by coryschulz February 21, 2006 1:47 PM PST

It is only a matter of time before the Mac OS becomes as popular a target as Windows. There will be a direct relationship between its share of desktop systems and the amount of viruses created to attack it. Generally the UNIX based OS has proven more secure, but I do believe that with Vista Microsoft is taking a very serious approach to security issues. They will both be challenging to create viruses for, but there will still be programmers out there who will test their abilities against such a challenge.

Like this Reply to this comment

time?
by moopie23 February 21, 2006 1:51 PM PST: there presently is not a "direct relationship" between market share and the amount of viruses for Mac, so why would that start now? And seriously, Microsoft taking a serious approach to security is a joke. Until they rewrite the core of the OS, they won't have serious security.; Like this

You willing...
by UntoldDreams February 21, 2006 1:52 PM PST: To put money on a Microsoft 1.0 project the size of Vista, and go on record stating that it will probably be secure and challenging to write viruses for? Because if you are I'd be willing to take those odds and put lots of money down...; Like this

(13 Comments)

Latest tech news headlines

The back story on Glitch's back stories
Posted in Geek Gestalt by Daniel Terdiman

February 10, 2010 4:00 AM PST
Hacker 'Mudge' gets DARPA job
Posted in InSecurity Complex by Elinor Mills

February 10, 2010 4:00 AM PST
Facebook, AOL link instant messaging
Posted in Deep Tech by Stephen Shankland

February 10, 2010 3:50 AM PST
See all headlines

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Markets: Market news, charts, SEC filings, and more; Related quotes; Apple (0.00%) 0.00 196.19; Dow Jones Industrials (0.00%) 0.00 10,058.64; S&P 500 (0.00%) 0.00 1,070.52; NASDAQ (0.00%) 0.00 2,150.87; CNET TECH (0.00%) 0.00 1,524.71

Inside CNET News

Scroll Left Scroll Right

Nanotech - The Circuits Blog
Micron to buy Numonyx for $1.27 billion
One of the world's largest flash memory makers agrees to be acquired by Micron Technology in a deal worth approximately $1.27 billion.
Gallery
Images: How Glitch's aesthetic matured
Software, Interrupted
Big IT vendors overcomplicating the cloud
CA and NetApp have joined together on cloud offerings. But are they missing the point of simplifying enterprise IT?
Beyond Binary
Olympic snow still in short supply at Cypress
Olympic organizers have now shortened training, stepped up trucking of snow, and even turned to adding dry ice to the mix to make sure the venue is ready for the start of the Games.
Video
CNET first look at Google Buzz
Deep Tech
Facebook, AOL link instant messaging
Good news: AIM can be used to chat with Facebook pals. Bad news: Instant messaging still has more barriers than openness.
Video
Apple iPad: Is it for you?
Geek Gestalt
The back story on Glitch's back stories
It took Tiny Speck--which announced what it was working on Tuesday--many months to decide what the official back story for its new game was. But before the final version, it considered many options.
Crave
Intel taps student's robot for processor demo
University of Arizona engineering student creates a six-legged Atom-powered bot that can "learn" to walk on its own, and Intel brings it along on the company road show.
Gallery
Images: Stewart Butterfield's new gaming start-up
Crave
Panasonic updates 3-chip camcorders
Though Panasonic's replacements for its 300 series' models have relatively minor updates, they seem like nice enhancements.
Green Tech
A Toyota Prius owner waits for the recall
Last summer, CNET's Martin LaMonica wanted to see if his new Prius could hit the magic 50-mpg mark. Now he's wondering when his spiffy hybrid will get a fix for faulty brakes.