Extremely critical Mac OS X zero-day exploit released

Summary: If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user.


Heise online is reporting that a new critical vulnerability in Mac OS X has been discovered, and it appears to have ramifications beyond the Safari browser (thanks to SANS and SunbeltBLOG for the link). The problem is severe because a user simply needs to visit a malicious website and shell scripts will launch with zero user interaction!

The cause of this problem is that OS X will automatically launch a shell script (even one inside a ZIP file) when the script is missing certain syntax at its beginning.

Here is an excerpt from Heise online:
You can determine whether your system is vulnerable by using this online demonstration provided by Heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.

Vulnerabilities don't get any more serious than this, since it requires no user interaction. The recent Mac OS X Leap.A worm attempted to fool users into launching malicious code that was disguised as an image file, but this exploit launches the minute you visit a webpage with Safari. All Apple OS X users should immediately implement the following temporary workaround until Apple releases a patch.

Heise online recommends this temporary workaround:
The best immediate recourse against such an attack is to deactivate the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences. Alternative web browsers such as Camino or Firefox do not support the automatic execution of files. These browsers can be prompted to automatically download a file by using the refresh command in the HTML source code of a web page. However, the file will not be executed. Since the Finder selects the icon for a file based on its extension, users are advised to verify that the OS is using the proper file type. This can be done through the information window or in column view.
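
The advice above to verify that a file's real type matches its extension can also be applied to a downloaded ZIP before anything in it is opened. The following is an added example, not code from Heise or from this post; the signature table, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Leading bytes for a few extensions a browser may treat as "safe" to open.
# Assumption: this short table is illustrative, not a complete type database.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

def is_plain_text(head: bytes) -> bool:
    """True when every sampled byte is printable ASCII or common whitespace."""
    return bool(head) and all(b in (9, 10, 13) or 32 <= b < 127 for b in head)

def classify(name: str, head: bytes) -> str:
    """Compare a file's extension with its first bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in MAGIC:
        return "unchecked"  # no signature known for this extension
    if head.startswith(MAGIC[ext]):
        return "ok"
    # Plain text is flagged whether or not it begins with a script header.
    return "text-behind-media-extension" if is_plain_text(head) else "mismatch"

def audit_zip(data: bytes, sample: int = 64) -> dict:
    """Classify every member of a ZIP held in memory, without extracting it."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                report[info.filename] = classify(info.filename, member.read(sample))
    return report

def build_sample_zip() -> bytes:
    """Constructed sample: one genuine PNG header, one text file named .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        archive.writestr("holiday.jpg", b"echo constructed sample\n")
        archive.writestr("readme.txt", b"plain notes\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, verdict in audit_zip(build_sample_zip()).items():
        print(f"{verdict:28} {name}")
```

Any member reported as `text-behind-media-extension` or `mismatch` should be inspected in a text editor or hex viewer rather than opened by double-click.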

[Updated 10:00 AM]  Secunia posted this "extremely critical" advisory along with a demonstration link that automatically launches the calculator.


  • I'll admit I only skimmed the article but is this a

    vulnerability or an exploit? Does something exist out there to
    take advantage of this vulnerability or not? I mean all OS's have
    vulnerabilities/holes that is a given (In my humble opinion OSX is
    less problematic than ahem others by far) So to me the problem is
    not so much the existence of holes but the availability of exploits
    to take advantage of said.

    Pagan jim
    • The article says go here for demo

      That counts as an exploit. A benign one certainly, but absolutely an exploit.
      • Technically yes you are correct but it is in and of itself

        hardly dangerous....and as it stands if that is it barely a concern.

        Pagan jim
        • Do you know what a shell script can do?

          Do you know how easy it would be to change the example's shell script into one that deletes all of a user's personal files? Let me help:
          rm -rf ~/

          Done! That is one of the legitimate advantages of *nix style OSs, everything can be done through shell script. Even the most basic shell is 100 times more powerful than the relatively primitive DOS commands you find on Windows. So just because the posted example doesn't do anything bad, it would take 30 seconds and a complete novice script kiddie to make this harmful. Unless you consider the loss of all your personal files... how did you put it? "barely a concern"!
          • 30 seconds? Man are you a slow typist.....:)

            My point was that yes all OS's have vulnerabilities however until
            a harmful exploit has been created and distributed it is still only
            a theory. Once it is created and an effective method of
            distribution has been utilized then I will be concerned.
            For instance I don't go to a great many random web sites. (Not
            my nature) I don't open strange emails (Not my nature) I am one
            of those who checks regularly with Apple for patches and
            upgrades. (My nature) Also I don't type in my administrative
            password when simply requested to do so. (My nature) Granted
            this vulnerability does not require that....just thought I would
            mention that one on my own.

            You Windows folk have been flooded with malware for years now
            and some of those have been quite REAL and SERIOUS and still
            you manage. So taking a CUE from you guys and gals this one
            non-issue does not faze me.

            Pagan jim
          • My Goodness! I can hardly believe it!!!

            Someone who doesn't use a Windows OS saying that Windows users seem to get by even with all the so called exploits about!? Wow. I take my hat off for it having finally been said! Such words should be taken to heart by all OS users, a properly protected and secured system is pretty tough to get through no matter what the OS, and that includes XP. It's time for the users of other..let's say OSs to stop trying to sell the reputation of their respective OS by claiming vastly superior security. Whatever advantage there may be in security, it isn't vast by any means, not even as good as XP if the XP box has been secured and the alternative OS has not been secured.
          • Same as windows

            Like I said nothing is perfect...I knew as soon as this happened
            Windows users would start comparing a grain of sand to a desert.
            Exactly what is going on now. No, OSX is not on the same level as
            Windows when it comes to security. I don't know how anyone could
            make that statement at this point.
          • windows doesn't use DOS

            as of win 2k dos was separated from the OS and now windows uses shell scripts. and is fully vulnerable to the same shell scripts. or host scripts.
      • No effect here

        First I never let anything open "automatically". Secondly "Paranoid
        Android" (http://sourceforge.net/projects/paranoidandroid/) alerts
        me of anything funny. But leave it to george to blow anything Mac
        out of proportion. Makes you wonder how much MS is paying him,
        doesn't it?
        • proportion

          george didn't blow anything out of proportion this time. the article is all just facts about a vulnerability that is deemed "critical." for those people who aren't the most computer savvy, this is important information that might save them a lot of trouble. simple steps to solve this problem, and people should be aware that they should make their system secure. seems fair to me.
          glocks out
        • but how many people have that

          and even if they do, did you give your browser permission to execute. and if the install is automatic and recognized as a service your computer thinks should be ordinary.
    • Who cares?

      "So to me the problem is not so much the existence of holes but the availability of exploits to take advantage of said."

      So unless an exploit has been reported to the mainstream media (and most wouldn't publish it anyway since no one would believe them), a vulnerability is no big deal? There is no chance that people would use this without first sharing their code with the authorities? There is no chance that someone would create an exploit and not tell CNN?

      Okay, that was negative. Now I have to find something positive to say about Apple so you can't accuse me of being 100% against Apple. Hmm. How about: this shows that OSX is gaining marketshare (a good thing) because marketshare is the only reason that there have been so few exploits on OSX in the past!
      • Malware creators everywhere care.

        The only possible reason to publish an exploit is to make life easier for script kiddies and hijackers everywhere.

        Someone who wanted to protect computers instead of facilitating attacks on them would not publish the exploit code, but provide it to an organization which can confirm it and publicize its existence.
        The organization can tell CNN.

        And Apple need not be gaining market share to be the subject of malicious exploit publication. People who can afford Apple are an unusually rich target, worth a lot to identity thieves.

        I wonder if exploit publishers are paid by malware writers for doing their groundwork. If not, a substantial amount of income is being missed by the named villains.
        Anton Philidor
        • Well I for one ain't rich.....:)

          someone is wasting their time...heh heh heh

          Pagan jim
          • Buying Macs will do that to you.

            Suppose someone had published an exploit which you could easily use to attack Windows or OS X users.

            You want to use an under-the-radar approach, so that you can obtain only a few thousand victims without the notice of the AV companies.

            Would you set your published exploit to work on Windows or OS X?

            Given that you want to make the most money possible, I expect the median family income of users would make Macs a better target.

            Jim, among Mac users you're an outlier.
            Anton Philidor
          • well.. its true that...

            well its true that most Mac users generaly are better income wise. But that isnt why they have macs. They just have them bucause generally the are more educated, and have better reasoning skills. This allows them to get good job and money easier, and also lets them make better decisions in buying a computer.
          • Plus

            ....we're also much better looking, are taller than the average
            computer user, and have rich, lustrous hair styled in the latest
            tic swayback
          • RE: well.. its true that...

            >>...They just have them bucause generally the are more educated, and have better reasoning skills...<<

            'N they cn spel beter, two.
          • Another outlier

            Bill Gates. Does that skew the numbers? One must hope Warren Buffett uses a Mac...
            Real World
          • That's why I said median income...

            ... instead of average.

            Bill Gates skews the GDP of the US.
            Another resemblance to John D. Rockefeller.
            Anton Philidor