“In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances,” heise online reports. “It suffices to disguise a script with the ending “jpg” and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient’s system also opens it with the Terminal. Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.”
“You can use heise Security’s Emailcheck to have a harmless e-mail sent to you that demonstrates the problem… A protective measure is to move the Terminal application from /Applications/Utilities into a different folder. But the best idea is not to open any files if you don’t know where they came from,” heise online reports.
Full article here.
MacDailyNews Note: Be careful out there. For now, move your Terminal application from /Applications/Utilities into a different folder until Apple appropriately addresses the issue. As usual, only accept and open files from vendors and Web sites that you know and trust.
Advertisements:
• MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
• iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
• iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
• iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
• iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
• Connect iPod to your television set with the iPod AV Cable. Just $19.
Related articles:
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
Safari web browser auto executes shell scripts; disable ‘Open ‘safe’ files after downloading’ option – February 21, 2006
What ever happened to it being more secure? Now I’m starting to get a wee bit worried..
MDN magic word: rather. Given this, I’d rather still use mac os x.
I look forward to the day when these resource forks no longer exist. The cause all sorts of issues like this. it also makes it harder to exchange files with other platforms and breaks some utilities like rsync. Rsync kind of supports resource forks, but only halfway.
Eh, compared to all the Windows things, this is dust. You just need to use some common sense to avoid this.
I’m glad this is happening. We Mac users have been too complacent for too long. Every human invention has security issues so we always need to be on guard.
Frigging Apple!!
I know it’s blasphamy, but actually I’m quite pleased Apple is getting all this bad press lately.
They are soft, they have become pompus and their staff is acting like they are gods.
Pride comes before a fall and Apple is headed right for the cliff of death.
Of course this could all be a proganda stunt to get us to accept Trusted Computing’s strict control over our hardware and security companies are falling right for it.
The Problem has nothing whatsoever to do with the resource fork. The “shebang” mechanism is a workaround from the resource-less Unix world which seeks to emulate the resource-based creator/owner mechanism of the older MacOS.
The Problem right here appears to be that the Finder still first looks at the “shebang” BEFORE using its own file type associations. The reverse would be proper (and the Finder should still give a warning before launching unknown scripts).
Actually one can do even more, take the darn Terminal.app and change it’s extension to Terminal.zzzapp, using Get Info.
Then place the damm thing in a folder and turn it’s permssions completely “No Access”
Then move the folder into your System folder, you’ll need to authenticate.
optional: Then go change your password to something incredibly long and complicated, more than 20 characters, preferable over 40. That’s right 40.
Because “hash’s” can be run through a program like John The Ripper if your password is too weak.
http://www.openwall.com/john/
So if a pasword is incredibly long, it takes a incredily long time to crack the hash’s.
Learn more sneaky stuff by visiting MacHacking.com
wait… I tried send my friend an apple script as a joke.. changed the icon..and changed the extension to .jpg.. and Mail still labeled it as an application… I thought this could not be done….
I want an Applescript that, when I attempt to get a system update or to open Software Updater, prompts me to move Terminal back to /Applications/Utilities
“What ever happened to it being more secure?”
Yeah, OS X isn’t perfect. It’s still MORE secure than Windows.
Tough concept
” width=”19″ height=”19″ alt=”smile” style=”border:0;” />
(with apologies to the Little River Band)
An open source AV program called ClamXav is available for PPC G3,4 & 5 Macs. It has a standard scan mode and an active background monitor. Install the app, the engine, update the definitions, set up your scan & update prefs, tell it what files/folders you want it to scan and you are in business.
Definitions for the stuff getting all the attention this week ARE in the current definitions file. Remember to update the definitions after you install. Remember to launch the Sentry after you do your setup and it will launch on login and actively monitor whatever folders you choose. Dropping a user’s home folder would be a good and easy choice for non-Admin users.
The software has issues with Rosetta, so if you have a new Intel Mac, you will have to wait or look elsewhere. It is an open source app, so show the developer some love. A PayPal button is on the home page. The software is free.
http://www.clamxav.com/
Ok for those wondering what this Emailcheck says after they send you the file.
They receive this Mail on your requirement. It contains the file Heise.jpg as appendix of file. If you open this file under Mac OS X with Apple Mail, a terminal application starts and implements the contained instructions. If no terminal opens windows or if you are asked, what them with the file to do to want, they are not directly vulnerable. To your protection you should open appendices of file in principle only if you requested these explicitly or that insures them personally well-known senders for example at the telephone reliably that the Mail comes from him and is harmless contents.Yippie! I’m protected!!
Of course I boxed Ternimal.app like I mentioned in my previous post.
(changed the .app to .zzzapp, put the app in a folder and “No access” to anything the permissions and then placed the folder in my System folder which needs admin access)
Damn insiduous effect of Pop culture: i read ping’s explanation and what comes to mind upon reading “shebang”? William Hung…
” width=”19″ height=”19″ alt=”downer” style=”border:0;” />
Kill me now
I’d be more worried if any of this could even remotely happen without my ever touching the keyboard or clicking the mouse – which is more like what happens to M$ users when the latest e-mail worm wends its happy way through millions of Outlook address books simply by arriving in their inbox.
Since these purported security breaches of OS X cannot do anything of the sort and from everything I’ve read and seen about such “exploits” – that some sort of user permission is required for ANYTHING of a detrimental nature to happen on my machine – I’ll take all the “run for the hills” warnings with a grain of salt. Not that I won’t pay attention to the threat and what’s going on, mind you, it’s just that I’m remaining skeptical that it’s a viable, spreadable threat.
I just think it’s funny – okay, more sad than funny, really – that the major news outlets have glommed on to these puny reports and blown the whole thing so far out of proportion when compared to the astronomically large amount of actual physical and monetary damage that has been done by M$ and their Titanic of an OS and embedded browser and email client due to their lack of security when it comes to protection against worms and virii and trojans and malware and spyware and etc., ect…
I’ve used MS OSes for going on 20 years now. In all that time I’ve seen maybe 4 or 5 viri/worms/trojans on my systems. Not bad for such a buggy insecure system. Why?
“As usual, only accept and open files from vendors and Web sites that you know and trust.”
The sage advice from MacDailyNews has been used by me and many others to avoid the worst of infection problems. Treat the internet like a dark alley, a good defense is the best offense. Wouldn’t think people would need this kind of advice in this day and age.
You forgot one note… “Windows not affected!”
” width=”19″ height=”19″ alt=”tongue laugh” style=”border:0;” />
To combat the two script attacks posted in the last couple of days, I have simply created a new administration account and made my day to day account not have admin priv’s.
I have renamed the Utilities folder to Utilities-1.
Neither of the scripts or variants of them can affect me at this point.
I tried the email test referenced in the article and when I attempt to open the Heise.jpg file I get “Couldn’t open the file. It may be corrupt or a format that Preview does not recognize.”
Could it ever be this easy on a PeeC?
I’m glad we’ve been getting hit lately with these security issues. We mac users needed a little humbling…
This doesn’t seem so scary. If I get a supposed JPEG attachment in Mail but it doesn’t display in the message, I’m going to get very suspicious. But I suppose this means Macs are being taken seriously now.
hello security update. I hate all this “i told you so” crap, well at least apple doesnt take its sweet ass time to fix these things.
Can we just throw Terminal away? Secure Empty Trash?
If not, why not? I’ve yet to use it. I’ve been using OSX since Nov 2002.
Could we put it on a ‘thumbdrive’ for ‘a rainy day’?
MacDude, yeah it’s gotta be “proganda” try propaganda moron.
Dumbass writes: “Can we just throw Terminal away? Secure Empty Trash?
If not, why not? I’ve yet to use it. I’ve been using OSX since Nov 2002.
Could we put it on a ‘thumbdrive’ for ‘a rainy day’?”
Terminal is an interface to the UNIX world inside your Mac. Getting rid of it doesn’t get rid of the vulnerability. Besides, having the Terminal available can help diagnose problems and fix them when other things fail. Getting rid of the Terminal is a bad idea.
Who uses Mail.app anyway? It thoroughly sucks ass.
“Terminal is an interface to the UNIX world inside your Mac. Getting rid of it doesn’t get rid of the vulnerability. Besides, having the Terminal available can help diagnose problems and fix them when other things fail. Getting rid of the Terminal is a bad idea.”
I agree, but I want to make a point on this:
One thing I want to bring up – OS X is VERY powerful and it’s Unix underpinnings are the engine of that power. However, <u>forcing the average user</u> to use the terminal in ANY way seems anti-thetical to the original Macintosh OS ideology. The exclusion of a CLI was one of the very foundations of the Mac OS – the GUI. I’m NOT saying that it is bad to have the Terminal, but, my point still remains – <u>The average user should not have to deal with such things.</u>
Apple needs to continue to improve on issues like these and remember where they came from. I personally like having a CLI at my disposal, if I choose to use it, but it should not be a necessity.
And furthermore – MDN should be slamming Apple up one side and down the other on the last point I just made. Have some balls MDN!
Why? – Because if Apple does not pay attention to these Unix/terminal issues, then the old slogan of “Macintosh – The computer for the rest of us” will have become a farce.
I’m not saying that Apple should “dumb-down” the OS by any means, but they sure as hell better start integrating the Unix underpinnings with the overlaying UI better – for the average user’s sake. They shouldn’t have to deal with these sorts of issues or need to go into terminal and move things around etc. etc. ad infinitum. (Yeah, I know they’re working on it (software updates) – but the point still stands))