Apple may go further with ‘download validation’ to increase protection from Mac OS X trojans

On March 1, Apple released Security Update 2006-001 which “added a function called ‘download validation’ to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac,” Joris Evers reports for CNET News. “But Apple failed to address a key part of the problem, the fix should be at a lower, operating system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said.”

“With its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. ‘The tools most people use (now) have built-in validation for things before they even get to the desktop,’ [Apple VP Phil Schiller] said. ‘The point of where people get the file is often through the browser and mail and instant messaging.’ Apple’s security fix is an important first step, said Michael Lehn, doctoral candidate and research assistant at the University of Ulm in Germany. ‘I think Apple did the right thing,’ said Lehn, who first disclosed the Mac OS X vulnerability. ‘The fact that a script gets executed automatically had to be fixed immediately. They just have to go further.’”

“The unresolved vulnerability is due to a problem with the Mac OS Finder, the component of the operating system used to view and organize files, Lehn said. The operating system assigns an identifying image, or icon, for a file based on the file extension. However, it decides which application will handle the file based on information that is stored separately from the file, called metadata,” Evers reports. “Apple is thankful for the feedback, Schiller said. The company recognizes that adding more validation, perhaps at a deeper level in the operating system, could help protect users of applications other than Safari, Mail and iChat.”

Full article here.

MacDailyNews Note: As usual, do not download, install and/or double-click files from untrusted sources. Use the Finder’s “Get Info” command to check any file about which you are unsure before you double-click it.
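An automated form of the check the note above recommends, as an added example that is not from the article or from Apple: it flags files whose extension claims an image or movie but whose leading bytes do not match that format, or which carry execute permission. It inspects file content and permissions only, not the Finder metadata the article describes; the signature table and the sample file names are constructed assumptions.

```python
import os
import stat
import tempfile

# Signatures for extensions users treat as "safe" media: (offset, magic bytes).
SIGNATURES = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide"), (4, b"free")],
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def check_file(path):
    """Return the reasons a file does not look like what its extension claims."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in SIGNATURES:
        return []  # extension not covered by this check
    with open(path, "rb") as fh:
        head = fh.read(16)
    reasons = []
    if not any(head[o:o + len(m)] == m for o, m in SIGNATURES[ext]):
        reasons.append("content does not match " + ext)
    if os.stat(path).st_mode & EXEC_BITS:
        reasons.append("execute permission set")
    return reasons

def scan(directory):
    """Map each flagged file name in a directory to its reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        reasons = check_file(path) if os.path.isfile(path) else []
        if reasons:
            findings[name] = reasons
    return findings

def demo():
    """Scan a temp directory of constructed sample files."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # JPEG header
        "kitten.jpg": b"echo constructed sample\n",          # text posing as image
        "notes.txt": b"plain text\n",                        # not covered
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        os.chmod(os.path.join(d, "kitten.jpg"), 0o755)
        return scan(d)
```

Point `scan()` at a downloads folder to list mismatches before opening anything; a clean result does not rule out a file whose handler is set through metadata.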

Related MacDailyNews articles:
Apple releases Security Update 2006-001 for Mac OS X; includes fixes for Safari, Mail, iChat issues – March 01, 2006
Apple releases Mac OS X Tiger Update 10.4.1, fixes Dashboard widget auto-installation issue – May 16, 2005

16 Comments

  1. So, are these guys MORONS? What will the postal department do to stop Anthrax being sent by regular mail?

    If people are stupid enough to click on a link that they have no clue about, then they deserve it.

    I hope the government launches a lot of p0rn sites with such files as links just to erase their drives off..

  2. Regardless of whether or not this is a first step, I think Apple should be applauded for addressing the issue so quickly and taking steps to cut off any potential security threats. I wonder if the Windows brethren would have received a fix so quickly from Microsoft?

  3. ALL people need to do is use their common sense.

    e.g. – you get an email from an unknown address/person with an attachment. YOU DO NOT CLICK ON IT OR DOWNLOAD IT!

    Simple as that – bloody common sense.

    I have set up my junk mail filter so that ALL emails I get that are not in my address book go straight in the trash (I get 200+ emails a day and 185 of them will be spam).

    The odd one I want goes in there too – but I just add the details to my address book – problem solved.

    Education and awareness is the key… WHEN WILL PEOPLE LEARN??

  4. S,
    on the contrary. The fix only works if you have “Open safe files” checked. Otherwise, you’ll get a .zip file, and as soon as you double-click it, you’re f*cked.
    The guy who discovered the crack in the system, Michael Lehn, I guess he may have a job offer coming once he finishes his thesis.

  5. Apple’s patch fixed the worst part of the problem which was where a nefarious ne’er-do-well would put a link on a web page that appears to go to a new html page, but really links to a malicious script which is so small that it downloads before you can stop it and then launches in Terminal before you even know what happened. This was what was really scary, so it’s great that we don’t have to worry about that anymore.

    As for downloading files, the user has certain responsibilities here, as always. There are some things that Apple could do to further protect the user but in the end the user is the one who needs to use their head.

  6. 1. Not all files have metadata.
    2. The Finder isn’t broken.
    3. It doesn’t matter anyway. Apple will transition to Microsoft Vista in 2007.

    Why else would they move from PowerPC to intel?
