Mac OS X/Safari DMG vulnerability reported: Turn off automatic opening of ‘safe’ files to prevent

“FrSIRT (the French Security Incident Response Team) reports on a newly demonstrated flaw affecting versions of Safari in Mac OS X 10.4.8 and prior where maliciously crafted disk images — which are used to distribute most Mac OS X software packages — can allow an attacker to crash or gain control of the target system,” MacFixIt reports.

The reported workaround for this issue is to turn off the “Open safe files after downloading” option in Safari as follows:
1. Open Safari
2. Open “Preferences” under the “Safari” menu
3. Click on the “General” tab at the top
4. Un-check the “Open ‘safe’ files after downloading” box
5. Close Safari’s preferences
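The same preference can be audited and switched off from a terminal, which is handy when checking more than one Mac. The script below is an added example, not part of the MacDailyNews or MacFixIt text; it assumes macOS with the `defaults` tool and Safari's `AutoOpenSafeDownloads` key in the `com.apple.Safari` domain.

```shell
# Added example (not from the MacDailyNews post or MacFixIt): audit and, on
# request, disable Safari's "Open 'safe' files after downloading" option from
# a terminal. Assumes macOS, the `defaults` tool, and the preference key
# com.apple.Safari AutoOpenSafeDownloads.

# Map the raw value printed by `defaults read` to "on"/"off".
# An absent key means Safari uses its built-in default, which is ON, so an
# audit that treats "missing" as "off" would wrongly report a safe state.
normalize_autoopen() {
  case "$1" in
    1|true|TRUE|yes|YES) echo on ;;
    0|false|FALSE|no|NO) echo off ;;
    "") echo on ;;           # key not set: Safari's default is to auto-open
    *) echo unknown ;;
  esac
}

# Read the live setting for the current user.
# Prints on/off/unknown, or "unavailable" when `defaults` is not present.
safari_autoopen_state() {
  command -v defaults >/dev/null 2>&1 || { echo unavailable; return 0; }
  raw=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || true)
  normalize_autoopen "$raw"
}

# Turn the option off for the current user (same effect as the GUI steps).
# Safari must be quit and reopened to pick the change up.
safari_autoopen_disable() {
  command -v defaults >/dev/null 2>&1 || { echo "defaults not found (not macOS?)" >&2; return 1; }
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Usage: sh safari-autoopen.sh            # report current state
#        sh safari-autoopen.sh --disable  # switch it off, then report
if [ "${1:-}" = "--disable" ]; then
  safari_autoopen_disable && echo "AutoOpenSafeDownloads: $(safari_autoopen_state)"
else
  echo "AutoOpenSafeDownloads: $(safari_autoopen_state)"
fi
```

Run it once per user account that uses Safari, since the preference is per-user rather than system-wide.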

MacFixIt reports, “Note that your system will still experience a kernel panic if you double-click the downloaded malicious disk image in order to mount it.”

Full article with links here.

MacDailyNews Note: As usual, do not download files from links posted by untrusted sources.

MacDailyNews Note: 8:30pm EST: We have banned the posting of links to .dmg files in the “Reader Feedback” section.

Related MacDailyNews article:
Mac OS X flaw crashes Safari, Finder – March 29, 2006
Safari web browser auto executes shell scripts; disable ‘Open ‘safe’ files after downloading’ option – February 21, 2006

52 Comments

  1. Well, a few hours ago my system crashed after it downloaded a file called MOKB-20.dmg. And I mean ‘it’ downloaded a file because I did not. I was away from my iMac for a few minutes. Ironically, Safari was open on … MDN. Be careful!

  2. This is not news. Anyone can “craft” poorly written software that causes a crash or kernel panic, etc. Anyone that’s used a computer for more than a few years has surely run across this kind of bad programming and the resultant hangs, etc.

    What will be news is if/when someone uses this purposefully and in order to harm another user’s computer. DMGs are, of course, a good mode of distribution, especially if auto-mount is active in Safari.

    just my 2c

  3. People are going to make a big deal out of this, but it’s dumb. Does whoever opens this unknown image also need to be told not to swallow nails?

    Sorry, eaxit. Let me direct you to the emergency room…

  4. Kinda weird having this file linked in posts on this very site a few threads ago. Open safe is turned off already on my computer. I’m guessing that Symantec and MS are going to be getting very creative to try and blunt the Apple sales juggernaut this holiday season. This is just a first salvo.

  5. Remember when any app could freeze the entire OS? heheheh

    So, some group releases a kernel freeze every month, and someone around here just puts it up for a download with a name like, Cheap Macbook Pro!?

    Sounds juvenile.

  6. I remember this “fix” from a few years ago, then I thought Apple changed something where you could now leave it on.

    Just remember, to turn it back on if you’re downloading a widget and want it to load itself into your Library > Widgets folder. Then remember to turn it off again. Or you’ll have to drag and drop it yourself.

  7. Anthony: “So is this actually a virus?”

    Nope. What it is is a corrupt dmg file that causes the dmg mounter application to crash. Being part of the kernel it therefore causes a “kernel panic”, Apple’s label for a crashed kernel. (kernel = guts of the MacOS)

    Wake me when someone figures out a way to crash the kernel in such a way that they cause it to execute their own code.

    Wake me with a hammer when someone can do that without me asking for it.

  8. Use Firefox as your default browser, at least that way you have to double-click on the dmg file first before it can do anything. Also, note that your admin password is not needed.

    Also, don’t click on ass-munch Hot Mac’s link above.

  9. Buffalo, Use Version Tracker. If you wind up on a page with a program or package which looks like something you could use or you’d like to give it a test drive, scoot over to the Version Tracker site and download it from there. If it’s legit, it’ll probably be there.

    And probably best to stay away from P2P sites/programs.

  10. In order to “play” with the linked file, I 1st disabled the opening of “safe” files, downloaded it (I knew what I was receiving, as I always enable the status bar on all my Macs), then reassigned the handling of all .DMG’s to Roxio’s Toast.
    Toast ignores the command to mount MOKB-20.dmg, so for now, Safari is once again allowed to open “Safe” files.
    Toast ignores the malformed file, and even if it didn’t and crashed in the process of trying, no harm would have (hopefully) been done.

  11. As MDN suggests – just turn off the open files after downloading preference (which – imo – should be off by default…). That way, it’s only an extra click via the downloads window to open whatever gets downloaded – but which places full control in the hands of the user.

  12. “People are going to make a big deal out of this, but it’s dumb. Does whoever opens this unknown image also need to be told not to swallow nails?”

    “It’s idiots like this that carry around cans of spray paint because they have no way (and little enough intellect) to satisfy their underfed egos.”

    Get over it. Welcome to the Internet. 90% of Windows viruses require that the user do something dumb.

    You need to move through the three phases of Mac Security Denial and Acceptance

    First there is outrage, Second a realization that you’re not going to be able to stop these idiots, then finally the installation of antivirus software which makes such links a complete non issue…

    PS. Mac OS X never crashes and is invulnerable to Malware. Anybody who’s seeing their Mac crash when downloading this link is on some kind of drugs.

  13. help me out here,

    I hit the link from an earlier thread, and I had to restart my computer, I dragged it to trash and emptied it.

    and followed your advice with “safe DL” unchecked, and status bar on, “that’s neat”

    am I ok now??

  14. Gawrsh, I’m so stupid that I clicked on a bunch of links and it crashed my computer. And my IQ is 30. And I had a frontal lobotomy last week. And I’m on crack.

    Dear MDN: is it time yet for registered forums instead of anonymous posting? I can only think of one or two reasons for doing so:

    1) Ability to boot the asshat posting the corrupt DMG link from every name he can think of.

    2) The end of “impersonating” users in order to make them look bad by posting crap under their nom de plume.

    3) The beginning of some amount of accountability so that people can actually be identified for posting inflammatory or just stupid remarks instead of always being anonymous, or able to change names every post with no hassle.

    4) Requiring registration might just keep a few of the dumbest trolls and Windows lovers from bothering to post their flamebait.

    5) Could actually provide a little insight into the credibility of a person’s post by seeing how often they have posted, and being able to search for their previous posts and see their comment history.

    Ok, it’s quite a few reasons. Any thoughts?

    P.S. Any posts on this thread from blucaso after this one are not mine. I have no intention of following up this comment.

  15. Blucaso has it right..

    I like the anonymous posting but like anything too open, the occasional pimple dick will wander in, think he’s funny, and screw around because his Dad bought him a Dell laptop and he’s got wifi access and because ‘math is too hard’ and he’s bored.
    Time for registration…or better yet a CLEAR label that if you ARE a registered user of MDN you get an automatic, site generated label next to your name that can’t be forged. That way we can gang up on the real assholes until the spew melts them into the oblivion they deserve.

Reader Feedback
