New Serious Flaw On OSX

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Hi Sarah,

yes it is !

It is however not that new... We recommended to turn off the relevant Preferences in Safari in June last year, for similar reasons !

https://www.mac-help.com/forums/showthread.php?t=204

I have added a Movie here, so that everyone can see what happens. The movie is a bit under Res...did it quick !

In the movie I have made a fake JPG file and then changed a few bits (not going into details of how !) then zipped it and placed it on a page...now when the unsuspecting Internet Browser comes along and downloads it...that's when the script would run if Safari is set incorrectly !

In the movie I have amended the file a couple of times just to show you what 'could' happen...In the first bit the file is downloaded...Terminal is launched and a "ls -la" is run ! All this does is list a directory...but you can see where this is going...in example two I have modified the code and now when run a Folder is "Magically" created on the Desktop !...In example 3 the Folder is deleted !!!

As you can see in the Movie...it is very easy for someone to write something that could easily wipe your hard drive !

Please note all the example files I used are no longer on this server...

In essence if you are using Safari then a Shell Script can be doctored to make the Mac think it is something else...then when you download it it will auto run.

This can be prevented by using Firefox or Camino, they do not allow the Auto execution of Downloaded files.

If using Safari then go to the Safari General Preferences and turn off "Open Safe Files After Downloading". Then this prevents the file from auto running...it will however still execute if you double click on it !

The simplest way of checking a file is to do a "Get Info" on it, once you have downloaded it. If the "Open With..." says Terminal, then don't double click it.

You can drag it onto TextEdit and open it that way, this will show you what is inside. If you are unsure, don't open it !

I have missed out some of the steps in the Movie of "how to do this" for the simple fact that I don't want to propagate the method, for this type of attack. Just doing what I did in the Movie will not make a 'dodgy' file !

I suppose it was only a matter of time. Looks like we'll all be buying some Anti Virus Software...this isn't a Virus...I presume it would be classed as a Trojan...I'll have to look it up.

Regards

Ric
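As an added example (not Ric's code, and not something from the thread or from Apple), here is a small POSIX shell script that does from the command line what Ric suggests doing by hand with "Get Info" and TextEdit: it looks at the first bytes of a downloaded file and checks whether they match what the extension claims. A file named .jpg or .zip that actually begins with "#!" is a script, whatever icon the Finder shows. The sample files it creates are constructed for the demonstration; the `disable_safari_auto_open` function only does anything on macOS, where the AutoOpenSafeDownloads key in com.apple.Safari is the preference behind the "Open safe files after downloading" checkbox.

```shell
#!/bin/sh
# Added example: compare a downloaded file's magic bytes with its extension.
# Not part of the original forum post.

# Print the first $2 bytes of file $1 as uppercase hex (od is POSIX).
first_bytes_hex() {
  od -A n -t x1 -N "$2" "$1" | tr -d ' \n' | tr 'a-f' 'A-F'
}

# check_download FILE
#   returns 0 when the content matches the extension,
#   1 when it does not (e.g. a shell script named photo.jpg),
#   2 when the extension is not one this script knows about.
check_download() {
  f=$1
  name=${f##*/}
  case "$name" in
    *.*) ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z') ;;
    *)   return 2 ;;
  esac
  case "$ext" in
    jpg|jpeg) expected=FFD8FF ;;    # JPEG SOI marker
    png)      expected=89504E47 ;;  # "\x89PNG"
    gif)      expected=47494638 ;;  # "GIF8"
    zip)      expected=504B0304 ;;  # "PK\03\04"
    *)        return 2 ;;
  esac
  magic=$(first_bytes_hex "$f" 4)
  case "$magic" in
    "$expected"*) return 0 ;;
  esac
  # 2321 is "#!": the file is a script regardless of its name.
  case "$magic" in
    2321*) echo "$f: named .$ext but starts with '#!' (a script)" >&2 ;;
    *)     echo "$f: named .$ext but magic bytes $magic do not match" >&2 ;;
  esac
  return 1
}

# scan_downloads DIR: print the number of files whose content contradicts
# their extension (unknown extensions are skipped, not counted).
scan_downloads() {
  bad=0
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    check_download "$f" 2>/dev/null
    [ $? -eq 1 ] && bad=$((bad + 1))
  done
  echo "$bad"
}

# Constructed sample files (not real downloads) in a temporary directory.
make_samples() {
  dir=$(mktemp -d)
  printf '\377\330\377\340JFIF' > "$dir/photo.jpg"        # genuine JPEG header
  printf '#!/bin/sh\nls -la\n' > "$dir/fake.jpg"          # script wearing a .jpg name
  printf 'PK\003\004' > "$dir/archive.zip"                # genuine zip header
  printf 'just text\n' > "$dir/notes.txt"                 # extension not checked
  echo "$dir"
}

# macOS only: turn off Safari's automatic opening of "safe" downloads.
disable_safari_auto_open() {
  if ! command -v defaults >/dev/null 2>&1; then
    echo "no 'defaults' command; use Safari > Preferences > General instead" >&2
    return 2
  fi
  defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

# Usage: sh check_download.sh ~/Downloads
if [ $# -gt 0 ]; then
  echo "$(scan_downloads "$1") suspicious file(s) in $1"
fi
```

The check is deliberately narrow: it only flags files that claim a known format and do not carry its header, so it reports the fake-JPEG case from the movie without second-guessing text files or formats it does not recognise.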
 
Joined
Jan 16, 2006
Messages
541
Reaction score
12
Hi Ric, thanks for the reply. I thought it was serious, but needed confirmation. Out of interest, someone (on another forum) has recommended doing the following:


Rename /applications/utilities/Terminal.app
to _Terminal.app (or you could choose something like My_Terminal)

Then create a workflow containing:
Ask for Confirmation
Launch Application

In the Ask for Confirmation, say something like Are you sure you wish to launch the Terminal? Give the security reasons why.

Launch application -> Point to _Terminal.app

Save the workflow as an application called Terminal.app in /applications/utilities

Now whenever /applications/utilities/Terminal.app is called, it will request your permission.

Will this work Ric? I have not had a chance to try it yet, but it is a good workaround if it does!

IMHO though, based on the above, carefully changing the terminal name should do the trick since the nasty would not be able to find the application that it needs (terminal) to execute its payload. You would have to remember to change any command lines you have for terminal to the new name though otherwise they would not be able to run either.
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Hi Sarah,

That's definitely one way of solving the problem...it should work, I'll give it a go later.

Apple will release a security update to stop Safari running code such as this, so as long as people keep their Macs up to date it should soon get fixed on an OS level.

The easiest fix is just to change the prefs in Safari, then the code can't run automatically. Then most people can physically remove Terminal from their machines...not that many 'regular' users, use it.

I'll give the rename App a go later...

regards

Ric
 
Joined
Jan 16, 2006
Messages
541
Reaction score
12
Hi Ric,

I have changed my terminal name, and will do so on the other machines tomorrow. I think that should be enough along with the Safari run disabled, until Apple bring out a fix.
 

Cory Cooper

Moderator
Joined
May 19, 2004
Messages
11,106
Reaction score
497

Yeah, it's ALWAYS best not to have Safari open "safe" files to begin with. For most folks, it's also best not to run as an admin.

It's really not too bad an issue...you just have to be careful and realize that it's doing "abnormal" things.

C
 
Joined
Feb 19, 2006
Messages
3
Reaction score
0
Thanx for this info guys, truly helpful...appreciate the mail informing me about this....will make the changes as advised!!! :) :)

Thanx again!!!
 
Joined
Jan 7, 2006
Messages
64
Reaction score
0
Yes, thank you very much indeed for this information - I have done as you suggested.
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
For those of you that are unsure where to make the changes here are the screen grabs...showing you where to make the changes to Safari.

[screenshot: safaripreferences020.jpg]

[screenshot: safaripreferences021.jpg]


Make sure "Open Safe Files..." is not ticked !

I am investigating this a little further to see how bad this in theory could be...new movie later !

regards

Ric
 
Joined
Dec 27, 2005
Messages
5
Reaction score
0
I agree that this is a threat, and unchecking that Safari preference helps. I'm also interested in the renaming the Terminal theory. I will do that on all our Macs until we get any update.

But, I read reports that this threat can be executed from other than Safari.
Do Mac users need to Get Info on every new file that they open to see what it's going to be opened with, clearing up the discrepancy between the icon and the extension? Will renaming the Terminal.app be enough?
 
Joined
Dec 27, 2005
Messages
5
Reaction score
0
Kyomii said:
someone (on another forum) has recommended doing the following:

Rename /applications/utilities/Terminal.app
to _Terminal.app (or you could choose something like My_Terminal)

Then create a workflow containing:
Ask for Confirmation
Launch Application

In the Ask for Confirmation, say something like Are you sure you wish to launch the Terminal? Give the security reasons why.

Launch application -> Point to _Terminal.app

Save the workflow as an application called Terminal.app in /applications/utilities

Now whenever /applications/utilities/Terminal.app is called, it will request your permission.
I tried this workflow unsuccessfully. But, I tested it with TextEdit. I wasn't sure how to create a file that would be executable by Terminal, so I pretended it was a TextEdit problem. I first tried just renaming TextEdit to _TextEdit. My TXT document still knew to open _TextEdit. I then created a workflow as above, and my TXT document still knew to open with _TextEdit. If I Get Info on the file and change Open With to TextEdit.app (the new workflow one), and select Apply to all file like this, then it does work - it does ask for confirmation. But... how do we modify all potentially dangerous files to open with the Terminal.app workflow versus the real thing?
 

Ric

Joined
May 14, 2004
Messages
4,260
Reaction score
5
Hi all,

I shall be doing some more testing tomorrow...have made another movie...shows it a bit clearer.

I'll have some better answers regarding the renaming etc tomorrow...

regards

Ric
 
