Mac OS X Vulnerability

DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
edited August 15, 2006 in Digital Darkroom
There's a vulnerability in OS X that was discovered, and unlike most, this one is a cause for concern.

MacFixit has a good description of what it is and possible solutions, of which, this one is my choice:
Make Terminal ask for permission

This is the most involved workaround, and probably the most effective. It involves replacing the Terminal application with an automator script that will intercept calls to Terminal and seek your permission to run Terminal before executing.

1. First you will need to download the Automator script, created by a MacFixIt reader, by going to the Finder>Go>iDisk>Other User's Folder... then typing "pehowland" (without quotes) and pressing return.
2. Next, download the file named "Terminal.app.zip" and unstuff it. The resulting file will be an Automator script application named "Terminal.app" or just "Terminal" if you have file extension display turned off.
3. Next, using the Finder, go to /Applications/Utilities and rename Terminal.app to _Terminal.app.
4. Copy the replacement Terminal.app (the Automator script) into /Applications/Utilities
5. Now every time a shell script attempts to launch the Terminal, the automator script will launch instead and demand user permission before the actual Terminal is launched.

If you want to undo this process, just delete my new Terminal.app and rename _Terminal.app back to Terminal.app.

Note: this is a quote from MacFixit. To be clear, you access "Other User's Public Folder" in the iDisk part of the Go menu in Finder. Thanks to Andy for helping me make it idiot-proof!
Moderator Emeritus
Dgrin FAQ | Me | Workshops

Comments

  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited February 21, 2006
    Given the similarity to the Widget thing a while back and Apple's quick response to that, I would guess that a Tiger update with a fix is not far off...
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 21, 2006
    I made the mod, smart one, too. Despite the fact that DavidTO's instructions suck eggz. I will fix them.
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited February 21, 2006
    All kidding aside, this is a good thing to do. Do it.
  • Andy Registered Users Posts: 50,016 Major grins
    edited February 21, 2006
    Takes about 25 seconds. I did it on my lappy, too. Nice to be buttoned up!
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited February 21, 2006
    Apparently you can also just move Terminal.app to another location. Like make a folder in your applications folder called "Other Utilities" and put it there.
  • CatOne Registered Users Posts: 957 Major grins
    edited February 22, 2006
    DavidTO wrote:
    Apparently you can also just move Terminal.app to another location. Like make a folder in your applications folder called "Other Utilities" and put it there.

    They can update the script to not hardcode an absolute path, and find it. The right way is to disable the launching of safe attachments.
  • cabbey Registered Users Posts: 1,053 Major grins
    edited February 22, 2006
    hmm... just to prevent panic, perhaps the thread name should be changed to "Safari (Mac OS/X default web browser) Vulnerability" ?

    Do we know if this is webkit or safari.app yet?
    SmugMug Sorcerer - Engineering Team Champion for Commerce, Finance, Security, and Data Support
    http://wall-art.smugmug.com/
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited February 22, 2006
    CatOne wrote:
    They can update the script to not hardcode an absolute path, and find it. The right way is to disable the launching of safe attachments.


    Actually, I think the Automator action is the right way to do it. Disabling open safe attachments is a great measure of security, but if YOU open it after download, you're still hosed. Better to have Terminal ask permission to open so that it only opens when you expect it. If you open this attachment without that action, the terminal opens and you're already too late....
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited February 22, 2006
    cabbey wrote:
    hmm... just to prevent panic, perhaps the thread name should be changed to "Safari (Mac OS/X default web browser) Vulnerability" ?

    Do we know if this is webkit or safari.app yet?


    See, it's not JUST Safari. Safari makes it easier for this thing to work, but if you downloaded it and opened it, it is exactly the same thing...so Safari's not the only problem. It's an OSX vulnerability. And no, you shouldn't panic, but you should be concerned.
  • cabbey Registered Users Posts: 1,053 Major grins
    edited February 23, 2006
    DavidTO wrote:
    See, it's not JUST Safari. Safari makes it easier for this thing to work, but if you downloaded it and opened it, it is exactly the same thing...so Safari's not the only problem. It's an OSX vulnerability. And no, you shouldn't panic, but you should be concerned.

    Everything I've read says the problem is the auto open failing to detect a file as "unsafe". Sure I could use any browser to download any random foo.sh and execute it, allowing it to do bad things... but then that's my own stupidity at fault, not the browser. The vulnerability here is that *if* "Open \"safe\" files after downloading" is checked then after pulling down said random file you downloaded it fails to properly detect that it isn't really a "safe" file and so it executes it. (Doesn't this logic seem back-ass-wards to anyone else?? Wouldn't a white-list approach be better?)

    The question if it's Safari or Webkit that is doing the autoopen is interesting because of how many hundreds of applications use webkit internally for fetching things. If it's Safari that's doing the "safe" detection and auto open, then the problem is far simpler to solve... uncheck the box in prefs until Apple fixes it. If on the other hand the problem is webkit... well then the question I guess is if that check box in Safari actually impacts webkit globally or not?
    SmugMug Sorcerer - Engineering Team Champion for Commerce, Finance, Security, and Data Support
    http://wall-art.smugmug.com/
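
The allow-list idea raised in the post above, as an added example that is not part of the original thread and does not reproduce how Safari decides what is "safe". The type table, the deny-list and the sample downloads are all constructed for illustration; the point is that the allow-list check fails closed on anything it does not recognise, including a file whose content does not match its name.

```python
import os

# Constructed allow-list: extension -> leading bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Constructed deny-list, the kind a "detect unsafe files" check relies on.
DENIED_EXTENSIONS = {".sh", ".command", ".app", ".pkg"}


def denylist_auto_open(filename: str, content: bytes) -> bool:
    """Weak form: auto-open anything whose name is not known to be dangerous."""
    ext = os.path.splitext(filename.lower())[1]
    return ext not in DENIED_EXTENSIONS


def allowlist_auto_open(filename: str, content: bytes) -> bool:
    """Hardened form: auto-open only when the extension is allow-listed AND
    the content begins with a signature expected for that extension."""
    ext = os.path.splitext(filename.lower())[1]
    signatures = ALLOWED.get(ext)
    if signatures is None:
        return False  # unknown type: fail closed
    return content.startswith(signatures)


# Constructed sample downloads: (file name, first bytes of content).
SAMPLES = [
    ("holiday.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),           # real JPEG header
    ("holiday.jpg", b"#!/bin/sh\necho constructed sample\n"),   # name and content disagree
    ("notes.xyz", b"plain text"),                               # type nobody listed
    ("install.sh", b"#!/bin/sh\n"),                             # known script extension
]


def compare(samples=SAMPLES):
    """Return (name, deny-list verdict, allow-list verdict) for each sample."""
    return [(n, denylist_auto_open(n, c), allowlist_auto_open(n, c)) for n, c in samples]


if __name__ == "__main__":
    for name, weak, strict in compare():
        print(f"{name:12} denylist={weak!s:5} allowlist={strict}")
```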
  • CatOne Registered Users Posts: 957 Major grins
    edited February 23, 2006
    I had someone get me with a test attachment they sent via iChat.

    I got a nice picture of a goatse pumpkin ;-)
  • Andy Registered Users Posts: 50,016 Major grins
    edited August 15, 2006
    David I need support. I don't think this app runs on the Mac Pro.

    Help :)
  • DavidTO Registered Users, Retired Mod Posts: 19,160 Major grins
    edited August 15, 2006
    Andy wrote:
    David I need support. I don't think this app runs on the Mac Pro.

    Help :)


    Of course it does. It's an Automator Script.
  • Andy Registered Users Posts: 50,016 Major grins
    edited August 15, 2006
    DavidTO wrote:
    Of course it does. It's an Automator Script.

    Of course it does. I was just momentarily befuddled. Kinda got that new machine giddiness thing goin on :D

    All is well!