Mac OS X Vulnerability

DavidTO · February 21, 2006

There's a vulnerability in OS X that was discovered, and unlike most, this one is a cause for concern.

MacFixit has a good description of what it is and possible solutions, of which, this one is my choice:

Make Terminal ask for permission This is the most involved workaround, and probably the most effective. It involves replacing the Terminal application with an automator script that will intercept calls to Terminal and seek your permission to run Terminal before executing.

1. First you will need to download the Automator script, created by a MacFixIt reader, by going to the Finder>Go>iDisk>Other User's Folder... then typing "pehowland" (without quotes) and pressing return.
2. Next, download the file named "Terminal.app.zip" and unstuff it. The resulting file will be an Automator script application named "Terminal.app" or just "Terminal" if you have file extension display turned off.
3. Next, using the Finder, go to /Applications/Utilities and rename Terminal.app to _Terminal.app.
4. Copy the replacement Terminal.app (the Automator script) into /Applications/Utilities
5. Now every time a shell script attempts to launch the Terminal, the automator script will launch instead and demand user permission before the actual Terminal is launched.

If you want to undo this process, just delete my new Terminal.app and rename _Terminal.app back to Terminal.app.

Note: this is a quote from MacFixit. To be clear, you access "Other User's Public Folder" in the iDisk part of the Go menu in Finder. Thanks to Andy for helping me make it idiot-proof!

DavidTO · February 21, 2006

Given the similiarity to the Widget thing a while back and Apple's quick response to that, I would guess that a Tiger update with a fix is not far off...

Andy · February 21, 2006

I made the mod, smart one, too. Despite the fact that DavidTO's instructions suck eggz. I will fix them.

DavidTO · February 21, 2006

All kidding aside, this is a good thing to do. Do it.

Andy · February 21, 2006

Takes about 25 seconds. I did it on my lappy, too. Nice to be buttoned up!

DavidTO · February 21, 2006

Apparently you can also just move Terminal.app to another location. Like make a folder in your applications folder called "Other Utilities" and put it there.

CatOne · February 22, 2006

DavidTO wrote:

Apparently you can also just move Terminal.app to another location. Like make a folder in your applications folder called "Other Utilities" and put it there.

They can update the script to not hardcode an absolute path, and find it. The right way is to disable the launching of safe attachments.

cabbey · February 22, 2006

hmm... just to prevent panic, perhaps the thread name should be changed to "Safari (Mac OS/X default web browser) Vulnerability" ?

Do we know if this is webkit or safari.app yet?

DavidTO · February 22, 2006

CatOne wrote:

They can update the script to not hardcode an absolute path, and find it. The right way is to disable the launching of safe attachments.

Actually, I think the Automator action is the right way to do it. Disabling open safe attachments is a great measure of security, but if YOU open it after download, you're still hosed. Better to have Terminal ask permission to open so that it only opens when you expect it. If you open this attachment withtout that action, the terminal opens and you're already too late....

DavidTO · February 22, 2006

cabbey wrote:

hmm... just to prevent panic, perhaps the thread name should be changed to "Safari (Mac OS/X default web browser) Vulnerability" ?

Do we know if this is webkit or safari.app yet?

See, it's not JUST Safari. Safari makes it easier for this thing to work, but if you downloaded it and opened it, it is exactly the same thing...so Safari's not the only problem. It's an OSX vulnerability. And no, you shouldn't panic, but you should be concerned.

cabbey · February 23, 2006

DavidTO wrote:

See, it's not JUST Safari. Safari makes it easier for this thing to work, but if you downloaded it and opened it, it is exactly the same thing...so Safari's not the only problem. It's an OSX vulnerability. And no, you shouldn't panic, but you should be concerned.

Everything I've read says the problem is the auto open failing to detect a file as "unsafe". Sure I could use any browser to download any random foo.sh and execute it, allowing it to do bad things... but then that's my own stupidity at fault, not the browser. The vulnerability here is that *if* "Open \"safe\" files after downloading" is checked then after pulling down said random file you downloaded it fails to properly detect that it isn't really a "safe" file and so it executes it. (Doesn't this logic seem back-ass-wards to anyone else?? Wouldn't a white-list approach be better?)

The question if it's Safari or Webkit that is doing the autoopen is interesting because of how many hundreds of applications use webkit internally for fetching things. If it's safari that's doing the "safe" detection and auto open, then the problem is far simpler to solve... uncheck the box in prefs untill apple fixes it. If on the other hand the problem is webkit... well then the question I guess is if that check box in safari actually impacts webkit globably or not?

CatOne · February 23, 2006

I had someone get me with a test attachment they sent via iChat.

I got a nice picture of a goatse pumpkin ;-)

Andy · August 15, 2006

David I need support. I don't think this app runs on the Mac Pro.

Help

DavidTO · August 15, 2006

Andy wrote:

David I need support. I don't think this app runs on the Mac Pro.

Help

Of course it does. It's an Automator Script.

Andy · August 15, 2006

DavidTO wrote:

Of course it does. It's an Automator Script.

Of course it does. I was just momentarily befuddled. Kinda got that new machine giddyness thing goin on

All is well!

Mac OS X Vulnerability

Comments