Security Update 2006-001, CVE-2006-0848, and the Architecture of Finder

Date: Monday, March 6th, 2006, 07:00
Category: Software

Mac OS X has been the target of a few proof-of-concept attacks as of late, and Apple has addressed them rather quickly. Usually the security community tries to abide by a process of professional courtesy that involves disclosure, an advisory, and releasing the gory details post-patch.
Obviously you shouldn’t rely on the kindness of strangers when it comes to such things, since it should be clearly evident that in the IT world, nobody has to play fair.
But is the issue over and done with? Did Apple really solve the problem? Security Update 2006-001 mitigates only one possible method of exposure to the underlying flaw, without actually addressing the flaw itself. What is the issue? Metadata.
You can’t trust the Finder. The Finder in Mac OS X is easily lied to and betrays the user by rendering icons based on file extension, even though the extension is ultimately meaningless when a variety of metadata inside the file is in use. This gives the user a false sense of safety, and allows for a variety of clever attacks against end users.
This isn’t an issue solely limited to Mac OS X — a similar problem has plagued MS Windows for years, where giving a file a different extension can trick a user into thinking it is safe to open, like a TXT text file, when in reality it is a Visual Basic script that executes an attack on the workstation.
Even today, an attacker could easily create a shell script that executes something nasty or downloads a copy of malware from a remote host and executes it, rename the file to be “From Mom.mp4” and most people would be none the wiser. Ultimately the problem lies in bad user behavior and a disconnect between the actual contents of a file and its extension.
Ultimately, the Finder shouldn’t be relying on a mere file extension to identify a file to the user. Most users of Mac OS X trust the visual cues that are presented to them, even when they shouldn’t.
So while it is good that Apple turned around the Open Safe Files issue in Safari, there is still plenty of opportunity for malicious users to trick an individual into running arbitrary code on their system. The interface between the keyboard and the eyes is always the richest to attack, especially when Mac users have been able to blissfully go about their lives without worrying about wide-scale attacks and have largely ignored the 10-year head start they had on the Windows world.
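The check the Finder does not make can be run by hand. The following is an added example, not code from this post or from Apple: it flags files whose extension looks passive while the leading bytes or the POSIX execute bit say otherwise. The extension list, function names and sample files are assumptions constructed for illustration, and it does not inspect resource-fork or type/creator metadata.

```python
import os
import stat
import tempfile

# Extensions a user would treat as passive data (assumed list, extend as needed).
PASSIVE_EXTS = {".mp4", ".mov", ".mp3", ".jpg", ".png", ".gif", ".txt", ".pdf"}
# Mach-O magics (both byte orders) plus the universal magic (shared with Java classes).
MACHO = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
         b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")
ANY_EXEC = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def mismatch_reasons(path):
    """Return why a passive-looking file name contradicts what the file is."""
    if os.path.splitext(path)[1].lower() not in PASSIVE_EXTS:
        return []
    with open(path, "rb") as fh:
        head = fh.read(4)
    reasons = []
    if head.startswith(b"#!"):
        reasons.append("content is a script (shebang)")
    if head.startswith(MACHO):
        reasons.append("content is a Mach-O binary")
    if os.stat(path).st_mode & ANY_EXEC:
        reasons.append("execute bit is set")
    return reasons

def scan(root):
    """Walk root and map each suspicious file name to its reasons."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                reasons = mismatch_reasons(full)
                if reasons:
                    findings[name] = reasons
    return findings

def demo():
    """Build three constructed sample files and scan them."""
    samples = {"From Mom.mp4": b"#!/bin/sh\necho hello\n",          # script posing as video
               "holiday.mp4": b"\x00\x00\x00\x18ftypmp42\x00\x00",  # genuine MP4 header
               "notes.txt": b"plain text\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        os.chmod(os.path.join(d, "From Mom.mp4"), 0o755)
        return scan(d)
```

Pointing `scan()` at a downloads or mail-attachments folder gives a quick list of files to look at before double-clicking anything.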
As I wrote over two weeks ago,

  • Don’t open unknown, unexpected attachments.
  • Don’t talk to strangers.
  • Use plain text email.
  • Don’t be logged in as an administrator unless you need to be an administrator right now.
  • Turn on the firewall Apple gave you. It is awesome and it is free.

Do not let more than a decade of knowledge gained and lessons learned by those less fortunate than you go to waste!
