Formulate Affinity
three clicks and a drag… A Kurt Moore blog

Finally, a real security hole in OS X
Friday February 24th 2006, 12:16 am
Filed under: Personal

In case you have been living under a turd, or are a Windows user: Safari struck by Zip security warning. In a nutshell, someone managed to shove some special metadata into a zip archive, and when it is downloaded and auto-unzipped, it is run. This fires up your terminal, and it could be any command a malicious person wanted to run.

It’s particularly neat, at least I think so. The real problem with this is that it can be shoved into a meta refresh on a website and downloaded automatically. Or, worse, I have heard you can embed it in an email and Mail.app will happily execute it as well.

What’s not neat is all the rubbing in my face the Windows crowd likes to send my way. I counted no less than 7 emails from ‘friends’ telling me about it. I mean, for Christ’s sake, they do know I read /., don’t they? Anyway, I guess it is their duty to let me know the score is now 1 to 9,000,000,000,000. Oh, and it is not even in the wild yet, so at this point it is just conjecture.

Secunia.com says:

Do not open files in archives or mail attachments originating from untrusted sources.

The vulnerability can be mitigated by disabling the “Open safe files after downloading” option in Safari.

Not a bad idea. I have a better one, and an all-out paranoid method as well. Screw “mitigating” the problem; some moron may just click the file anyway. Simply zip up your terminal: 99% of the people out there who would get infected with this will never use the terminal, so just zip it up and you are cured.

Next up would be something more aggressive. I would bet that, in the worst-case scenario, the thing someone would try to do is this one:

rm -rf ~

What does that do? It deletes all of your files. So, we could simply drop a hidden file in our home directory and make it root-owned:

cd ~
touch .A
sudo chown root .A

By doing this, the bad script would get an alert:
override rw-r--r-- root/haneda for .A?
which would more or less stop it in its tracks.

However, one could be tricky about this and issue specific directory paths, so you may want to drop that same file in all your directories, or even do so recursively.

Added Friday, February 24, 2006 12:42:45 PM
The above root-owned file is probably a bad idea in retrospect, as it can be worked around pretty easily with some switches.

I was thinking: just alias rm to myrm, or something to that effect, which should at the very least stop file deletion.
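Both home-grown defences on this page can be checked in a scratch directory instead of a real home directory. The script below is an added example, not code from the original post: the first function shows that the read-only marker file from the earlier section does not survive rm -rf (the point conceded in the update), and the second implements the alias-rm-to-myrm idea from the update as a wrapper that refuses to delete / or the home directory and passes everything else to the real rm. The function names (marker_survives_rm_rf, safe_rm) and the scratch-directory layout are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. It puts the two home-grown
# defences above to the test in scratch directories that stand in for ~.
# Function names (marker_survives_rm_rf, safe_rm) are assumptions.

# 1. The root-owned / read-only marker file (.A).
#    The "override rw-r--r-- ... ?" prompt only appears when rm is run
#    without -f and stdin is a terminal. With -f, rm never asks; whether the
#    unlink succeeds depends on write permission to the *directory*, which
#    the user owns. Returns 0 if the marker survived, 1 if rm -rf removed it.
marker_survives_rm_rf() {
    scratch=$(mktemp -d)          # stand-in for the home directory
    touch "$scratch/.A"
    chmod 444 "$scratch/.A"       # same "not writable" state as the root-owned file
    rm -rf "$scratch"             # the command the post worries about, aimed at scratch
    [ -e "$scratch/.A" ]          # exit status: 0 = survived, 1 = gone
}

# 2. The "alias rm to myrm" idea as a shell function. It refuses to delete
#    / or the home directory itself and hands every other argument to the
#    real rm. Caveat: aliases and functions are not expanded in
#    non-interactive scripts, so a script run by Terminal never sees this.
safe_rm() {
    home_real=$(cd "${HOME:-/}" && pwd -P)     # physical path, symlinks resolved
    for arg in "$@"; do
        case "$arg" in
            -*|"") continue ;;                     # skip options like -rf and empty args
        esac
        # Resolve directory arguments the same way so ~, ~/ and symlinks all match
        target=$(cd "$arg" 2>/dev/null && pwd -P) || target="$arg"
        case "$target" in
            /|"$home_real")
                echo "safe_rm: refusing to delete $arg" >&2
                return 1 ;;
        esac
    done
    command rm "$@"                                # call the real rm, not this function
}

# Demo when run directly. A scratch directory plays the role of $HOME so
# nothing real is touched.
if marker_survives_rm_rf; then
    echo "read-only marker survived rm -rf (unexpected)"
else
    echo "read-only marker was deleted by rm -rf: the marker trick does not hold"
fi
scratch_home=$(mktemp -d)
HOME=$scratch_home
if safe_rm -rf "$scratch_home" 2>/dev/null; then
    echo "safe_rm let the home directory through (unexpected)"
else
    echo "safe_rm refused; $scratch_home is intact"
fi
rmdir "$scratch_home"
```

Run it with sh. The wrapper only protects shells in which it is defined (an interactive shell that sourced it), which is why it belongs next to the Secunia advice and the zip-up-Terminal trick rather than in place of them.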
