
11/21/2007, 10:45am, EST

Wednesday, November 21st

Leopard quarantine bug discovered

A flaw has surfaced in Apple's Leopard quarantine system that lets unsuspecting Mac users open specially crafted files that run with nearly any application. The quarantine system included in the latest revision of Mac OS X is designed to alert users when they attempt to open applications or disk images that arrive via Mail, Safari, or iChat. However, the safety measure fails to issue a proper warning when Mail attachments posing as pictures arrive containing a resource fork that instructs the Mac to open the file using a specific application.

A proof of concept exploit created by heiss Security -- the firm that discovered the bug -- demonstrates the flaw by printing some harmless text in a terminal window after the user clicks on an image received via email, noting that the shell script could just as easily contain commands to delete all of a user's files.

Intego's sample file using Apple's Mail program appears as an attachment with a JPEG icon that will open in Preview when double-clicked, but attempting to view the file with Quick Look reveals the truth about the masked shell script. Users receiving such a file might click the attachment to view the contents, trusting Apple's quarantine security measure to warn them about any unwanted applications received by email or other means.

"Until this bug is corrected in Mac OS X 10.5, Mac users are at risk of receiving maliciously crafted files, pretending to be image files, which could delete all of a user's files, or may contain Trojan horses," Intego said. "It is important that users do not open attachments from unknown senders, especially those that come with spam messages."
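A mail-side check for the pattern the article describes, added here as an illustration and not code from the article or the firms it names: it flags attachments whose name claims an image type while the content does not, and attachments that arrive with a resource fork. It assumes the fork travels in an AppleDouble `application/applefile` part (RFC 1740); the function names and the sample message are constructed for this example.

```python
import struct
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart

APPLEDOUBLE_MAGIC = 0x00051607  # AppleDouble header magic (RFC 1740)
RESOURCE_FORK_ID = 2            # AppleDouble entry ID for the resource fork
IMAGE_MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}

def resource_fork_length(header: bytes) -> int:
    """Size of the resource fork listed in an AppleDouble header, 0 if none."""
    if len(header) < 26 or struct.unpack(">I", header[:4])[0] != APPLEDOUBLE_MAGIC:
        return 0
    count = struct.unpack(">H", header[24:26])[0]
    table = header[26:26 + 12 * count]
    usable = len(table) - len(table) % 12  # drop a truncated trailing entry
    for entry_id, _offset, length in struct.iter_unpack(">III", table[:usable]):
        if entry_id == RESOURCE_FORK_ID:
            return length
    return 0

def audit_message(raw: bytes) -> list:
    """Return (filename, reasons) for attachments that deserve a closer look."""
    findings, rsrc = [], 0
    for part in message_from_bytes(raw).walk():
        data = part.get_payload(decode=True) or b""  # None for multipart containers
        if part.get_content_type() == "application/applefile":
            rsrc = resource_fork_length(data)  # describes the next sibling part
            continue
        name = (part.get_filename() or "").lower()
        magic = IMAGE_MAGIC.get(name[name.rfind("."):]) if "." in name else None
        reasons = [why for hit, why in (
            (magic and not data.startswith(magic), "content does not match image extension"),
            (data.startswith(b"#!"), "begins with an interpreter line"),
            (rsrc, "resource fork of %d bytes attached" % rsrc)) if hit]
        if reasons:
            findings.append((name, reasons))
        rsrc = 0
    return findings

def build_sample() -> bytes:
    """Constructed sample: harmless script text named like a JPEG."""
    header = struct.pack(">II16xHIII4x", APPLEDOUBLE_MAGIC, 0x00020000,
                         1, RESOURCE_FORK_ID, 38, 4)  # one entry: 4-byte fork
    msg = MIMEMultipart("appledouble")
    msg.attach(MIMEApplication(header, "applefile"))
    msg.attach(MIMEImage(b"#!/bin/sh\necho harmless\n", "jpeg", name="holiday.jpg"))
    return msg.as_bytes()
```

A resource fork on an image is not malicious by itself, so that finding is a prompt for review rather than a verdict; the extension and content mismatch is the stronger signal.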


8 comments
Heiss
0
11/21, 11:18am, EST
Heiss security just cleaned up a bit after their latest FUD. This is indeed a security hole for some of the users.
Fresh-Faced Recruit
Joined Jan 2006
common sense
0
11/21, 11:53am, EST
The best quote is this: "It is important that users do not open attachments from unknown senders, especially those that come with spam messages."

That is just good internet common sense, no matter which OS you're using. Apple needs to fix the bug, to be sure, but internet users should always practice common sense.
Fresh-Faced Recruit
Joined May 2007
Re: common sense
0
11/21, 12:56pm, EST
There is that glaring problem with common sense.

It ain't so common.
Fresh-Faced Recruit
Joined Jan 2007
Re: common sense
0
11/21, 2:17pm, EST
Another glaring problem is that viruses can send out mail from one person's box to a user's in their address book. So the mail you get looks like it's from a known person.

Oh, and I think Mail automatically displays pictures with emails, without a prompt, so just opening the mail (or highlighting it in your mailbox) may be enough to launch the corrupted graphic.
Fresh-Faced Recruit
Joined Aug 2001
Doesn't Sound Good
0
11/21, 3:03pm, EST
For a change, this is one of those "Mac Viruses" that actually has me concerned.
Fresh-Faced Recruit
Joined Jul 2002
Nice...
0
11/21, 3:35pm, EST
Thank you for posting such clear instruction on how to craft one of these bombs
Fresh-Faced Recruit
Joined Jun 2007
shaking
0
11/21, 11:12pm, EST
my email has 1000s of these in there. Oh my God!!!

relax people.

Doofuses
Fresh-Faced Recruit
Joined Nov 2005
re: common sense
0
11/22, 1:54am, EST
"Oh, and I think Mail automatically displays pictures with emails, without a prompt, so just opening the mail (or highlighting it in your mailbox) may be enough to launch the corrupted graphic." Actually, because Mail reads the image data itself of the enclosed image, it cannot run the script. The script is launched because the user launches it by double-clicking on it. For the same reason, any image viewer would not launch the script if the alleged image is opened from the File menu. This is also "common (technical) sense"...
Fresh-Faced Recruit
Joined Dec 2005