Re: New Patch Fixes 43 Flaws In OS X, Many Serious



"GreyCloud" <mist@xxxxxxxxxxx> wrote in message
news:wtWdnfXoXO7kvvPZRVn-sw@xxxxxxxxxxxxxx
Daniel Johnson wrote:
I think I've made my case; but this is not related to it.

You haven't made any case.
First you had better understand how the kernel gives out unique process ids,
and also how they are tied to the user id.

Process *ids* aren't tied to user ids; they are assigned sequentially.

Processes themselves are identified by ids, and associated with
users, and much else.

I think the answer has nothing to do with how processes are
started, because I do not think that Timberwoof, or you,
have any answers.

Guffaw!!! Squirming away from the fundamentals of Unix
won't do you any good. It just is the way things are handled
in Unix.

You don't know how things are handled 'in Unix'; this is
evident because all technical details on this point that have
entered our discussion have come from my hand.

[snip]
Everything coming into any UNIX box thru a browser is automatically set
to read only.

This is not true. Try it yourself; download a text file
and then check to see if you can edit it.

But it is true.

It isn't. Try it.

I did. And I doubt that you are telling the truth here.

What fascinating phrasing.

If you tried it, were you able to edit the file you
downloaded?

You should investigate more carefully about this before going on any
further. You've been too closely tied to IE.

IE runs on the Mac.

Yeah, 5.5 version from a long time ago.

It's like wine. It's better if you let it age. :D

And guess what... the kernel controls that process as well.
IE 5.5 does not equal IE 6.0. Matter of fact, IE 5.5 doesn't even
resemble the M$ version at all. Where are the trojans for OS X?

There have been but a few, and those quite crude.

But no magic pixie dust in Mac OS X prevents those from
working.

[snip]
No; even if a browser were written that did mark all
downloads as read-only, it would do no good.

That's what you think.

It is quite correct, I assure you.

And it does do a great deal of good. It prevents malware from executing
and seeing that the downloaded object has no id or user id available, the
kernel will not execute it.

No. Read-only files *do* have a user id and a group id.
(To see this, view them with "Get Info" in the Finder)

They *can* be executed. Indeed, it is very important that
this should be so. If a file had to be writable to be executable,
then setuid-root files would all be open invitations to abuse:
you would need to merely rewrite them with your own,
Evil (tm) code, and execute. setuid-root files, to work as
designed, must be read-only but executable.

[snip]
No; Mac acolytes seem terribly attached to this notion, but
it was never true. There have been exploitable bugs in IE,
but they didn't involve the user downloading things; they
were things that happened while browsing web pages.

(Which, if anything, is worse, but never mind that. :D )

Guffaw!! IE 6.0 has always executed stuff sent to it.

Sure: Javascript and so on. :D

Those are, however, not downloaded in the usual sense:
they are embedded in a web page.

Don't know about IE 7.0, but that remains to be seen.

It works much the same way as IE 6.0.

Ever have your browser hijacked while surfing?

No.

Same for OE.

As a rule, what happens to OE is that it hosts IE to render
HTML mail, and if IE is exploitable, OE is too.

It's a lot like Apple's Mail and WebKit, actually.

But actually not.

In what way is it different? It looks exactly the same
to me. WebKit=MSHTML; Safari=IE; Mail=OE.

[snip]
Interestingly, Safari has some trouble here. To this day it
still installs downloaded dashboard widgets for you.

It does? I've never seen it do it.

I have. The security features (such as they are) now
appear to work, but the basic "auto install" feature remains.

Try using Apple's widget directory web page. You won't
have to hand-install the widgets, if you are using Safari.

This does not actually run them, but it makes it all too easy
to do by accident.

Heh. I have to go to apple for widgets and select the ones I want.

Does "go to apple" mean "go to Apple's web page"?

If so, it sounds like you *have* seen auto-installed
widgets. You did not have to drag the widget icon
into your Widgets directory, did you?

At least the "first run" warning actually works now.

Of course, Safari has also had a few bugs where downloaded
executables would run automatically, as well as the usual
buffer overflows and such.

Such as?

Here's one I dug up with a quick Google search on
"Safari Vulnerability":

http://www.heise.de/english/newsticker/news/69862

[snip]
The registry is much simpler: the keys that tell the OS
how to work with the app must be put there explicitly.
You must have an installer to do this, but the user must
explicitly *run* the installer. It won't be done for him.
There's no 'smart' auto-configuration, and no self-repair.

So? The registry is the one basket mechanism. If you drop the
basket all your eggs are broken.

There is, for once, truth in what you say. The lack of
an auto-repair facility is more secure, but less reliable.

One may argue that given Microsoft's vast market share,
and Apple's tiny one, they have both made the correct
choices- it is just that the best choice for a specialty OS
with few and more sophisticated users need not favor
security so much.

[snip]
They do have the user's uid and gid, of course. Most of
the recent Safari bugs are buffer overflows; injected code
will then run inside Safari with the user's uid and gid.

Do you know how a buffer overflow works?

Yes.

This type of code and bug is easily fixed.

Yes, once you know about it. But it is easily
written as well.

The best way to avoid it is to sacrifice performance
by using a safer, but slower, programming language-
something neither Microsoft nor Apple has been
willing to do too much.

The auto-execute-downloaded-file bugs are Finder bugs,
and auto-executed files will be launched by the Finder, but
it's the same uid and gid.

What other would you expect?

I expect that you are wrong.

Why so? Just general principles?

I've yet to have anything auto-execute on me from the internet.

Me neither.

This is where the id/gid process permissions come into play.

Sure. But their behavior is simple and well documented.

[snip]
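As an added illustration of the read-only-versus-executable point argued in this post (example code of my own, not from the thread or either poster), the following POSIX shell function creates a throwaway script, strips its write bits, and shows that the file still has an owner and still runs as long as an execute bit is set, while clearing the execute bit is what actually makes execve refuse it. It also shows that a file created the way a browser download is (default umask, no chmod afterwards) comes out writable. The file names and the function name are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: read-only does not mean non-executable,
# and a read-only file still has an owner uid/gid. Only POSIX tools are used;
# file and function names are illustrative.
set -e

demo_readonly_exec() {
    tmp=$(mktemp -d)
    script="$tmp/hello.sh"
    printf '#!/bin/sh\necho hello\n' > "$script"

    # r-xr-xr-x: read-only, but executable (the shape a setuid-root binary needs)
    chmod 0555 "$script"
    mode=$(ls -ld "$script" | cut -c1-10)
    owner=$(ls -ld "$script" | awk '{print $3}')   # still has an owner
    if [ -n "$owner" ]; then has_owner=yes; else has_owner=no; fi
    out_rx=$("$script" 2>/dev/null || echo denied)  # runs: an x bit is set

    # r--r--r--: read-only AND not executable; execve refuses, even for root
    chmod 0444 "$script"
    out_r=$("$script" 2>/dev/null || echo denied)

    # A file created the way a download is (default umask, no chmod) is writable
    dl="$tmp/download.txt"
    printf 'fetched text\n' > "$dl"
    if [ -w "$dl" ]; then dl_writable=yes; else dl_writable=no; fi

    rm -rf "$tmp"
    echo "$mode owner=$has_owner rx=$out_rx r=$out_r download_writable=$dl_writable"
}

demo_readonly_exec
```

Run it from any directory whose filesystem is not mounted noexec; the one line it prints shows the 0555 file executing and the 0444 file being refused, which is exactly why a setuid-root binary can (and must) be unwritable yet still runnable.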