Re: If you want a "technical insight" into "Safari Vulnerability"



Eric Lindsay <NOSPAmar2005@xxxxxxxxxxxxxxx> writes:

Obviously if you double click to open the ".jpg" file, the shell script
executes. Safari was not involved at all. This vulnerability exists
regardless of how the file reaches your system, whether via a browser
download (any browser), ftp, mail, anything.

The vulnerability consists basically in the fact that with OS X a file
can have an arbitrary icon and an arbitrary application to be opened
with, and this information is attached to the file (instead of saved
locally on the machine). This is not a bug, but a feature. Whether it is a
feature one wants to have is another question. How often have there been
people bragging about how you could assign a file to be opened with
Photoshop, give it to another user, and also on his system the file would
be opened by Photoshop, even if he has configured his system to open
images with another app. There. You can't have your cake and eat it, too.

And the shell script actually does not execute, it is handed over to
Terminal that executes it (since Terminal is an app to execute lines of
shell commands). It's just a document, the same way as a Word file is a
document (and even may contain code that is executed by Word). This is
also a feature, not a bug. The only thing looking somewhat like a bug is
Safari offering to automatically open certain documents.

OS X has lots of convenience features -- what's new is the fact that
there are people looking hard at these and finding ways to do not so
convenient things with them. This is hard to fix without compromising
convenience. There is no real bug to blame here; all of this has been
innocently added as features. Apple already had to cut back some Mac
specific conveniences: in Tiger you can't have a JPG file ending in .mp3
anymore, since suffixes count now (and rightly so, you don't want to
have a file ending with .dmg and still being treated as an application).
They will have to cut back some more. There is no magic way to avoid
such vulnerabilities and have everything else stay the same.


Jochem

--
"A designer knows he has arrived at perfection not when there is no
longer anything to add, but when there is no longer anything to take away."
- Antoine de Saint-Exupery
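The mismatch discussed in the post (a file named .jpg that is really a shell script, whatever icon or "open with" application it carries) can be spotted on the receiving side by comparing the extension with the file's leading bytes. This is an added example, not code from the thread; the magic-number table and the sample files are constructed for the demonstration.

```python
import os
import tempfile
# Leading bytes expected for the image extensions this example knows
# (constructed table; extend as needed).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(name: str, data: bytes) -> str:
    """Compare the extension with the leading bytes: "ok" when they agree,
    "script-in-image" when an image name hides a shebang script, "mismatch"
    when the bytes fit neither, "unchecked" for extensions not in the table."""
    magic = IMAGE_MAGIC.get(os.path.splitext(name)[1].lower())
    if magic is None:
        return "unchecked"
    if any(data.startswith(m) for m in magic):
        return "ok"
    if data.startswith(b"#!"):          # an interpreter would run this
        return "script-in-image"
    return "mismatch"

def scan_dir(path: str) -> dict:
    """Classify every regular file directly inside `path` by its first 16 bytes."""
    results = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                results[entry] = classify(entry, fh.read(16))
    return results

def demo() -> dict:
    """Write constructed sample files to a temp dir and scan them."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,     # genuine JPEG header
        "holiday.jpg": b"#!/bin/sh\necho not a picture\n",    # script named .jpg
        "logo.png": b"GIF89a" + b"\x00" * 10,                # GIF bytes under .png
        "notes.txt": b"plain text",                          # extension not checked
    }
    with tempfile.TemporaryDirectory() as tmp:
        for fname, content in samples.items():
            with open(os.path.join(tmp, fname), "wb") as fh:
                fh.write(content)
        return scan_dir(tmp)
if __name__ == "__main__":
    for fname, verdict in demo().items():
        print(f"{fname:12s} {verdict}")
```

Only the first bytes are inspected, so this catches the case from the thread but not every disguised file; it is a cheap first check, not a substitute for the suffix enforcement the post credits to Tiger.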