Friday, February 24, 2006

The security flaw in OS X: bad

Macintouch has the first decent and clear analysis of what Apple did wrong. The way OS X "identifies" a file is a hack, a kludged compromise between Mac Classic, UNIX, BeOS, Windows, and NeXTStep. The results include some fundamental contradictions which can be easily exploited.
MacInTouch: timely news and tips about the Apple Macintosh

[MacInTouch Reader] The initial press coverage of the (misnamed) Safari/Terminal vulnerability has a number of folks barking up the wrong tree.

This vulnerability has nothing to do with Safari, other than Apple's design mistake of having Safari by default open "safe files" making the exploit far easier.

This vulnerability has nothing to do with Terminal, other than Terminal being a convenient way to run arbitrary scripts. There are other bundled apps that handle provided scripts. For example, compiled AppleScripts in 10.3 can be run despite being renamed as a jpg or the like via a metadata reference to Script Runner.

This vulnerability is not specific to zip files. Any archive file type that can contain metadata in an OS-X-standard way can be used. Examples are zip, tar, ...

This vulnerability is two mistakes together, involving the application and use of improper metadata.

The first mistake is in the OS routines and example code that allow writing usro or other resources which are inconsistent with a file's extension. The applications that take advantage of these routines/examples, and which can consequently be used to extract exploits, include at minimum the default BOMArchiveHelper (OS X 10.3 or newer), and StuffIt Expander 10.

The second mistake is in the OS routines that have the Finder, Mail, and likely many others displaying the file type branding (icon) based on the extension (.jpg, .mov, etc.), while then opening the file based on the non-matching type and owner in the usro metadata.

The second is more critical to fix, across the board, as malicious files can potentially be written to disk by an attacker without using traditional archivers like BOMArchiveHelper or StuffIt Expander.
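The two mistakes above describe a file whose extension says "image" while its resource fork says "open me with this application". The scanner below is an added example, not code from the MacInTouch reader or from this blog: it inspects a zip archive for members whose `__MACOSX/._name` AppleDouble sidecar (the way Apple's archiver stores resource forks in a zip) contains a `usro` resource, and flags the ones whose visible extension looks like a passive document. It assumes the classic resource-fork layout (header, data section, resource map with type and reference lists) and the AppleDouble entry layout (entry ID 2 is the resource fork). The `usro` payload is treated as an opaque byte string; the sample archive, the application path written into it, and the list of "passive" extensions are constructed for this example.

```python
import io
import struct
import zipfile

# Extensions the Finder and Safari present as passive documents (icon chosen by
# extension). Constructed for the example; Safari's real "safe file" list is its own.
PASSIVE_EXTENSIONS = {".jpg", ".jpeg", ".gif", ".png", ".mov", ".pdf", ".txt"}

APPLEDOUBLE_MAGIC = 0x00051607
ENTRY_RESOURCE_FORK = 2


def build_resource_fork(resources):
    """Serialise (type, id, payload) tuples into a classic resource fork image:
    16-byte header, reserved block to offset 256, data section, resource map."""
    data_section = b""
    by_type = {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data_section)))
        data_section += struct.pack(">I", len(payload)) + payload
    types = list(by_type)
    type_list = struct.pack(">h", len(types) - 1)
    ref_lists = b""
    ref_off = 2 + 8 * len(types)            # first reference list follows the type list
    for rtype in types:
        refs = by_type[rtype]
        type_list += rtype + struct.pack(">hH", len(refs) - 1, ref_off)
        for rid, doff in refs:
            # id, name offset (-1 = unnamed), attributes, 3-byte data offset, handle
            ref_lists += struct.pack(">hh", rid, -1) + b"\0" + doff.to_bytes(3, "big") + b"\0" * 4
        ref_off += 12 * len(refs)
    map_body = type_list + ref_lists
    # map header: header copy (16), handle (4), file ref (2), attributes (2),
    # then map-relative offsets to the type list (2) and the (empty) name list (2)
    res_map = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(map_body)) + map_body
    header = struct.pack(">IIII", 256, 256 + len(data_section), len(data_section), len(res_map))
    return header + b"\0" * 240 + data_section + res_map


def parse_resource_fork(fork):
    """Return {type: [(id, payload), ...]} for every resource in a fork image."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    (type_list_off,) = struct.unpack(">H", fork[map_off + 24:map_off + 26])
    tl = map_off + type_list_off
    (ntypes,) = struct.unpack(">h", fork[tl:tl + 2])   # stored as count - 1
    out = {}
    for i in range(ntypes + 1):
        ent = tl + 2 + 8 * i
        rtype = fork[ent:ent + 4]
        nrefs, ref_off = struct.unpack(">hH", fork[ent + 4:ent + 8])
        for j in range(nrefs + 1):
            ref = tl + ref_off + 12 * j
            (rid,) = struct.unpack(">h", fork[ref:ref + 2])
            dstart = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            (dlen,) = struct.unpack(">I", fork[dstart:dstart + 4])
            out.setdefault(rtype, []).append((rid, fork[dstart + 4:dstart + 4 + dlen]))
    return out


def build_appledouble(resource_fork):
    """Wrap a resource fork as the single entry of an AppleDouble '._' sidecar."""
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\0" * 16 + struct.pack(">H", 1)
    entry = struct.pack(">III", ENTRY_RESOURCE_FORK, len(header) + 12, len(resource_fork))
    return header + entry + resource_fork


def appledouble_resource_fork(blob):
    """Return the resource-fork entry of an AppleDouble file, or None if absent."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return None
    (count,) = struct.unpack(">H", blob[24:26])
    for i in range(count):
        eid, off, length = struct.unpack(">III", blob[26 + 12 * i:38 + 12 * i])
        if eid == ENTRY_RESOURCE_FORK:
            return blob[off:off + length]
    return None


def build_sample_zip():
    """Constructed archive: photo.jpg looks like an image, but its __MACOSX sidecar
    carries a usro resource naming an application (payload is an assumed app path)."""
    fork = build_resource_fork([(b"usro", 0, b"/Applications/Utilities/Terminal.app\0")])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
        zf.writestr("__MACOSX/._photo.jpg", build_appledouble(fork))
        zf.writestr("notes.txt", b"plain member, no sidecar")
    return buf.getvalue()


def scan_zip(zip_bytes):
    """Flag members whose AppleDouble sidecar binds them to an application via usro."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.startswith("__MACOSX/"):
                continue
            folder, _, leaf = name[len("__MACOSX/"):].rpartition("/")
            if not leaf.startswith("._"):
                continue
            member = (folder + "/" if folder else "") + leaf[2:]
            fork = appledouble_resource_fork(zf.read(name))
            if fork is None:
                continue
            ext = "." + member.rsplit(".", 1)[-1].lower() if "." in member else ""
            for rid, payload in parse_resource_fork(fork).get(b"usro", []):
                findings.append({"member": member, "usro_id": rid,
                                 "usro": payload.rstrip(b"\0"),
                                 "passive_extension": ext in PASSIVE_EXTENSIONS})
    return findings


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f"{f['member']}: usro -> {f['usro']!r} (passive extension: {f['passive_extension']})")
```

A member that carries any `usro` resource deserves a look; one whose extension is on the passive list is exactly the icon-says-image, metadata-says-application mismatch the reader describes. The same parser applies to resource forks read directly from disk (the `com.apple.ResourceFork` extended attribute), which covers the case where the file arrives without an archiver at all.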

I've long suspected that the kludged history of OS X would make it very vulnerable to attacks. That's why I've never boasted of the fundamental security of OS X. I suspect security experts felt likewise. So why now? I wonder if this had anything to do with the hacked betas of OS X/Intel that are circulating. A whole new audience may be playing with OS X ...

It will be amusing if it turns out that the primary security feature of OS X was that malicious hackers couldn't afford the hardware to allow them to develop attacks. Now they can. If so, there will be a lot of others coming.

Apple is being characteristically silent. They've known this would happen; it's a bad sign that they haven't fixed the problem long ago ...

Update 3/6/06: Matt Neuberg has a very good summary of this problem. Fundamentally he agrees with me, but he knows more.
