New Security Update out today (Mar. 1)
Posting Junkie
Join Date: Dec 2000
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Installed just fine here.
Mac Elite
Join Date: Sep 2003
Location: London
Downloaded, restarted, tried oompa loompa demo file:
http://www.heise.de/security/dienste.../Heise.jpg.zip
file contents:
Code:
/bin/ls -al
echo
echo
echo "heise Security: Sie sind verwundbar."
echo
echo
Lists your home directory. That's all; drag the file over a text editor and it'll show you the text.
The new update now tells me this file isn't what it's supposed to be.
Everything else (OS wise) seems to run fine.
(Last edited by moodymonster; Mar 1, 2006 at 09:02 PM.)
Senior User
Join Date: Mar 2002
Location: CT
It does warn you, but it still leaves a safe-looking Heise.jpg file on your desktop. All this update does is stop all of this from happening automatically; however, it doesn't stop code from hiding inside a file that looks just like a jpg. The system should really warn you if a .jpg, .mov, etc. tries to open using Terminal. There is no reason for that. It shouldn't just warn you; it should completely block it and tell you to go to File -> Open in Terminal if you wish to open this file.
Also if you have Virex running with 'active scanning' enabled downloading this file will cause Safari to crash.
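Added example, not part of any post in this thread: a small POSIX shell check for the situation described above, a download named like an image whose bytes are not an image. It goes beyond the .jpg case to PNG, GIF and PDF; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): compare a file's claimed extension
# with its leading "magic" bytes.

# Print the first $2 bytes of file $1 as lowercase hex without spaces.
magic_hex() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# 0 = content matches extension, 1 = mismatch, 2 = extension not checked.
ext_matches_content() {
    ext=$(printf '%s' "${1##*.}" | tr 'A-Z' 'a-z')
    case $ext in
        jpg|jpeg) want=ffd8ff ;;
        png)      want=89504e470d0a1a0a ;;
        gif)      want=47494638 ;;
        pdf)      want=25504446 ;;
        *)        return 2 ;;
    esac
    [ "$(magic_hex "$1" $(( ${#want} / 2 )))" = "$want" ]
}

# List every regular file in directory $1 whose content contradicts its name.
scan_downloads() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        rc=0
        ext_matches_content "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then
            printf 'MISMATCH %s\n' "${f##*/}"
        fi
    done
}

# Constructed sample data: a script saved as .jpg and a file with JPEG magic.
demo() {
    d=$(mktemp -d)
    printf '/bin/ls -al\necho\n' > "$d/Heise.jpg"
    printf '\377\330\377\340JFIF' > "$d/photo.jpg"
    scan_downloads "$d"
    rm -rf "$d"
}

demo
```

This only compares name and content; it does not tell you which application the system will launch for the file, which is the part the posters say the update left open.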
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by moodymonster
What does the code in that file do exactly?
Mac Elite
Join Date: Aug 2002
Location: Safe House
Open safe files after download is still checked!
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by Orion27
Open safe files after download is still checked!
Umm, why do you think it would have been unchecked? Nowhere does Apple state this update is supposed to change that setting.
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by Chris Grande
It does warn you, but it still leaves a safe-looking Heise.jpg file on your desktop. All this update does is stop all of this from happening automatically; however, it doesn't stop code from hiding inside a file that looks just like a jpg. The system should really warn you if a .jpg, .mov, etc. tries to open using Terminal. There is no reason for that. It shouldn't just warn you; it should completely block it and tell you to go to File -> Open in Terminal if you wish to open this file.
I totally 100% agree with you. Apple has only partially addressed this issue.
Professional Poster
Join Date: Jan 2002
Location: London, UK
The code in the test file causes Terminal to open and it runs a script to show you the contents of the top level of your home directory. That is all.
This is a band aid fix for this hole, but at least it is doing something - one suspects it is going to take a lot longer to fix the underlying flaw that means the file still looks innocuous in the Finder.
Mac Elite
Join Date: Jun 2005
Everything feels snappier®.
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Originally Posted by moodymonster
Downloaded, restarted, tried oompa loompa demo file.
This has nothing to do with the oompa/loompa Leap-A thing.
Mac Elite
Join Date: Jan 2002
Location: Durham, NC
It doesn't seem worth starting a new thread in Applications for this, so:
What's Safari's build number after the update?
Mac Elite
Join Date: Sep 2003
Location: London
Originally Posted by slugslugslug
It doesn't seem worth starting a new thread in Applications for this, so:
What's Safari's build number after the update?
Version 2.0.3 (417.8)
Mac Elite
Join Date: Jan 2002
Location: Durham, NC
Originally Posted by moodymonster
Version 2.0.3 (417.8)
Oh, good, then I don't have to go editing Saft's .plist. Thanks.
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Not quite sure what forum etiquette is here, but I just picked up this posting from VL-Tone at MacRumors:
"Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked.
Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and report a "corrupted file" error.
Sure the actual data inside the file can be a malicious script, but there is now no way to make it execute unless you manually remove the extension after downloading and force the terminal to open it.
If you do a get info after removing the extension, you see that it shows: "Kind: Unix Executable File".
So you say "Someone can still put a custom icon on these and make people click on it!" without doing get info. Wrong! Double click this Unix Executable and what happens? It opens in TextEdit!!
It means that also squashes the Leap.A trojan to pieces. Try to download Leap.A, double click on it and it opens in TextEdit, showing you the malicious terminal code!
Apple took these issues seriously and it shows.
From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. And Safari will warn you if it finds .app files or a compressed file it cannot check before completing the download."
This is excellent from Apple! Nothing can run as a trojan unless it has a .app file name, and any new application being opened for the first time will ask you if you want to run it! Only seven days since Leap-A - very impressive Steve and co.!
"Believe nothing, no matter where you heard it, or who has said it, not even if I have said it, unless it agrees with your own reason and your own common sense."
Buddha
Posting Junkie
Join Date: Dec 2000
^ This is just not true. The Heise example still opens in the Terminal when double-clicked on my iMac.
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by CharlesS
^ This is just not true. The Heise example still opens in the Terminal when double-clicked on my iMac.
Exactly.
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Sorry! I'm just following it over there and so I'd better keep it going a bit! And it's 3:30 am here! Bugger! If 'Open Safe Files after downloading' is ON in Safari it will open in the application related to the file name. So Leap-A with its .jpg would give you a Preview error message saying 'corrupt file' - so the concealed .app cannot run.
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
...or you could go to MacRumors yourself and let me go to bed!
Forum Regular
Join Date: May 2005
Location: Somewhere they can't find me
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by allblue
Sorry! I'm just following it over there and so I'd better keep it going a bit! And it's 3:30 am here! Bugger! If 'Open Safe Files after downloading' is ON in Safari it will open in the application related to the file name. So Leap-A with its .jpg would give you a Preview error message saying 'corrupt file' - so the concealed .app cannot run.
But if the option is OFF within Safari it doesn't follow that behavior? Hmm, that doesn't make any sense.
Senior User
Join Date: Mar 2002
Location: CT
Originally Posted by rickey939
But if the option is OFF within Safari it doesn't follow that behavior? Hmm, that doesn't make any sense.
And it's not true; if Open Safe Files is on, it gives you the warning but doesn't try to open the file. The file is just on your Desktop. If you double-click it, Terminal still opens. Apple didn't fix the larger issue. I'm not sure what the person over at MacRumors is doing.
Posting Junkie
Join Date: Dec 2000
Yeah, it's actually safer to have the "safe" files thing on now, since that's the only way you'll get warned...
Mac Elite
Join Date: Sep 2003
Location: London
There's PA, which does offer some protection:
http://www.unsanity.com/haxies/pa/
Paranoid Android can now notify you when a file is launched with a custom application (one other than the default one for the document's file type). This does not affect opening documents from within applications.
Updated to mitigate the recent Safari/LaunchServices exploit described in detail here.
Last time something like this happened, Apple's solution was basically what unsanity did.
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by moodymonster
Wow, that works beautifully...just what Apple should have done. Thank you!
Grizzled Veteran
Join Date: Nov 2000
Location: USA
After installing the update my Mail.app is pretty much gone. ? for the dock icon and an AppleScript icon in the Applications folder that doesn't do anything.
Grizzled Veteran
Join Date: Nov 2000
Location: USA
Disregard post about new widgets. Figured out I hadn't booted up the iMac since the last update added them :-)
(Last edited by iKevin; Mar 3, 2006 at 04:13 PM.)
Mac Elite
Join Date: Jul 2002
Those were in a previous update.
Addicted to MacNN
Join Date: Feb 2003
Location: NY²
@iKevin, those came with 10.4.5. Pretty sure it was .5. I'll be corrected if I'm wrong.
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by mdc
@iKevin, those came with 10.4.5. Pretty sure it was .5. I'll be corrected if I'm wrong.
v10.4.4 brought the new and updated widgets.
Grizzled Veteran
Join Date: Nov 2000
Location: USA
Yeah, I'm an idiot and hadn't booted the iMac in a while... Thanks for the info though.
Mac Elite
Join Date: Dec 2002
Location: Silicon Valley
I downloaded that file and it ran in my terminal.... Ummmmm did this just mess my system up?!?!
I was expecting a message like you guys said!!!
help!
Anyone who would letterspace blackletter would steal sheep. - Frederic Goudy
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Originally Posted by Webscreamer
I downloaded that file and it ran in my terminal.... Ummmmm did this just mess my system up?!?!
I was expecting a message like you guys said!!!
help!
The code in the test file causes Terminal to open and it runs a script to show you the contents of the top level of your home directory. That is all. Your system is not messed up.
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Another half-baked "security" update from Apple.
This fix only takes care of the symptoms but avoids the real problems going back to resource forks, but that's for another discussion.
If you insist on using Safari, first quit it and open the Terminal. Enter the following command all in one shot:
sudo defaults write com.apple.Safari AutoOpenSafeDownloads -bool NO;defaults write /Library/Preferences/com.apple.Safari AutoOpenSafeDownloads -bool NO
This effectively places a Safari preference file at the root Library level that will prevent "safe" files from automatically downloading for any new user. It's the equivalent of unchecking the box in the General prefs. If you were to edit com.apple.Safari.plist and remove AutoOpenSafeDownloads, the default of "Open Safe Files" will be checked once again. You have to tell it NO (either by unchecking the box) or performing the command to make it a system-wide setting.
As far as the PithHelmets and Safts breaking with every Safari update, I recommend using Privoxy. I found it a lot easier to configure and even though it has very strict filtering out of the box, you can freely customize it however you want. And it won't break.
One last caution: Fink and Darwin Ports users will find that rsync is broken by this update. Simply install rsync via Fink and/or Darwin Ports and you'll be back in business.