Intego Security Memo: Mac OS X Leopard Quarantine Bug Allows Users to Launch Malicious Attachments in Mail

November 2007 by Intego Security Alert

Exploit: OSX.Exploit.MetaData.B

Discovered: November 20, 2007

Risk: Low

Description: Mac OS X 10.5 (Leopard) provides a "quarantine" system that alerts users when they attempt to open applications that arrived via Mail, Safari or iChat, or that came in disk images downloaded with these programs. It also alerts users the first time they launch any other application they have installed or manually added to their Applications folder.

This system should warn users in every case where such an executable file is opened, but a bug in the quarantine system, discovered by Heise Security on November 20, 2007, allows a potentially malicious attachment to be launched from Mail without any warning.

The system relies on Leopard's LaunchServices database, which records all applications and executable files added to a user's Mac. However, when certain executable attachments arrive by e-mail, this protection does not operate correctly. The current proof of concept is a shell script stored in a file with a .jpg extension. The file also carries a resource fork whose usro resource names the application that should open it (in this case, Terminal), and it has the executable permission bit set. Within Mail, the file shows as an attachment with a JPEG icon, indicating that Preview will open it, but viewing it with Quick Look shows that it is not an image file.

A user receiving this file might be tempted to click it to see what it contains. While this proof of concept merely displays some text in a Terminal window, it would be simple to build a similar file whose single command, when executed in Terminal, deletes all of the user's files.
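The proof of concept described above combines three properties: an image extension on a file whose content is a script, the executable permission bit, and a resource fork that overrides the opening application. The following Python script, added here as an illustration and not part of Intego's memo or of VirusBarrier, scans a folder such as ~/Library/Mail Downloads for attachments showing those properties. The two sample files it builds are constructed for the demonstration; the resource-fork and quarantine checks rely on the macOS extended attributes com.apple.ResourceFork and com.apple.quarantine and simply report nothing on other platforms.

```python
import os
import stat
import tempfile

# Magic bytes a genuine file with each "image" extension must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def xattr_names(path):
    """Extended attribute names of a file; empty where listxattr is unavailable."""
    try:
        return set(os.listxattr(path))
    except (OSError, AttributeError):
        return set()


def inspect_file(path):
    """Return the reasons an image-named file looks like a disguised executable.

    An empty list means the file is consistent with its extension.
    """
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext not in IMAGE_MAGIC:
        return reasons  # only image-looking names are of interest here

    with open(path, "rb") as fh:
        head = fh.read(16)
    if not any(head.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        reasons.append("content does not match the %s header" % ext)
    if head.startswith(b"#!"):
        reasons.append("begins with a shebang line (shell script)")

    mode = os.stat(path).st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("executable permission bit set")

    attrs = xattr_names(path)  # macOS stores forks and quarantine flags as xattrs
    if "com.apple.ResourceFork" in attrs:
        reasons.append("carries a resource fork (may hold a usro opener override)")
    if reasons and "com.apple.quarantine" not in attrs:
        reasons.append("no com.apple.quarantine attribute, so no quarantine prompt")
    return reasons


def scan_dir(directory):
    """Map each suspicious file name in directory to its list of reasons."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            reasons = inspect_file(path)
            if reasons:
                findings[name] = reasons
    return findings


def build_samples(directory):
    """Constructed sample attachments: one genuine JPEG header, one disguised script."""
    genuine = os.path.join(directory, "sunset.jpg")
    with open(genuine, "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01")  # JFIF header only

    disguised = os.path.join(directory, "cat.jpg")
    with open(disguised, "wb") as fh:
        fh.write(b"#!/bin/sh\necho 'this ran in Terminal, not Preview'\n")
    os.chmod(disguised, 0o755)  # executable, as in the proof of concept
    return genuine, disguised


def demo():
    """Build the samples in a temporary folder and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        return scan_dir(tmp)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it against a real folder with scan_dir(os.path.expanduser("~/Library/Mail Downloads")); the content check is the decisive one, since an executable bit or a resource fork alone can be legitimate, whereas a .jpg that starts with a shebang never is.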

When a user clicks an attachment in Mail, the program stores a copy of the attachment in the user's ~/Library/Mail Downloads folder, from which the Finder then opens it. When a malicious attachment containing a script and a resource fork (its usro resource tells the Finder to open the file with a specific application) arrives in Mail, the user can open it once without Mac OS X displaying the quarantine alert. Only when the user opens the attachment again later does the alert appear, saying that the attachment may be an application and that it will be opened by Terminal.
The bug has to do with the way Leopard manages quarantines. The first time a user opens an attachment, Mail opens the file directly without passing through the quarantine system. On subsequent openings of the same attachment, Mail no longer opens the attachment directly but instead opens the copy it saved in the Mail Downloads folder, which does trigger the alert.
If the user receives a second message with the same attachment, the situation is worse: they receive no alert at all. Because a file of that name has already been saved to the Mail Downloads folder from a different message, Mail does not open the original attachment but makes a new copy (named <attachment name>-1, <attachment name>-2, etc.) and opens that copy with no warning.
Until this bug is corrected in Mac OS X 10.5, Mac users are at risk of receiving maliciously crafted files that pretend to be image files and that could delete all of a user's files or contain Trojan horses. Users should not open attachments from unknown senders, especially those that arrive with spam messages.
Intego VirusBarrier X4 with virus definitions dated November 21, 2007 protects against this problem. Since this bug allows maliciously crafted files to execute with a single click from Mail, users are advised to check for new virus definitions regularly with NetUpdate, to make sure they are protected against any new exploits that may appear.

