Feb 24 2006
It seems that we can’t go a few days before someone warns of a possible way that a hypothetical someone might conceivably exploit an obscure flaw in Mac OS X. So far none of these warnings has amounted to much save for a bit of paranoia from Mac users and a lot of unwarranted glee from jealous PC users.
It’s been a couple of days since the Safari shell script vulnerability (a zero-day exploit) was described, so it must be time for another doomsday scenario to be revealed… the Mac OS X Metadata Exploit…
I received the following from Intego this morning:
Exploit: Mac OS X metadata exploit
Discovered: February 24, 2006
Description: Compressed archives can contain resource forks and HFS metadata stored in an invisible “__MACOSX” folder. Data contained in these resource forks and HFS metadata can mask the real type of a file in the archive, causing shell scripts to execute if users double-click such files.
The risk inherent in this exploit is that any compressed archive may contain such resource forks and metadata, and that decompressing an archive and double-clicking a resulting file can execute a shell script contained in the invisible __MACOSX folder.
Safari users who have not turned off auto-execution of “safe” files will download the malicious Zip archive, which will then execute. Even if this option is turned off, the Zip archive will download, and a user may double-click it to decompress it, then double-click its contents, causing the file to execute.
An additional exploit has been discovered, by which a malicious user can hack a web site, and add a script to a page that will generate a zip archive containing executable code. A user merely needs to visit a web page: the script actually creates the zip archive; the file itself does not need to be on the hacked server or any other server.
The ramifications of this are quite serious. While the first example above requires that a user double-click a file twice (if auto-execution of “safe” files is turned off), in the second case, users may go to a website where they expect to download legitimate files (zipped graphics, video, or even applications), and end up with a potentially dangerous executable.
When clicking on a link for a legitimate download, the script generates a zip archive that the user expects to receive. The user then decompresses the archive and expects the resulting file (an image, video or application) to be a graphic or application.
Means of protection: The first way to protect against this exploit is to uncheck the option Open “safe” files after downloading, found in Safari’s General preferences. (This option is on by default, and Mac OS X would be more secure if it were set to off.) But to fully protect against the possibility of accidentally executing code in a file downloaded intentionally, Intego VirusBarrier X and X4, with their virus definitions dated February 23, 2006, offer protection from this type of hidden executable file.
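The advisory's core point is that a file whose name promises data (an image, a movie) can actually be a shell script, with the hidden `__MACOSX` folder carrying the metadata that hides its real type. Here is an added example (not Intego's or Apple's code) of a defender-side check that opens a zip archive, pairs each payload file with any `__MACOSX/._name` metadata entry, and flags members that have a data extension but begin with a `#!` shebang; the archive it inspects is constructed inline and its metadata entry is a labelled placeholder, not a real resource fork.

```python
import io
import posixpath
import zipfile

# Extensions a user would expect to open as data, never to run as a program.
DATA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp4", ".pdf", ".txt"}

def _macosx_metadata_targets(names):
    """Map '__MACOSX/dir/._name' entries back to the 'dir/name' files they describe."""
    targets = set()
    for n in names:
        if not n.startswith("__MACOSX/"):
            continue
        head, _, tail = n[len("__MACOSX/"):].rpartition("/")
        if tail.startswith("._"):
            targets.add((head + "/" if head else "") + tail[2:])
    return targets

def scan_archive(data: bytes) -> list:
    """Return one finding per member that looks like data by name but is a shell
    script by content, noting whether hidden __MACOSX metadata accompanies it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        metadata_for = _macosx_metadata_targets(zf.namelist())
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("__MACOSX/"):
                continue
            ext = posixpath.splitext(info.filename)[1].lower()
            with zf.open(info) as fh:
                head = fh.read(2)          # a script starts with the '#!' shebang
            if ext in DATA_EXTENSIONS and head == b"#!":
                findings.append({
                    "member": info.filename,
                    "reason": "shell script carrying a data-file extension",
                    "has_macosx_metadata": info.filename in metadata_for,
                })
    return findings

def build_sample_archive(disguised: bool) -> bytes:
    """Constructed test data, not a captured sample: a zip holding 'photo.jpg'
    plus a __MACOSX entry. With disguised=True the 'image' is a shell script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        body = (b"#!/bin/sh\necho constructed sample\n" if disguised
                else b"\xff\xd8\xff\xe0 fake-jpeg-bytes")
        zf.writestr("photo.jpg", body)
        # Placeholder standing in for the resource fork / HFS metadata (not AppleDouble).
        zf.writestr("__MACOSX/._photo.jpg", b"PLACEHOLDER-METADATA")
    return buf.getvalue()
```

A clean archive yields no findings; the disguised one yields a single finding for `photo.jpg` with `has_macosx_metadata` set, which is the combination the advisory describes.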
Scared? Don’t be.
This is just a warning of a possibility. We have nothing to fear but anti-virus companies plotting to profit from your fear itself. There have been no reports of anyone actually being infected or harmed by a malicious file leveraging this exploit. Do not be alarmed.