***WARNING***
Extremely Nerdy Mac Security Stuff Follows – it is however important to read if you are a Mac user.

I’ve playing around with the proof of concept security scares – mainly the safari executing shell scripts thing and the Inqtana Bluetooth thing.

First the Safari “__MACOSX” ZIP Archive Remote Code Execution Exploit:
Synopisis
There is still a viable attack vector for malware on OS X. Attachments or downloads can launch arbitrary code on your machine when you open them. User intervention is required to launch the disguised file but the admin password is not required unless the malware contains code that requires admin privileges.

Good Info [here](http://isc.sans.org/diary.php?storyid=1138&rss), [here](http://www.heise.de/english/newsticker/news/69862), and how this also affects Apple Mail [here](http://www.heise.de/english/newsticker/news/69919)

You can download a working demo to test with [here](http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip)
You can also get a demo emailed to you for testing Apple Mail [(in German!)](http://www.heise.de/security/dienste/emailcheck/demos/go.shtml?mail=apple)

The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and have Safari opening “safe” files, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user.
If Safari is set to not open safe files but you unzip the file and then double click on the resulting jpeg – then the exploit still works and a shell script is executed. This is bad. This demo attack only lists files in a folder but even if you are not an admin user the script could do things like delete all your files.

OK just going to do the same test after running Apple Security Update 2006-001 – this update (which “came out” tonight) fixes 15 security holes and should be run on all 10.3.9 and 10.4.5 systems, including OS X Server.
I installed the update, turned on “Open safe files” in Safari preferences and downloaded the above demo once more..
I got a warning this time: “The safety of this file cannot be determined. Are you sure you want to download ìHeise.jpgî?” Clicked on Download button, file downloaded and the zip file decompressed leaving a file called Heise.jpg. Double clicking on this file causes Terminal to launch and the contents of my home folder to be displayed.

So – the good news is that the shell script did not launch even with Open safe files selected. I also got a warning (that most users will ignore).
The bad news is that a file that looks like a JPEG picture launchs a shell script when opened -In my opinion this is still a viable attack vector for delivering a destructive payload.

If you turn off “Open safe files” and manually unzip the file using terminal you see this:
adam% unzip Heise.jpg.zip
Archive: Heise.jpg.zip
inflating: Heise.jpg
creating: __MACOSX/
inflating: __MACOSX/._Heise.jpg

The Hiese.jpg file is a shell script and the ._Heise.jpg file in the newly created __MACOSX folder is a binary metadata file (aka Resource fork) that tells OS X to use Terminal to open the Heise.jpg file. Because of the .jpg extension however, the finder displays this file as a picture that will be opened by Quicktime.

This is the crux of the problem – the attacker gets to choose what application opens the file while the user thinks that it will be opened by another application based on the icon displayed.

Email attack vector.
If the disguised script is sent as an attachment encoded in the AppleDouble format then double clicking on the file in Apple Mail will launch the shell script. Most (all) OS X email clients send attachments in this format and it handily allows for resource forks to be sent with files. Apple Mail automatically analyses these resource forks and will honour them. Again the icon displayed is based on the .jpg extension but Apple Mail will open the file in terminal because the resource fork metadata tells it to.
NOTE that after installing the Apple 2006-001 Security patch Apple Mail now displays a warning dialogue when you try to open the file saying that it contains an application and is may not be trusted – this is a step forward.

Summation.
To be sure of what you’re running when you open a file – copy any attachments to a folder and then unzip them in the Terminal to see what you are unzipping.
Check what application will launch when you open a file by clicking once on the file and getting info (Get Info under the file menu) if it says “Open With: Terminal” – don’t open it.
You can also drag the file onto TextWrangler, TextEdit etc to see if the file you’ve downloaded is a shell script or not.

Code for the Apple Mac OS X / Safari “__MACOSX” ZIP Archive Remote Code Execution Exploit is [here](http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php)

More info on todays Apple security patch [here](http://docs.info.apple.com/article.html?artnum=303382) and [here](http://www.frsirt.com/english/advisories/2006/0791)

Secondly, the Inqtana Bluetooth Worm.
Synopsis
Fixed with a few of last years Apple security updates.

OSX/Inqtana-A is a worm for Mac OS X that spreads by copying itself to other computers via a bluetooth connection. The worm copies 3 files; w0rm-support.tgz, com.openbundle.plist and com.pwned.plist
When the worm is run it will create folders named Users/de and Users/javax containing a number of JAVA library files

Summation
RUN Software Update you goose!

I have finally found a solution to the recently discovered vulnerability with Mac OS X.
Just to remind you – the vulnerability is that a virus, masquerading as a normal document, can execute commands (run shell scripts) using your terminal application.
The solution consists of a shell script called A Bit More Secure Terminal (abmst) that you can download [here](http://www.ugsoft.de/intl/abmst/demo/addr-mac.html)

1. Download and install abmst.
2. Launch your Terminal utility and open “Preferences…” under the Terminal menu.
3. Select the radio button next to “Execute this command (specify complete path):”
4. Enter exactly the following underneath this line (the space is important):
/usr/local/bin/abmst-en /usr/bin/login

Now whenever something tries to run a shell script in your terminal abmst will ask you if you really want to run the command and give you the option not to. I have tested this and it works well.

Randy B. Singer is the author of The MacAttorney Newsletter. The
MacAttorney Newsletter is a FREE electronic newsletter sent out via
e-mail for attorneys, law students, and legal professionals to keep them
informed about the latest Macintosh news, events, products for law office
use, and special promotions for attorneys.

At this writing there are well over 5,500 law firms subscribed to The
MacAttorney Newsletter!

To subscribe, send e-mail to: randy@macattorney.com
With the word: “Subscribe”
in the SUBJECT line of the message.

There is a huge Web site with a list of software for attorneys who use
the Macintosh computer at:

The Law Office Software List for the Macintosh Computer
[http://www.macattorney.com](http://www.macattorney.com)

Hi All,

Yesterday another proof-of-concept piece of malware was announced:
[http://secunia.com/mac_os_x_command_execution_vulnerability_test/](http://secunia.com/mac_os_x_command_execution_vulnerability_test/)

REMEMBER THIS IS A PROOF OF CONCEPT – IT IS NOT YET MALEVOLENT.
However it does show a working attack vector that may exploited by spotty 14 year old uber-geek-lords.

Sooo with the latest outbreak of these two little applications that prove you can compromise Mac OS X – what should you do to stay safe, alert and only marginally alarmed?

FIRST: In Safari, select “Preferences…” under the “Safari” menu. In the window that then appears select the “General” icon at the top left and make sure that the checkbox next to “Open “safe” files after downloading” is NOT checked.

SECOND: Don’t download files from untrustworthy sources, such as peer to peer filesharing networks like LimeWire, or sources such as Hotline. (Yeah right – whatever.)

THIRD: If you attempt to open a downloaded file, and you are asked for your administrator password, DON’T GIVE IT! Files (i.e. documents, graphics, spreadsheets, MP3’s, etc.) don’t ask for passwords. However, malicious applications masquerading as files do ask for passwords.

FOURTH: Your client files and work product are irreplaceable data. You cannot afford to lose them. You should back up all of your data to keep it safe. Everyday, or more often.

FIFTH: Buy Intego Internet Security Barrier X from Coretech. The product that we use and most recommend. It looks for and handles all known Mac malware. It works seamlessly and causes no performance slowdowns or software incompatibilities. It includes automatic updating, so that you are protected as soon as possible when a new threat arises, and it has a pretty cool interface too.

SIXTH: For a more complete sense of security and well-being, do not use the owner account of your machine. Rather, create a new account that has administrator rights and then take the administrator rights off your existing account.

Here’s How (Tiger only):
NOTE That Coretech accepts no responsibility whatsoever for any problems or data loss that may result from anyone following these guidelines – if you’re at all concerned please call us on 02 9016 4475 and book a service call.
You have been warned.

1. From the Apple menu, choose System Preferences.
2. Click the Accounts icon.
3. Click the New User button, and follow the prompts to create a new user. I have called this new user Admin User with a short name of adminuser.
(Under 10.4 the add user button is a small + symbol underneath the list of users. You may have to “Click the lock to make changes.”)
4. Select the user you just created from the accounts list on the left of the window.
5. Select the “Allow user to administer this computer” checkbox.
6. Now select your original user and de-select the “Allow user to administer this computer” checkbox.
7. Quit System Preferences and log out (under the Apple menu).
8. Log in as your usual account.

Now all your documents and applications will still be available as per normal.
Note that when you want to install anything you will be prompted for an administrator name and password – use the new account name and password you’ve just created.

Many Thanks to Randy B. Singer of the MacAttorney’s Email list for his kind permission to use some of his most excellent newsletter.

We’ve updated quite a machines with 10.4.5 with no problems.

You have been cleared for take off.

Some sites (macfixit) are reporting problems after running the 10.4.4 to 10.4.5 updater. They recommend using the combined updater instead.

Other sites and mailing lists are reporting a smooth and pain-free upgrade.

Our advice, as always is to never be the first nor last person to try a new medication. Please standy for further input…..

A new malware programme that attacks Mac OS X has appeared. Called (by some) Ooompa-Loompa (aka OSX/Oomp-A) it doesn’t appear to be too dangerous and requires user input to be installed. It appears in the form of a file called “latestpics.tgz” purporting to be images of the new OS X 10.5. It’s icon makes it look like a jpeg file. It’s sole purpose appears to be to self-propogate via iChat but there may be other undiscovered payloads.

In short – do not open any file called “latestpics.tgz”.

In length see:
[http://www.ambrosiasw.com/forums/index.php?showtopic=102379](http://www.ambrosiasw.com/forums/index.php?showtopic=102379)
and
[http://www.macrumors.com/pages/2006/02/20060216005401.shtml](http://www.macrumors.com/pages/2006/02/20060216005401.shtml)

from the first link above::
You cannot be infected by this unless you do all of the following:

1) Are somehow sent (via email, iChat, etc.) or download the “latestpics.tgz” file
2) Double-click on the file to decompress it
3) Double-click on the resulting file to “open” it
…and then for most users, you must also enter your Admin password.

You cannot simply “catch” the virus. Even if someone does send you the “latestpics.tgz” file, you cannot be infected unless you decompress the file and then open it.