Mac OS X Command Execution Vulnerability Test

elektro80

http://secunia.com/mac_os_x_command_execution_vulnerability_test/

If you have run all the security updates, Safari will tell you that the file secunia.mov.zip is a program.

If you are like any other computer user out there, this message will make a lot of sense and sure.. "a movie file that is a program.. YES.. I really need to run that program RIGHT NOW!!!"

Laughing

I reckon there is only a handful of seasoned computer users ( read: old farts ) who thinks like:

a movie file= an executible = a really bad idea= ma, we have a trojan!

brinxmat · Joined: Oct 24, 2005 Posts: 262 Location: Norway

I post this one because I am nice. Please user-test this one thoroughly. It's a PDF, honest guv.

ProofOfConcept.tar.gz

Description:

This is a PDF, not a program, honest.

Download (listen)

Filename:

ProofOfConcept.tar.gz

Filesize:

20.11 KB

Downloaded:

557 Time(s)

elektro80 · Posted: Wed Mar 08, 2006 5:09 am Post subject:

yeah yeah.. PDF.. sure.. nice app though

brinxmat · Joined: Oct 24, 2005 Posts: 262 Location: Norway

It worked? *shock*

elektro80 · Posted: Wed Mar 08, 2006 5:45 am Post subject:

Well, not quite. But you aren´t running Tiger now are you? Another matter is that I have various stuff hammering away on all downloads so this one made my mac jump with alerts. I did however run your PDF app on my honeypot box. Nice message!

mosc

elektro80 · Posted: Wed Mar 08, 2006 2:02 pm Post subject:

I am using various versions of Firefox. Right now I have 1.0.6 active. Default behaviour for this version is returning proofofconcepttar_133.gz

as text.

brinxmat · Joined: Oct 24, 2005 Posts: 262 Location: Norway

Woo! hot download! I reckon you should try bzipping it too, because a stacked bzip-gzip-tar might obliviate the contents. I am sure someone will find a way of fooling this enitrely 'doze way of building city walls. Apple need slapping and telling to sort themselves out. I mean, honestly!

elektro80 · Posted: Wed Mar 08, 2006 2:39 pm Post subject:

What we are talking about here is like dad leaving the gun cabinet unlocked and all the famly has free access to his excellent collection of 50 caliber rifles. And dad has all his candy coloured M-67 hand grenades in there too.

What Apple did was simply adopting the old nice smooth Microsoft way of accessing resources on the internet. This has been corrected some, but the way I see this there is still things to be improved. Seasoned computer users won´t have much of a problem with the current model, but personally I think the whole model for how to handle "foreign" files should be changed a bit. Basically we are really lacking a sensible security model for any platform out there for handling this issue.

mosc · Posted: Wed Mar 08, 2006 8:15 pm Post subject:

I agree with that. The reason I asked about Firefox is that the security should be application independent. In fact, the entire OS should be application indepent to whatever degree that is possible.

I would guess Microsoft would build in a virus/security checker into windows these days but since there are companies selling these tools they might get sued. Maybe Apple isn't in that situation, but there are commercial anti-virus tools for OSX, so maybe they are. Juli's school district which gives Macs to every teacher has a lisence for Symantic for OSX.

I don't like allowing gz, rar, or zip files as attachments on this site because of possible secruity problems, but banning these files would be more trouble than the security problems that might be there.

Still, a lot of kids get killed every year from guns in Daddy's closet. Mad

Kassen · Posted: Wed Mar 08, 2006 9:16 pm Post subject:

elektro80 · Posted: Thu Mar 09, 2006 5:20 am Post subject: