New Mac OS X Exploit?
The UK's IT Week reports on a possible new Mac OS X exploit. A proof of concept appears on the Info-pull.com website, claiming that Mac OS X fails to properly handle corrupted UDTO HFS+ image structures, leaving it open to denial of service attacks. If true, this same issue may affect FreeBSD installations. The article suggests disabling "open 'safe files' after downloading", which, realistically speaking, you probably did a long time ago if you've been worried about possible OS X attacks.

Reader Comments (Page 1 of 1)
11-21-2006 @ 11:32PM
Matt said...
or switch to a BonEcho build for your processor - fast, reliable, free, open-source, extensible, and compatible :D
11-21-2006 @ 11:41PM
Garbanzo said...
I dugg down to the actual website reporting the bug, and they make it sound a lot less sinister than the article IT Week seems to think it is.
From the website that reported the exploit:
Mac OS X fails to properly handle corrupted UDTO HFS+ image structures (ex. bad sectors), leading to an exploitable denial of service condition. Although it hasn't been checked further, memory corruption is present under certain conditions (in this particular case, unlikely to allow arbitrary code execution).
11-22-2006 @ 12:26AM
James said...
This is why I have ClamXav Sentry always watching my Desktop (where I download files), my Applications folder, my Home folder, and my mailbox. It's only ever gone off three times; first time was using that test file you can get; second was testing a real virus from Limewire; third was an oversized ZIP in the CoD2 demo (which was a false alarm of course).
11-22-2006 @ 3:24AM
Daniel said...
Matt,
"and compatible :D", yup it's great using a browser which doesn't hook into any of OS X's features, like keychain.
Garbanzo,
You can still corrupt blocks of memory using this and any security researcher knows that once this happens, you have a clear understanding that Apple have ZERO understanding of secure coding or creating robust applications which can handle malicious activity.
11-22-2006 @ 4:09AM
Nick Mediati said...
James,
Someone correct me if I'm wrong, but I don't know if antivirus would be able to protect against such an exploit. It seems that any attempt to uncompress the disk image to read it would result in a kernel panic.
11-22-2006 @ 1:06PM
Keith said...
Daniel,
I don't follow your logic. How does "corrupting blocks of memory" lead you to the conclusion that "Apple have ZERO understanding of secure coding"?
Of course any reasonable person would conclude that somewhere within Apple someone must have some understanding of secure coding, so really your statement was just meant to be inflammatory.
I, for one, think Apple has shown a pretty good understanding of secure computing practices.
11-22-2006 @ 1:09PM
Keith said...
Just a small sample:
http://developer.apple.com/documentation/Security/Conceptual/SecureCodingGuide/index.html
11-22-2006 @ 2:49PM
James said...
Nick Mediati,
Arbitrary code within the disk image is executed when it's opened. That's the flaw here. Right now I'm downloading the proof of concept and the newest version of ClamXav to see if the code can be picked up.
...
And it can't, it seems it can't scan compressed images but once opened it can, which kind of defeats the purpose here. But who cares, is the developer of ffmpegX suddenly gonna put malicious code in his DMGs? No way.