Print this article  |  E-mail this article  |  Comment on this article

Zero-Day Mac OS X Exploit Disclosed

By Ed Oswald, BetaNews

November 21, 2006, 6:39 PM

A researcher has posted proof-of-concept code for a zero-day flaw within Mac OS X dealing with its handling of disk image (.dmg) files. The issue causes a memory corruption vulnerability that could allow attackers to execute arbitrary code.

The disclosure of the bug comes as part of a larger effort by an anonymous security researcher that posts to his blog using the initials "LMH." He plans to release one kernel bug every day during the month of November.

Security firm Secunia rates the vulnerability as "highly critical," its second highest rating. Currently there is no known patch for the issue, although Apple has traditionally been very quick to address serious issues in its software.

So far, however, the Cupertino company has remained mum on the disclosure.

"This issue is remotely exploitable as Safari loads DMG files from external sources (ex. visiting an URL)," LMH wrote in a detailed description of the issue. "This can be prevented by changing the Preferences and deactivating the functionality for 'opening "safe" files after downloading'."

As a workaround, Secunia recommends Mac OS users deactivate the "open safe files after downloading" option in Safari users and grant only trusted users access to vulnerable systems.

Traditionally, Mac OS has been considered one of the safest operating systems available. However, the increased popularity is leading malware writers to increasingly looking for vulnerabilities within the platform.

Add a Comment (62 Comments)

BetaNews reserves the right to remove any comment at any time for any reason. Please keep your responses appropriate and on topic. Foul language and personal attacks will not be tolerated.

Name (required):

E-mail (required):

Enter Your Comment:

By NeoTrunks

posted Nov 23, 2006 - 4:59 PM

The day that I get called in to a client to clean out a Mac full of viruses is the day that I will believe a lot of these trolls here.

Score: 0

By dhjdhj

posted Nov 22, 2006 - 10:55 AM

If you're going to quibble with fanatics who claim ZERO vulnerability, then of course you can have a flame war but that's a waste of time.

For the most part, Mac OS X is more secure than Windows for the same reasons that Linux is more secure than Windows. CLearly, OS X is not perfect - but I think it's a significant improvement - and that's what counts in practice.

Score: 0

By Metshrine

edited Nov 22, 2006 - 1:38 PM

Lack of usage does not equate to better security, just lack of attempts to exploit.

Score: 0

By Tenoq

posted Nov 22, 2006 - 9:52 PM

And nor does lower usage equate to numerous undiscovered exploits.

By design, OSX is more secure than XP. Thus all the 'catchup' changes made in Vista.

Score: 0

By dhjdhj

posted Nov 22, 2006 - 2:11 PM

Half the internet (probably more by now) is run by Unix boxes (Linux, FreeBSD, others) - plenty of opportunity to attempt to exploit - but those systems remain pretty solid.

Score: 0

By Metshrine

posted Nov 22, 2006 - 2:15 PM

Yes, thats why on a standard ubuntu install, or suse, or what have you, I get at least 20 updates per day (not to mention the 300+ you have to download on a base install)

Score: 0

By PC_Tool

posted Nov 22, 2006 - 2:52 PM

Only 300? I could have sworn the last 6.06 install I did of Ubuntu had quite a bit more than that...

Of course, that's not just the kernel, but nearly *every* app they install by default as well.

Most of the linux updates are program updates, not kernel (OS Security) updates. :)

Score: 0

By PC_Tool

posted Nov 22, 2006 - 1:50 PM

lack of attempts to exploit = better security.

:)

Glad I could help ya with that.

Score: 0

By Metshrine

posted Nov 22, 2006 - 2:14 PM

But, is the product really more secure? I mean, would it fair up the same if it were in the majority?

Score: 0

By PC_Tool

posted Nov 22, 2006 - 2:50 PM

No, and it's not that I don't understand the point you are trying to make, but, as far as the average Joe is concerned:

Less viruses = more secure.

Score: 0

By GCoder

posted Nov 22, 2006 - 9:41 AM

GOODMORNING. NOBODY USES SAFARI!

Case closed, thanks for stopping by to flame though...

Score: 0

By wincement

posted Nov 25, 2006 - 1:38 PM

Ummm... actually, my company just ran stats on visitors last month. 1.2% of visitors to their website, which describes services available only to Windows users, used Safari.

I think that's pretty considerable for something that "nobody uses."

Score: 0

By NeoTrunks

posted Nov 23, 2006 - 4:48 PM

I use Safari...

Score: 0

By Heero

posted Nov 22, 2006 - 12:58 AM

Here we go again....

Score: 0

By Hollywood__

posted Nov 22, 2006 - 12:47 AM

OSX, the safest o/s that nobody uses.

Score: 0

By PC_Tool

edited Nov 22, 2006 - 9:36 AM

LOL.

What about Linux? No-one uses that either. :-P

Score: 0

By 33Nick

edited Nov 21, 2006 - 11:04 PM

It will be patched, whoever uses Safari and the Safe download feature shouldn't. It can be turned off. It was stupid to start with. Worse case scenario, you lose your files not the OS. Just use Firfox for now and be careful, regardless what OS you use.

Now let Windows users go back to their maddening race at patching, updating, repatching, installing, uninstalling, upgrading and on, and on, and on...

Score: 0

By rayz66

edited Nov 22, 2006 - 5:45 AM

Worse case scenario, you lose your files not the OS.

I'm always baffled when people say this. In what universe, is losing your family pictures, holiday videos, business accounts and God knows what else, considered to preferable to getting your OS hosed?

Now let Windows users go back to their maddening race at patching, updating, repatching, installing, uninstalling, upgrading and on, and on, and on...

An icon lights up on the toolbar, saying that there are patches are available. It asks if I would like to install them now; I say, 'yes'.

It's a no trouble no brainer ....

Score: 0

By crashoverride

posted Nov 22, 2006 - 5:15 PM

"I'm always baffled when people say this. In what universe, is losing your family pictures, holiday videos, business accounts and God knows what else, considered to preferable to getting your OS hosed?"

Three Bs
Backup, Backup, and guess what.....Backup. If anyone loses their files it's out of pure ignorance..Whether it be through bad security practices or being dumb enough not to back everything up.

Score: 0

By rayz66

posted Nov 23, 2006 - 12:42 AM

So it's a shame that Apple doesn't actually give you a backup program without gouging $99 a year, for the privilege isn't it?

Oh, and given the notorious unreliability of Apple's backup, I would add 'TR' to your list of Bs.

'Test Restore'.

A good idea for any backup program though.

Score: 0

By THZGryphon

posted Nov 22, 2006 - 12:28 AM

Patch downloads in background hands free, installs when I shut down....that is maddening?

Score: 0

By mjm01010101

posted Nov 21, 2006 - 11:23 PM

maddening? I'm on a Windows XP install that has an uptime of several weeks, and was installed the day after XP came out. Still chugging along...

Score: 0

By dhjdhj

posted Nov 22, 2006 - 8:56 AM

Several "weeks"?

Wow!

Score: 0

By PC_Tool

posted Nov 22, 2006 - 9:35 AM

Yeah, wow.

Apparently he's missed a few patch cycles.

Uptime for windows is meaningless. Windows (at least the desktop OSes) was never designed to have unlimited uptime.

Score: 0

By id242

posted Nov 22, 2006 - 10:51 AM

I believe the Win2K server at one of my locations is going on 140+ days or so (there was a power outage several months ago). This sort of uptime for the Microsoft server products is normal.

Score: 0

By PC_Tool

posted Nov 22, 2006 - 11:24 AM

Gee, you wonder if that might be why I specified desktop operating systems?

Ya think?

Maybe?

Score: 0

By Metshrine

posted Nov 22, 2006 - 1:39 PM

Is that why my home XP box has an uptime of 3 months WITH patches being installed monthly?

Score: 0

By Arakiel

posted Nov 22, 2006 - 4:38 PM

There have been at least 2 occasions over the last few months where patches have required a reboot. So either you are passing on the "you must reboot" nag screen every 10 minutes for the last few months OR your using autoupdate and you just didn't notice the reboot when it happened.

Score: 0

By PC_Tool

posted Nov 22, 2006 - 1:52 PM

Then you're missing updates, you failed to reboot after applying them, or at the very least, your performance is suffering.

XP was not designed for extended uptime.

Score: 0

By iNsuRRecTiON

posted Nov 22, 2006 - 4:37 PM

Hey,

XP maybe not, but Vista definitely will..
Further more, Vista is based on an much improved Windows 2003 Server SP1 Kernel..

best regards,

iNsuRRecTiON

Score: 0

By burfadel

posted Nov 26, 2006 - 3:12 AM

Vista is NOT based on the Windows Server 2003 SP1 Kernel. Its not based on any currently released operating system.

It is a complete new OS like Windows 2000 was. Windows 2000 was Windows 5.0, XP is 5.1 and Server 2003 is 5.2

What you're thinking of is Windows XP x64 edition. That is based on Server 2003 SP1 x64. Actually it is Server 2003 x64 edition with the security realigned to Windows XP, a few features added like system restore. It uses the exact same updates as Windows Server 2003. Now the SP1 edition of Server 2003 is the equivalent of XP SP2.

Windows Vista is version 6.0

Score: 0

By Arakiel

posted Nov 22, 2006 - 4:40 PM

Um...Metshrine said "XP" so XP is the topic, not Vista.

btw...your caps lock is busted.

Score: 0

By foxfyre

edited Nov 21, 2006 - 9:37 PM

Let’s see…

I agree with btn regarding his assessment of the auto-open feature...
And one wonders regarding the actual real world threat of the old auto-play trojan which could (evidently) also load a malevolent CD into the drive that it was supposed to play...a very talented trojan! Well, unless the trojan was responsible for autoplaying Helen Reddy's greatest hit! Everybody run!

But, here is the underlying contention that seems to be in play here:
OSX fans maintain that OSX is a more secure OS than Windows.
Let’s rephrase that…: ...that OSX is a substantially more secure OS than Windows.

But we can always continue to speculate about the speculation based upon an abstract speculation that does not exist in the real world. But then that sounds rather like a discussion of the concept called Window’s security, doesn’t it?

When you find a real world OSX breach that exists outside of some martini glass at a press party, then we can examine it. And we can marvel that a real breach has been accomplished.

Then, and only then, the score regarding security breaches will be OSX: 1; Windows: let’s be nice, shall we, and say >>1.

Relatively speaking, the relationship between the security assessment doesn’t change. But it is quaint how Windows fans seem to equate the potential for a breach to be equal to the myriad number of real world breaches that occur everyday in their OS of choice. But then, they did declare ‘new math’ a failure, didn’t they?

Score: 0

By Arakiel

posted Nov 22, 2006 - 4:46 PM

"But it is quaint how Windows fans seem to equate the potential for a breach to be equal to the myriad number of real world breaches that occur everyday in their OS of choice. But then, they did declare ‘new math’ a failure, didn’t they?"

You just couldn't resist could you? You actually had a well thought out argument, thoughtfully put forth for a change and then you go and RUIN it with your a****** superiority complex.

Oh and btw mister high and mighty, for someone so smart you'd think you would know better then to start a sentence with "But".

Score: 0

By foxfyre

edited Nov 24, 2006 - 8:41 AM

There were references to BOTH Mac and Windows fans. And both are valid.

Funny how so many Windows "nobodies" are worrying so much over an OS that "nobody uses"...
And then, when a butthead like yourself cannot rebut an issue and who offers no insight into the issue at hand, prefer instead to quible over gramatical suggestions that are not rules, and instead prefers to end his quaint pathological obsession with his head up his posterior.

Its quite entertaining to watch so many Windows HS kiddies worry about an OS that they say no one uses. It is fun to watch the Windows kids crowd like moths around a light at the possibility that someone just might develop the first real world virus for OSX - as if that would prove anything! Don't worry, I think we can confidently anticipate the malware writers focusing on Windows for some time to come! And to think such a minor OS can still be more secure that the mighty OS that still can't get a object-oriented operating system down that was implimented in the Pick OS over 30 years ago! ...And please, tell us about Cairo...or is that WinFS...or is that more appropriately called "dead"?
Or explain why if OSX is so insignificant why MS is the largest OSX developer...You might think that MS would have learned something by now, but I guess there is no one to buy to acquire new functional innovation, as MS seems impotent to develop such technology internally.

Score: 0

By Arakiel

posted Nov 27, 2006 - 9:46 AM

Thank you for proving my point yet again

Score: 0

By foxfyre

posted Nov 27, 2006 - 11:16 AM

Come your hair properly, and no one will notice the point.

Score: 0

By Arakiel

posted Nov 27, 2006 - 2:10 PM

Keep going, every comment you make just proves what an arrogant turd you are. Isn't it about time you tell me to graduate from high school or something? One of these days you'll actually discuss something without being a complete d*** and when that day dawns people might actually take you seriously.

Score: 0

By zhengx

posted Nov 21, 2006 - 8:46 PM

I am wandering who's LMH.

Score: 0

By btn

posted Nov 21, 2006 - 8:04 PM

The option to automatically open a "safe" download has always been a silly idea, IMHO. I always disable it on Macs that I configure. Apple seems to have forgotten about the auto-play Trojan that used to take advantage of Mac OS' mechansim to automatically begin playing a CD pre-Mac OS X. It didn't propagate because it's hard to reproduce when you crash the system. This new disk image vulnerability causes a kernel panic...

At the end of the day, I am more concerned about the 10 new Windows virus et. al. strains reported so far this week by Sophos.

Score: 0

By Mark Gillespie

edited Nov 21, 2006 - 7:52 PM

I wonder where all the people ranting about how secure MacOS is, and how crap Windows is..

Perhaps they are patching up their systems...

Score: 0

By alphatrigon

posted Nov 21, 2006 - 9:45 PM

They're probably made to work and be efficient with Windows PCs instead of making little juvenile claims as their flagship commercials mimic...hehe, did I make a juvenile stab? maybe, but it applies

Score: 0

By Tenoq

posted Nov 21, 2006 - 8:28 PM

They probably realise it's futile pointing out how many actual viruses are released each day for Windows.

Score: 0

By rayz66

posted Nov 22, 2006 - 5:33 AM

The number of viruses is not that relevant. It's a popular platform made by an unpopular company, so there are always going to be new viruses released.
What matters is how much damage these viruses actually cause.

Score: 0

By Tenoq

posted Nov 22, 2006 - 9:31 PM

True. Pretty hard for a virus to cause damage if it doesn't exist (ie, Mac viruses). :P

Score: 0

By rayz66

posted Nov 23, 2006 - 12:48 AM

But that doesn't mean the system is secure; it just means it doesn't have viruses; which I think is the point here.

Score: 0

By Desides

posted Nov 21, 2006 - 7:53 PM

I suppose they're getting work done.

Score: 0

By Mark Gillespie

posted Nov 21, 2006 - 8:28 PM

Unlikely, as they won't be able to find any software to run on the Mac, unless they boot Windows on it.. LOL...

Score: 0

By Desides

posted Nov 21, 2006 - 8:46 PM

Except they can and do.

What is it with you and playing favorites?

Score: 0

By alphatrigon

posted Nov 21, 2006 - 9:40 PM

mark is right...and if you're a Mac fan you should whole heartedly agree with him. Why? Mac commercial says so, lol

Score: 0

By Tenoq

posted Nov 21, 2006 - 10:29 PM

Right about what? The only apps that I'd want on a Mac that I can't get are games. Everything else has been ported or has a better alternative. The compatibility argument has been dead for years... even in the '90s it was wearing thin.

Score: 0

By rayz66

posted Nov 22, 2006 - 5:37 AM

Well, that's the problem I find with the Mac. Yes, they have alternatives that LOOK better, but they rarely match the level of functionality that I need.

The Mac doesn't have a personal finance package that comes anywhere close to MS Money (for me, that means it had to work in the UK and connect to my bank).

And I also like to play the occasional game.
And watch TV on my PC
And use it as a full-blown media centre.

Score: 0

By dhjdhj

posted Nov 22, 2006 - 10:53 AM

Quicken Mac 2007
--->The Mac doesn't have a personal finance package that comes anywhere close to MS Money (for me, that means it had to work in the UK and connect to my bank).

Me too, and I do!
--->And I also like to play the occasional game.

I use Slingbox with Mac - works great - although you can certainly get a TV tuner for the Mac if you want.
--->And watch TV on my PC

I've never figured out what a "media centre" actually is but you can probably do it - certainly the new toy (iTV?) supposedly coming from Apple early next year will help.
--->And use it as a full-blown media centre.

Score: 0

By rayz66

posted Nov 23, 2006 - 12:56 AM

Me too, and I do!

No, I don't think that you do ...

http://www.quicken.co.uk/

Quicken 2007 for the Mac is not available in the UK. In fact, neither is Quicken for Windows anymore. This leaves MoneyDance and iBank. Neither of which cuts the mustard, and also don't connect to the bank. CaChing looks good, but isn't really a full blown personal finance application.


I've never figured out what a "media centre" actually is but you can probably do it - certainly the new toy (iTV?) supposedly coming from Apple early next year will help.

Well, as far as I can tell, iTV will not let you record TV programmes; Apple would rather you buy them, assuming that the ones you want are available.

Score: 0

By Grazer

posted Nov 21, 2006 - 8:00 PM

Must take longer to do on Mac ;)

Score: 0

By Das mod

posted Nov 21, 2006 - 7:23 PM

wow ....... no comments ??

i guess the MAC OS fan boys are too busy changing their preferences to avoid this flaw instead of posting in this article .....

..............

Score: 0

By FubarJeb

posted Nov 21, 2006 - 7:50 PM

That’s funny...

IN MY OPINION, I believe ONE of the reasons why MAC OS has been so "safe" from worms and exploits like this is because the majority of people who look for these exploits could care less about MAC OS. There after the big kid on the block, which is Microsoft. Let’s face it more businesses prefer it over any other OS. They have the largest market share in Client OS's.

In server OS's I'm not 100% sure but I believe MAC OS Server is least used in most business today compare to it's competition, from Microsoft, UNIX, Sun, etc..

Who knows, if MAC OS becomes more popular, maybe someone will create more viruses and find more exploits for it.

Any Apple fans care to contribute?

Score: 0

By Tenoq

posted Nov 21, 2006 - 8:30 PM

Seems reasonable to me. If MacOS had 90% of the OS market, it would be the target for the majority of malware. Although I'm inclined to think the extent of the problem would be far less than it has been with XP.

Can only hope Vista plays catchup a little better this time. So far it looks like it's a more secure leap forward, particularly in the x64 version. Such a shame x64 is still not practical for many users. :(

Score: 0

By bugmenot

posted Nov 22, 2006 - 8:27 AM

see, this is the thing I don't get why MS wouldn't push for 64bits OS. I mean, everyone who purchased a machine within the last 12 month are most likely equip with a 64 bits cpu.

Score: 0

By rayz66

posted Nov 23, 2006 - 12:57 AM

Good point.

Compatibility reasons?

Score: 0

By mocha

posted Nov 21, 2006 - 11:10 PM

True... although I have been running Vista x64 for a while pretty successfully, I don't use a huge array of apps.

It's sad though that I have to use the 32-bit IE because there still isn't a 64-bit version of a Flash plugin. Get with it Adobe!

Score: 0

By shinji257

posted Nov 22, 2006 - 11:05 AM

I emailed Athena SmartCard Solutions earlier this week. They sent me the 32-bit drivers and apparently are working on the 64-bit ones. The thing is that in the 64-bit version of the OS drivers must be signed or else you have to press the F8 key to disable the check for that bootup. The 32-bit version of the OS can get that check disabled completely.

Score: 0

Nov 21 - 4:32 PM ET New Adobe Media Player ushers in AIR 1.5

Nov 21 - 2:11 PM ET AT&T to add Pantech's low-cost C630 phone to 3G lineup

Nov 21 - 1:11 PM ET iPhone gets firmware 2.2 update

Nov 21 - 11:51 AM ET The Dell surprise: Higher earnings on lower revenue

Nov 21 - 11:11 AM ET Verizon admits Obama's cell records were violated

Nov 21 - 11:06 AM ET A tale of two houses, or, 'It looks like you're baking a casserole...'

Nov 20 - 6:13 PM ET Microsoft says it 'has always preferred' DRM-free content

Nov 20 - 5:48 PM ET With the petaflop barrier broken, is it time to change the benchmark?

Nov 20 - 4:17 PM ET Actors' union threatens to strike over Internet TV

Nov 20 - 3:43 PM ET Mozilla prepares for bad times, and an audit