Freely subscribe to our NEWSLETTER

Exploit: OSX.Exploit.MetaData.B

Discovered: November 20, 2007

Risk: Low

Description: Mac OS X 10.5, Leopard, provides a “quarantine” system that alerts users

when they attempt to open applications that arrived via Mail, Safari or iChat, or that came in disk images via these programs. It also alerts users the first time they launch any other application they have installed or manually added to their Applications folder.

This system should inform users of all cases when such executable files are being opened, but a bug in the quarantine system, discovered by Heise Security on November 20, 2007, can allow users to launch attachments, which may be malicious, from Mail.

The principle behind this system is Leopard’s LaunchServices database, which records all applications or executable files that are added to a user’s Mac. However, when some executable attachments arrive by e-mail, this protection does not operate correctly. The current proof-of-concept example is a shell script in a file with a .jpg extension. The file also contains such information as a resource fork, telling which application should open it (in this case, Terminal). The file also has appropriate executable permissions. Within Mail, this file shows as an attachment with a JPEG icon showing that Preview will open it. But attempting to view the file with Quick Look shows that it is not an image file:

A user receiving this file might be tempted to click it to see what it contains. While this proof of concept merely displays some text in a Terminal window, it would be simple to create a similar file with a single command that, when executed in Terminal, would delete all of the user’s files.

When a user clicks on an attachment to an e-mail message in Mail, the program stores a copy of the attachment in the user’s Library/Mail Downloads folder. This folder allows the Finder to then open the attachment. When malicious attachments arrive in Mail containing a script and a resource fork (its usro resource tells the Finder to open the file with a specific application), a user can open these attachments once without Mac OS X displaying the quarantine alert. When a user opens the attachment at a later time, this alert displays, saying that the attachment may be an application, and informing the user that it will be opened by Terminal. The bug causing this has to do with the way Leopard manages quarantines. The first time a user opens an attachment, Mail opens the file directly without passing through the quarantine system. Subsequent openings of the same attachment cause Mail to no longer open the attachment directly, but rather open the file it has saved in the Mail Downloads folder. If a user receives a second message with the same attachment, the situation is worse: they will receive no alert at all. Since the attachment has been saved to the Mail Downloads folder, but from a different message, Mail does not attempt to open the original attachment, but makes a copy of it (named: -1, -2, etc.), and opens this attachment with no warning. Until this bug is corrected in Mac OS X 10.5, Mac users are at risk of receiving maliciously crafted files, pretending to be image files, which could delete all of a user’s files, or may contain Trojan horses. It is important that users do not open attachments from unknown senders, especially those that come with spam messages. Intego VirusBarrier X4 with its virus definitions dated November 21, 2007 protects against this problem. Since this bug allows maliciously crafted files to execute with a single click from Mail, users are advised to check for new virus definitions regularly, with NetUpdate, to make sure that they are protected against any new exploits that may arrive.