[OT] [Ti] Intel Mac Mini? now Security

Tarik Bilgin tarik at opalblue.com
Sun Feb 26 06:16:40 PST 2006


Bob Jacobsen wrote:

> At 2:00 PM -0600 2/25/06, Chris Olson wrote:
>
>> On Feb 25, 2006, at 1:43 PM, Thomas Fulton wrote:
>
>>
>>> What are you talking about??  "JPEG images that can automatically 
>>> execute shell code on OS X and wipe out entire user accounts"
>>
>>
>> Anybody who wants a demonstration, please email me off-list.  I'll 
>> send you a link to download a JPEG image file, that when you try to 
>> view it will completely wipe out every one of your user files.
>
>>
>> WARNING:  This is NOT a joke, nor proof-of-concept like the various 
>> exploits shown on the web for Mac OS X.  This is the real McCoy.  
>> Make certain you have your userspace backed up, and are absolutely 
>> certain you are able to restore your files before trying my demo.
>
>
> Or, if you were actually interested in helping people understand 
> whether this was true or not, you could point to some external 
> evidence from a reliable source.  Is there a CERT advisory? Public report?
>
> Bob


Right OK.

The vulnerability Chris is referring to is probably related to this one:

http://www.securityfocus.com/brief/145

and the German researcher who wrote some proof of concept code to 
execute a shell script when you download a "safe" file into Safari has a 
link that you can use to test it (this is safe and won't wipe your 
files) here:

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html

(First link on that page).

--

Chris I grant you that OS X is now seeing the kind of "battle hardening" 
that Windows has seen over the last 10 years. But for me at least, the 
discovery of some trojans and worms possible in OS X does not mean the 
sky is falling, but that yes sadly there are bugs in OS X.

When I do a default install of OS X, I am running as a user with the 
potential to have administrator level privileges but my password is 
validated before making any major change like installing software.

Windows is not like that at all out of the default install. A default 
install of XP will give you an administrator level account with full 
privileges without validating them again before an important step. The 
documentation for XP recommends that if you want to be more secure you 
should set up a restricted account for working with day to day, but 
sadly there is so much 3rd party software out there which demands 
Administrator privilege to run. Yes it can be locked down, but we know 
that takes effort, and I have (at least in the UK) seen the state of the 
IT systems in two primary schools. They are definitely not locked down 
systems.

--
Tarik

