Matasano Chargen: Is The New OS X DMG Threat Real?

  • Rich Mogull · 3 years ago
    Great writeup. I think this might be the first vector in a while that makes a mass exploit on Macs more viable.

    The one thing you missed was direct advice for Mac users worried about this, so I posted some at:

    http://securosis.com/2006/11/22/take-the-latest...
  • LonerVamp · 3 years ago
    Excellent narrative.
  • Alex Holst · 3 years ago
    Nice stuff on perceived risk vs. actual risk.

    I have to get this off my chest: When are you going to fix the punditCon image?

    The image is 175x296 pixels but that's not the size your html img tag specifies, and the slightly resized image looks crap in my browser and it hurts my eyes.

    Always has.
  • Thomas Ptacek · 3 years ago
    Thanks, Alex. FWIW, the PunditCon has been stuck at Lindstrom ever since I switched to MacIntel and Illustrator stopped working. =)
  • Rich Mogull · 3 years ago
    Any advice on something inane to say to get on the PunditCon? I hate to let Amrit beat me at anything.
  • Dave G. · 3 years ago
    Don't worry Mogull, the punditCon sees and knows all. It is like Santa Claus, only without the breaking and entering (or the presents).
  • Bryan Burns · 3 years ago
    Nice writeup.

    One thing that somewhat mitigates this vulnerability in my mind is that 99% of the time I'm downloading a .dmg it contains an executable (.app) that I'm about to run w/o dropping into IDA to test its non-evil nature etc.

    So, by the time I double-click the dmg to mount it, I've already agreed to let you run whatever code you want w/o the headache of kernel shellcode. (You had me at hello?)

    So, while this still is a valid and scary vulnerability, I'm probably not going to change my behavior over it. While it's bad, it just doesn't make things much worse.
  • Dave G. · 3 years ago
    Part of the issue here is that the average user doesn't need to knowingly click on a DMG to have Safari start downloading one for you. Any website you go to could have an "<IFRAME src="boom.dmg">" and Safari will by default download it and mount it, no questions asked.

    Yes, if you have turned off Open "Safe" Files in Safari the risk of this impacting you without interaction is much smaller (if not completely removed).
  • Andrew Jaquith · 3 years ago
    Ok, so while I believe that Tom's got the cork in a little tight in general when it comes to all things Gruber, I agree that this DMG issue is Not Good. It is true that a consequence of disk images is that you've got a much larger attack surface because you've got to worry about all of the filesystems that the format supports. Also, I laughed hard at the line: "For the time being, remote filesystem vulnerabilities are 'Designed by Apple in California.'" Heh.

    But saying that disk images are a "terrible idea" is going too far. From a utility point of view, disk images are a TERRIFIC idea, especially encrypted disk images for storing secret company documents and the like. Disk images also underpin the FileVault home directory encryption feature. How is this not goodness?

    Other points, from you, Dave G, Rich, Bryan and others are spot-on. Apple should clearly audit that code with a fine-toothed comb, and take steps to turn off the "safe" file option. The past five years should have taught us that no files obtained remotely should ever be considered "safe."
  • Thomas Ptacek · 3 years ago
    Two responses:

    As a mechanism for distributing software products, disk images are irredeemable.

    and

    If you can reconcile it with the Unix privilege model OS X depends on, I see the value in having ONE SIMPLIFIED filesystem available, unionfs/portalfs-style, to unprivileged users. But that's not what OS X did. They have a metaformat that exposes multiple filesystems that were never meant to be exposed to hostile environments.
  • ivan · 3 years ago
    Minor comment, let's not forget: Remote filesystem vulnerability design was pioneered by Sun Microsystems in California. Had they patented them, today they would be able to crawl out of their bottomless pit.
  • Chris_B · 3 years ago
    I'm just surprised that the press hasn't soiled themselves on this one yet. Anyways, nice summary of facts on the ground.
  • Mike Heinz · 3 years ago
    Caveat Blogger: I write device drivers for Macs and Linux for a living.

    That said, I have to say I was one of those taken aback by this - it had never occurred to me and, yeah, it's nasty.

    But to your comment that other OS's don't support mounting images, I note that I can browse an ISO image on my ubuntu install; what are they doing differently?
  • Thomas Ptacek · 3 years ago
    Mike: first, Ubuntu delegated root's ability to mount an ISO to normal users; that's an Ubuntuism, and perhaps (ok, certainly) a modern-Unix-ism, but it's not a part of the Unix security model. It's also something you can disable.

    Second, ISO9660 isn't a complex filesystem or a metaformat. On the other hand, DMGs abstract disks, and contain filesystems such as HFS+.
  • alastair · 2 years ago
    Just to add to this, I also like Thomas's writeup. It's very balanced, and I happen to agree with most of it. I will just correct a couple of points though:

    I didn't actually say that this is all exaggerated. I said that Brian Krebs' remarks were exaggerated, the difference being that Krebs (a journalist) jumped from the presence of a panic.log file on his machine directly to the assumption that this was a dangerous exploit. Maybe it is, maybe it isn't, but a crash is not an exploit so you can't just jump from one to the other. (You might adopt a precautionary approach and assume that it could be exploited, but that's a different matter.)

    As for other systems, it is true that other systems sometimes let normal users mount filesystems. Windows certainly does, and Linux is often configured to (à la Ubuntu). It's somewhat less common for users of other systems to mount downloaded images, which does make this primarily (at present) a Mac problem.

    That was really my point. Windows and non-OS X Unix-like systems aren't totally immune from these types of problems, though the potential for vulnerability is somewhat lower.

    BTW, on the Windows Vista disk image topic, see:
    (It isn't quite the same as Apple's DMG files, because it isn't sector based; it's more like a file-based ramdrive image, from what I can tell, which arguably makes it easier to guarantee security.)
  • alastair · 2 years ago
    Ah, sorry. I meant to include a link, and wrote angle brackets so it's been removed; here it is again:

    http://www.microsoft.com/technet/windowsvista/e...
  • Thomas Ptacek · 2 years ago
    In the spirit of fairness: I've also been kind of mean to Alastair on his blog:

    http://www.alastairs-place.net.