<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Matasano Chargen - Latest Comments in Is The New OS X DMG Threat Real?</title><link>http://matasanochargen.disqus.com/</link><description></description><atom:link href="https://matasanochargen.disqus.com/is_the_new_os_x_dmg_threat_real/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Tue, 28 Nov 2006 13:18:35 -0000</lastBuildDate><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321125</link><description>&lt;p&gt;In the spirit of fairness: I've also been kind of mean to Alastair on his blog:&lt;/p&gt;&lt;p&gt;&lt;a href="http://www.alastairs-place.net" rel="nofollow noopener" target="_blank" title="http://www.alastairs-place.net"&gt;http://www.alastairs-place.net&lt;/a&gt;.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Tue, 28 Nov 2006 13:18:35 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321122</link><description>&lt;p&gt;Mike: first, Ubuntu delegated root's ability to mount an ISO to normal users; that's an Ubuntuism, and perhaps (ok, certainly) a modern-Unix-ism, but it's not a part of the Unix security model. It's also something you can disable.&lt;/p&gt;&lt;p&gt;Second, ISO9660 isn't a complex filesystem or a metaformat. 
On the other hand, DMGs abstract disks, and contain filesystems such as HFS+.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 27 Nov 2006 13:01:43 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321121</link><description>&lt;p&gt;Caveat Blogger: I write device drivers for Macs and Linux for a living.&lt;/p&gt;&lt;p&gt;That said, I have to say I was one of those taken aback by this - it had never occurred to me and, yeah, it's nasty.&lt;/p&gt;&lt;p&gt;But to your comment that other OSes don't support mounting images, I note that I can browse an ISO image on my Ubuntu install; what are they doing differently?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mike Heinz</dc:creator><pubDate>Mon, 27 Nov 2006 11:12:34 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321120</link><description>&lt;p&gt;I'm just surprised that the press hasn't soiled themselves on this one yet. Anyways, nice summary of facts on the ground.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris_B</dc:creator><pubDate>Mon, 27 Nov 2006 00:19:48 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321119</link><description>&lt;p&gt;Minor comment, let's not forget: Remote filesystem vulnerability design was pioneered by Sun Microsystems in California. 
Had they patented them, today they would be able to crawl out of their bottomless pit.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ivan</dc:creator><pubDate>Thu, 23 Nov 2006 01:41:47 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321118</link><description>&lt;p&gt;Two responses:&lt;/p&gt;&lt;p&gt;As a mechanism for distributing software products, disk images are irredeemable.&lt;/p&gt;&lt;p&gt;and&lt;/p&gt;&lt;p&gt;If you can reconcile it with the Unix privilege model OS X depends on, I see the value in having ONE SIMPLIFIED filesystem available, unionfs/portalfs-style, to unprivileged users. But that's not what OS X did. They have a metaformat that exposes multiple filesystems that were never meant to be exposed to hostile environments.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 22 Nov 2006 21:02:38 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321117</link><description>&lt;p&gt;Ok, so while I believe that Tom's got the cork in a little tight in general when it comes to all things Gruber, I agree that this DMG issue is Not Good. It is true that a consequence of disk images is that you've got a much larger attack surface because you've got to worry about all of the filesystems that the format supports. Also, I laughed hard at the line: "For the time being, remote filesystem vulnerabilities are 'Designed by Apple in California.'" Heh.&lt;/p&gt;&lt;p&gt;But saying that disk images are a "terrible idea" is going too far. From a utility point of view, disk images are a TERRIFIC idea, especially encrypted disk images for storing secret company documents and the like. Disk images also underpin the FileVault home directory encryption feature. 
How is this not goodness?&lt;/p&gt;&lt;p&gt;Other points, from you, Dave G, Rich, Bryan and others are spot-on. Apple should clearly audit that code with a fine-toothed comb, and take steps to turn off the "safe" file option. The past five years should have taught us that no files obtained remotely should ever be considered "safe."&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andrew Jaquith</dc:creator><pubDate>Wed, 22 Nov 2006 20:38:10 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321116</link><description>&lt;p&gt;Part of the issue here is that the average user doesn't need to knowingly click on a DMG to have Safari start downloading one for you. Any website you go to could have an "&amp;lt;IFRAME src="boom.dmg"&amp;gt;" and Safari will by default download it and mount it, no questions asked.&lt;/p&gt;&lt;p&gt;Yes, if you have turned off Open "Safe" Files in Safari the risk of this impacting you without interaction is much smaller (if not completely removed).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Wed, 22 Nov 2006 16:38:12 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321115</link><description>&lt;p&gt;Nice writeup.&lt;/p&gt;&lt;p&gt;One thing that somewhat mitigates this vulnerability in my mind is that 99% of the time I'm downloading a .dmg it contains an executable (.app) that I'm about to run w/o dropping into IDA to test its non-evil nature etc.&lt;/p&gt;&lt;p&gt;So, by the time I double-click the dmg to mount it, I've already agreed to let you run whatever code you want w/o the headache of kernel shellcode. 
(You had me at hello?)&lt;/p&gt;&lt;p&gt;So, while this still is a valid and scary vulnerability, I'm probably not going to change my behavior over it. While it's bad, it just doesn't make things much worse.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bryan Burns</dc:creator><pubDate>Wed, 22 Nov 2006 15:48:55 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321114</link><description>&lt;p&gt;Don't worry Mogull, the punditCon sees and knows all. It is like Santa Claus, only without the breaking and entering (or the presents).&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dave G.</dc:creator><pubDate>Wed, 22 Nov 2006 14:52:06 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321113</link><description>&lt;p&gt;Any advice on something inane to say to get on the PunditCon? I hate to let Amrit beat me at anything.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rich Mogull</dc:creator><pubDate>Wed, 22 Nov 2006 14:28:37 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321112</link><description>&lt;p&gt;Thanks, Alex. FWIW, the PunditCon has been stuck at Lindstrom ever since I switched to MacIntel and Illustrator stopped working. =)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 22 Nov 2006 14:16:36 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321111</link><description>&lt;p&gt;Nice stuff on perceived risk vs. 
actual risk.&lt;/p&gt;&lt;p&gt;I have to get this off my chest: When are you going to fix the punditCon image?&lt;/p&gt;&lt;p&gt;The image is 175x296 pixels but that's not the size your HTML img tag specifies, and the slightly resized image looks crap in my browser and it hurts my eyes.&lt;/p&gt;&lt;p&gt;Always has.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alex Holst</dc:creator><pubDate>Wed, 22 Nov 2006 14:06:53 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321110</link><description>&lt;p&gt;Excellent narrative.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">LonerVamp</dc:creator><pubDate>Wed, 22 Nov 2006 13:46:13 -0000</pubDate></item><item><title>Re: Is The New OS X DMG Threat Real?</title><link>http://www.matasano.com/log/616/is-the-new-os-x-dmg-threat-real/#comment-2321109</link><description>&lt;p&gt;Great writeup. I think this might be the first vector in a while that makes a mass exploit on Macs more viable.&lt;/p&gt;&lt;p&gt;The one thing you missed was direct advice for Mac users worried about this, so I posted some at:&lt;/p&gt;&lt;p&gt;&lt;a href="http://securosis.com/2006/11/22/take-the-latest-os-x-disk-image-dmg-vulnerability-and-possible-exploit-seriously/" rel="nofollow noopener" target="_blank" title="http://securosis.com/2006/11/22/take-the-latest-os-x-disk-image-dmg-vulnerability-and-possible-exploit-seriously/"&gt;http://securosis.com/2006/1...&lt;/a&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Rich Mogull</dc:creator><pubDate>Wed, 22 Nov 2006 13:42:55 -0000</pubDate></item></channel></rss>