TUCoPS :: Macintosh :: ciacm013.txt

OS X Downloading Applications Vulnerability 


[CIAC] INFORMATION BULLETIN

M-013: Mac OS X Downloading Applications Vulnerability

[Microsoft Security Bulletin MS01-053]

November 1, 2001 22:00 GMT
  ------------------------------------------------------------------------
 PROBLEM:           A vulnerability results because of a flaw in the way
                    Mac OS X and Mac IE 5.1 interoperate when BinHex and
                    MacBinary file types are downloaded.
 PLATFORM:          Mac IE 5.1 for Mac OS X
 DAMAGE:            An application that is downloaded can execute
                    automatically once the download is complete.
 SOLUTION:          Apply available patch.
  ------------------------------------------------------------------------
 VULNERABILITY      The risk is LOW. A user would first have to choose to
 ASSESSMENT:        download a file and allow the download to fully
                    complete before the application could execute. Also,
                    users can choose to disable the automatic decoding of
                    both these file types.
  ------------------------------------------------------------------------

 LINKS:
   CIAC    http://www.ciac.org/ciac/bulletins/m-013.shtml
 BULLETIN:
   ORIGINALhttp://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/MS01-053.asp
 BULLETIN:
   PATCHES:http://www.apple.com/macosx/upgrade/softwareupdates.html
  ------------------------------------------------------------------------

[***** Start Microsoft Security Bulletin MS01-053 *****]

Downloaded Applications Can Execute on Mac IE 5.1 for OS X.

Originally posted: October 23, 2001

Summary

Who should read this bulletin: All users of Microsoft® Internet Explorer 5.1 for

Macintosh®

Impact of vulnerability: Run code of attacker's choice

Maximum risk rating: Moderate

Recommendation: Customers should use the Mac OS X v10.1 Software Update utility to

install the "Internet Explorer Security Update"

Affected Software:

Microsoft Internet Explorer 5.1 for the Macintosh

Technical details

Technical description:

The Macintosh OS X Operating System provides built-in support for both BinHex and

MacBinary file types. These file types allow for the efficient transfer of

information across networks by allowing information to be compressed by the sender

and then decompressed by the recipient. This capability is particularly useful on

the Internet, by allowing users to dowload compressed files.

A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1

interoperate when BinHex and MacBinary file types are downloaded. As a result, an

application that is downloaded in either of these formats can execute

automatically once the download is complete.

A user would first have to choose to download a file and allow the download to

fully complete before the application could execute. Also, users can choose to

disable the automatic decoding of both these file types.

Mitigating factors:

The user would have to choose to downoad the application before any attempt could

be made to exploit the vulnerablity. It cannot be exploited without user

interaction.

The application would have to successfully download before any attempt could be

made to exploit the vulnerability. The user can cancel the download at anytime

prior to completion.

The vulnerability could not be exploited if automatic decoding of BinHex and

MacBinary files has been disabled. This is not a default setting however.

Risk Rating:  Internet Systems Intranet Systems Client Systems

Mac OS X  None None Moderate

The above assessment is based on the types of systems affected by the

vulnerability, their typical deployment patterns, and the effect that exploiting

the vulnerability would have on them.

Vulnerability identifier: CAN-2001-0720

Tested Versions:

Microsoft tested Internet Explorer for the Macintosh version 5.1, version 5.1.2 to

assess whether they are affected by this vulnerability. Previous versions of

Internet Explorer for Mac OS X are no longer supported and may or may not be

affected by this vulnerability.

Frequently asked questions

What’s the scope of the vulnerability?

This vulnerability could allow an application to execute unexpectedly. If an

attacker enticed the victim to download a malicious program compressed as a BinHex

or MacBinary file type, the program could execute after the download completed.

For this attack to succeed, the user would have to initiate the download process.

This vulnerability cannot be used to automatically download and excute malicious

code on the users system.

What causes the vulnerability?

The vulnerability results because an issue with how IE and the Mac OS interoperate

when handling downloaded MacBinary and BinHex files.

What are BinHex and MacBinary files?

BinHex is a utility that encodes Macintosh files so that they can travel well on

networks. BinHex encodes a file from its 8-bit binary or bit-stream representation

into a 7-bit ASCII set of text characters. The recipient decodes it at the other

end.

MacBinary is a format for binary transfer of Macintosh documents over a

telecommunication link. It is intended for use between Macintoshes and in

uploading Macintosh documents to remote systems.

How could an attacker exploit this vulnerability?

An attacker would need to host an executable file on a web site, packaged as

either a BinHex or MacBinary file, and then entice another user to visit the site

and initiate a download. Once the download was complete, the executable file would

automatically execute.

What does the patch do?

This patch updates Internet Explorer 5.1 to version 5.1.3 (build 3905) and

prevents the Mac OS from automatically launching MacBinary and BinHex files.

Where can I download the patch or how do I update my OS?

Users must use the Software Update feature of Mac OS X v10.1 to install the

"Internet Explorer 5.1 Security Update."

More information on Software Update is available at:

http://www.apple.com/macosx/upgrade/softwareupdates.html.

Patch availability

Download locations for this patch

Microsoft IE 5.1 for Mac OSX:

Users must use the Software Update feature of Mac OS X v10.1 to install the

"Internet Explorer 5.1 Security Update."

More information on Software Update is available at:

http://www.apple.com/macosx/upgrade/softwareupdates.html.

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Mac OS X v10.1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm that the

version number of Internet Explorer is now 5.1.3.

This can be done by choosing "About Internet Explorer" from the "Explorer" menu

and confirming the version number is "5.1.3 (3905)"

Caveats:

None

Localization:

This patch can be installed on all versions of Internet Explorer 5.1 for Mac OS X

v10.1.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most

easily found by doing a keyword search for "security_patch".

Patches for consumer platforms are available from the WindowsUpdate web site

All patches available via WindowsUpdate also are available in a redistributable

form from the WindowsUpdate Corporate site.

Other information:

Support:

Microsoft Knowledge Base article Q311052 discusses this issue and will be

available approximately 24 hours after the release of this bulletin. Knowledge

Base articles can be found on the Microsoft Online Support web site.

Technical support is available from Microsoft Product Support Services. There is

no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional

information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"

without warranty of any kind. Microsoft disclaims all warranties, either express

or implied, including the warranties of merchantability and fitness for a

particular purpose. In no event shall Microsoft Corporation or its suppliers be

liable for any damages whatsoever including direct, indirect, incidental,

consequential, loss of business profits or special damages, even if Microsoft

Corporation or its suppliers have been advised of the possibility of such damages.

Some states do not allow the exclusion or limitation of liability for

consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (October 23, 2001): Bulletin Created.

[***** End Microsoft Security Bulletin MS01-053 *****]

  ------------------------------------------------------------------------
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
  ------------------------------------------------------------------------
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can
be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)

    FAX:            +1 925-423-8002

    STU-III:        +1 925-423-2604

    E-mail:          ciac@llnl.gov

    World Wide Web:  http://www.ciac.org/

                     http://ciac.llnl.gov

                     (same machine -- either one will work)

    Anonymous FTP:   ftp.ciac.org

                     ciac.llnl.gov

                     (same machine -- either one will work)

  ------------------------------------------------------------------------
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
  ------------------------------------------------------------------------
UCRL-MI-119788

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH