I agree, there really is no good mitigation strategy for this one
right now; disabling the checkbox in Safari just buys you time until
you mount the DMG manually. Apple needs to provide a long-term fix
for this.

If there was a sufficiently enterprising individual or group out
there I'm sure that there's got to be a way to intercept Finder when
someone double-clicks on a file and validate the file before handing
it off to the automounter. Unfortunately, my OS X systems
programming skills aren't really up to snuff at this point so all I
can do is wax profound on how useful that would be...

-Marty

On Nov 22, 2006, at 11:04 AM, Roland Dobbins wrote:
>
> On Nov 22, 2006, at 7:25 AM, mfossi (at) securityfocus (dot) com wrote:
>
>> In that sort of case a novice user might be less likely to realize
>> that something bad just happened and chalk the reboot up to a
>> random occurrence.
>
> Right, I understand what you mean - I just disagree.
>
> ;>
>
> I believe that emphasis on the Safari automount has clouded the
> public discussion of this problem so far. I believe that the
> Safari automount issue is completely beside the point and that
> conflating it with this .dmg problem isn't helpful in terms of
> discussing the real problem nor communicating the real problem to
> end-users. All the press I've seen about this leaps on the Safari
> browser issue, and gives the mistaken impression that if one
> disables the Safari 'mount safe images' feature, everything's
> dandy, when we all know it isn't.
>
> Disabling Safari's automount feature does not even marginally
> improve the security of any Mac user. Instead, doing what one can
> to verify the provenance and evaluating the risks associated with
> mounting any given .dmg (admittedly, there's little that folks can
> do in this regard, but it actually has more real security value
> than disabling Safari automount) are the best defenses we have
> until Apple can fix this problem.
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins (at) cisco (dot) com> // 408.527.6376 voice
>
> All battles are perpetual.
>
> -- Milton Friedman
>
>
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org