I also found the initial classification as a remote exploit as
somewhat surprising, though could accept it only due to Safari's default
behaviour (people don't get to claim arbitrary remote code execution
against OS X often, so I'll give them this one). As explained below
(extract from one of our paid mailing lists) and on the MOKB site,
the actual mechanism is not understood (unlike the denial of service
due to corrupted UDTO HFS+ images that has just been described).
1.1 OS X - Remote Hacker Manual Control
-- Products Affected --
OS X
-- Technical Description --
Memory corruption in OS X when mounting malicious DMG disk images.
Although the exact mechanism has not been described (due to a lack of
adequate API details), it is reproducible and may be used to execute
arbitrary code when the malicious image is mounted.
-- Description --
An issue with the way that OS X handles corrupted disk images has
been published, along with a sample of a corrupted disk image that
could lead to an attacker running software of their choice on a
victim's system provided that the victim can be convinced to mount
the image (normally achieved by double-clicking).
-- Recommended Action --
Concerned users should apply caution to .dmg files downloaded from
untrusted sources, and disable the 'Open safe files after downloading'
option in Safari (Safari --> Preferences --> General).
-- Source --
http://projects.info-pull.com/mokb/MOKB-20-11-2006.html
-- Updates Available --
None Available
-- External Tracking Data --
Not Yet Identified
-- Threat Matrix --
            U   O
Home User   9   9   (Critical)
Corporate   9   9   (Critical)
Sincerely,
Carl Jongsma
info (at) beskerming (dot) com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: 0410 707 444 / 08 8283 1154
Sûnnet Beskerming Pty. Ltd.
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and
commercialise advanced Information Security research. Sûnnet
Beskerming Pty. Ltd. is an Information Security specialist and, in
conjunction with the tools developed in house, provides total
security solutions and services, from the perimeter to internal data
stores, including web application security and security testing and
analysis.