Re: Mac OS: Vulnerability with StuffIt

2002-11-04 Thread Ben Bucksch
Ben Bucksch wrote:


To my knowledge, they have been notified by the bug finders from the 
beginning. 

I forgot to mention the bug number:






Re: Mac OS: Vulnerability with StuffIt

2002-11-04 Thread Ben Bucksch
Chris LeBlanc wrote:


I would send something like this on to the people at StuffIt and Apple 
Quicktime team.

To my knowledge, they have been notified by the bug finders from the 
beginning.



Re: Mac OS: Vulnerability with StuffIt

2002-11-04 Thread Chris LeBlanc
Ben,

I would send something like this on to the people at StuffIt and Apple 
Quicktime team.  Maybe there could be a special type of mount, or a 
flag, that StuffIt uses that would alert Quicktime to not autostart any 
applications but ask the user first.

The problem for the Mozilla team with this is that this is not a Mozilla 
problem.  The only thing that the Mozilla team could do would be to 
force a prompt for StuffIt to open a disk image (basically, prompt 
before calling StuffIt).  The only problem here is that people could 
disable this also.  As I said, this should be an issue for either 
StuffIt or Quicktime or both.

Thanks,

Chris LeBlanc,




Mac OS: Vulnerability with StuffIt

2002-11-02 Thread Ben Bucksch
There is a severe vulnerability in the combination of browser (pretty 
much any browser), StuffIt and Quicktime on Macs.

Often, StuffIt is configured to automatically open files that it can 
handle on behalf of the browser. For example, if you click on a link 
with a sit file, StuffIt is being called and opens the file. This is a 
normal process to allow the user to use files placed on the web in 
uncommon formats.

One of the file types StuffIt handles is disk images. When asked to 
open them, StuffIt mounts them directly on the filesystem.

Quicktime has a feature to automatically start applications as soon as 
disks are inserted. That is probably intended for multimedia CDs and 
installers. However, it is also incredibly dangerous, if you insert an 
untrusted medium, because a started, malicious application can pretty 
much take over the system.

Now, if you take all these together, you get the following 
vulnerability: You visit a malicious webpage. The author offers a link 
to a disk image and tricks you into clicking it or the webpage even 
triggers the opening of the disk image itself, e.g. using JavaScript or 
refresh. The browser will tell StuffIt to open the disk image. StuffIt 
will mount it. Quicktime will start the malicious application that the 
author placed there. The author of the malicious webpage can now take 
over your system.

The problem is eased by the fact that Beonex Communicator by default 
asks before opening external helper applications like StuffIt, but many 
users probably disabled that or don't expect problems in this case.

There is not much that browsers could do against that. In my opinion, 
the main problem is with Quicktime running applications from potentially 
untrusted sources, and part of the problem with StuffIt not guarding 
against that.

Most of that behaviour is adjustable by the user, in any of the 
applications. Please do that. We recommend disabling the autostart 
feature in Quicktime.

Ben Bucksch