             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Center
                          ___  __ __    _     ___
                         /       |   /_\   /
                         \___  __|__ /   \ \___
             __________________________________________________________

                             INFORMATION BULLETIN

               Mac OS X Downloading Applications Vulnerability
                   [Microsoft Security Bulletin MS01-053]

November 1, 2001 22:00 GMT                                        Number M-013
______________________________________________________________________________
PROBLEM:       A vulnerability results because of a flaw in the way Mac OS X
               and Mac IE 5.1 interoperate when BinHex and MacBinary file
               types are downloaded.

PLATFORM:      Mac IE 5.1 for Mac OS X

DAMAGE:        An application that is downloaded can execute automatically
               once the download is complete.

SOLUTION:      Apply available patch.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A user would first have to choose to download
ASSESSMENT:    a file and allow the download to fully complete before the
               application could execute. Also, users can choose to disable
               the automatic decoding of both these file types.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-013.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/bulletin/MS01-053.asp
 PATCHES:            http://www.apple.com/macosx/upgrade/softwareupdates.html
______________________________________________________________________________

[***** Start Microsoft Security Bulletin MS01-053 *****]

Downloaded Applications Can Execute on Mac IE 5.1 for OS X.
Originally posted: October 23, 2001

Summary

Who should read this bulletin:  All users of Microsoft® Internet Explorer 5.1
for Macintosh®

Impact of vulnerability:  Run code of attacker's choice

Maximum risk rating:  Moderate

Recommendation:  Customers should use the Mac OS X v10.1 Software Update
utility to install the "Internet Explorer Security Update"

Affected Software:

 - Microsoft Internet Explorer 5.1 for the Macintosh

Technical details

Technical description:

The Macintosh OS X Operating System provides built-in support for both
BinHex and MacBinary file types. These file types allow for the efficient
transfer of Macintosh files across networks by allowing a file to be encoded
(and, in the case of BinHex, compressed) by the sender and then decoded by
the recipient. This capability is particularly useful on the Internet, where
it allows users to download such files with an ordinary browser.

A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1
interoperate when BinHex and MacBinary file types are downloaded. As a
result, an application that is downloaded in either of these formats can
execute automatically once the download is complete.

A user would first have to choose to download a file and allow the download
to fully complete before the application could execute. Also, users can
choose to disable the automatic decoding of both these file types.

Mitigating factors:

 - The user would have to choose to download the application before any
   attempt could be made to exploit the vulnerability. It cannot be
   exploited without user interaction.
 - The application would have to successfully download before any attempt
   could be made to exploit the vulnerability. The user can cancel the
   download at any time prior to completion.
 - The vulnerability could not be exploited if automatic decoding of BinHex
   and MacBinary files has been disabled. This is not a default setting,
   however.
Risk Rating:

              Internet Systems    Intranet Systems    Client Systems
Mac OS X      None                None                Moderate

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2001-0720

Tested Versions:

Microsoft tested Internet Explorer for the Macintosh versions 5.1 and 5.1.2
to assess whether they are affected by this vulnerability. Previous versions
of Internet Explorer for Mac OS X are no longer supported and may or may not
be affected by this vulnerability.

Frequently asked questions

What’s the scope of the vulnerability?

This vulnerability could allow an application to execute unexpectedly. If an
attacker enticed the victim to download a malicious program packaged as a
BinHex or MacBinary file, the program could execute after the download
completed. For this attack to succeed, the user would have to initiate the
download process. This vulnerability cannot be used to automatically download
and execute malicious code on the user's system.

What causes the vulnerability?

The vulnerability results because of an issue with how IE and the Mac OS
interoperate when handling downloaded MacBinary and BinHex files.

What are BinHex and MacBinary files?

BinHex is a utility that encodes Macintosh files so that they can travel well
on networks. BinHex encodes a file from its 8-bit binary or bit-stream
representation into a 7-bit ASCII set of text characters. The recipient
decodes it at the other end. MacBinary is a format for binary transfer of
Macintosh documents over a telecommunication link. It is intended for use
between Macintoshes and in uploading Macintosh documents to remote systems.
Both wrappers carry the file's Finder type and creator codes along with its
data and resource forks, which is how the receiving system knows that the
decoded file is an application.

How could an attacker exploit this vulnerability?

An attacker would need to host an executable file on a web site, packaged as
either a BinHex or MacBinary file, and then entice another user to visit the
site and initiate a download.
Once the download was complete, the executable file would automatically
execute.

What does the patch do?

This patch updates Internet Explorer 5.1 to version 5.1.3 (build 3905) and
prevents the Mac OS from automatically launching MacBinary and BinHex files.

Where can I download the patch or how do I update my OS?

Users must use the Software Update feature of Mac OS X v10.1 to install the
"Internet Explorer 5.1 Security Update." More information on Software Update
is available at: http://www.apple.com/macosx/upgrade/softwareupdates.html.

Patch availability

Download locations for this patch

 - Microsoft IE 5.1 for Mac OSX:
   Users must use the Software Update feature of Mac OS X v10.1 to install
   the "Internet Explorer 5.1 Security Update." More information on Software
   Update is available at:
   http://www.apple.com/macosx/upgrade/softwareupdates.html.

Additional information about this patch

Installation platforms:

 - This patch can be installed on systems running Mac OS X v10.1.

Reboot needed: No

Superseded patches: None.

Verifying patch installation:

 - To verify that the patch has been installed on the machine, confirm that
   the version number of Internet Explorer is now 5.1.3. This can be done by
   choosing "About Internet Explorer" from the "Explorer" menu and confirming
   the version number is "5.1.3 (3905)".

Caveats: None

Localization:

 - This patch can be installed on all versions of Internet Explorer 5.1 for
   Mac OS X v10.1.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

 - Security patches are available from the Microsoft Download Center, and
   can be most easily found by doing a keyword search for "security_patch".
 - Patches for consumer platforms are available from the WindowsUpdate web
   site.
 - All patches available via WindowsUpdate also are available in a
   redistributable form from the WindowsUpdate Corporate site.
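The bulletin says what BinHex and MacBinary are, but not what a download
filter or an incident responder actually has to look at in such a file. The
following is an added example, written for this page; it is not code from
the CIAC or Microsoft bulletin and does not describe how Mac IE 5.1 handled
these files. It decodes only the header of a BinHex 4.0 or MacBinary file,
recovers the Finder type and creator codes, verifies the header CRC each
format carries, and flags the "APPL" type that marks a launchable
application, which is exactly the payload the unpatched IE 5.1 / Mac OS X
combination would start on its own. Field layouts follow the public
BinHex 4.0 and MacBinary II descriptions. The function names, the sample
files, the file names and the "Evil" creator code are all constructed for
the example.

```python
import struct

# Added example, not code from the CIAC or Microsoft bulletin. Field layouts follow the public
# BinHex 4.0 and MacBinary II descriptions; the sample files at the bottom are constructed.
BINHEX_ALPHABET = b"!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
BINHEX_BANNER = b"(This file must be converted with BinHex 4.0)"
APPLICATION_TYPE = b"APPL"  # Finder type code of a launchable application

def crc16_ccitt(data: bytes, crc: int = 0) -> int:
    """CRC-16, polynomial 0x1021, seed 0: the checksum both BinHex and MacBinary II carry."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (((crc << 1) ^ 0x1021) if crc & 0x8000 else crc << 1) & 0xFFFF
    return crc

def binhex_decode(text: bytes) -> bytes:
    """Reverse the 6-bit text encoding, then the 0x90 run-length scheme, of a BinHex body."""
    bits = nbits = 0
    raw = bytearray()
    for char in text.split(b":")[1]:  # the payload sits between the first and second ':'
        if char in b"\r\n\t ":
            continue  # line breaks every 64 characters carry no data
        value = BINHEX_ALPHABET.find(char)
        if value < 0:
            raise ValueError("character outside the BinHex alphabet")
        bits, nbits = (bits << 6) | value, nbits + 6
        if nbits >= 8:
            nbits -= 8
            raw.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x90 and i + 1 < len(raw):  # 0x90 0x00 is a literal 0x90; 0x90 n repeats the last byte n-1 times
            out.extend(b"\x90" if raw[i + 1] == 0 else out[-1:] * (raw[i + 1] - 1))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)

def binhex_encode(payload: bytes) -> bytes:
    """Escape 0x90 bytes and emit the 6-bit text form (runs are left uncompressed)."""
    bits, nbits, out = 0, 0, bytearray(b":")
    for byte in payload.replace(b"\x90", b"\x90\x00"):
        bits, nbits = (bits << 8) | byte, nbits + 8
        while nbits >= 6:
            nbits -= 6
            out.append(BINHEX_ALPHABET[(bits >> nbits) & 0x3F])
            bits &= (1 << nbits) - 1
    if nbits:
        out.append(BINHEX_ALPHABET[(bits << (6 - nbits)) & 0x3F])
    return BINHEX_BANNER + b"\r\n" + bytes(out) + b":"

def binhex_header(text: bytes) -> dict:
    """Decode a BinHex file and parse its header (name, type, creator, fork lengths), checking its CRC."""
    data = binhex_decode(text)
    n = data[0]  # one-byte name length precedes the name
    _ver, ftype, creator, _flags, dlen, rlen, crc = struct.unpack(">B4s4sHIIH", data[n + 1:n + 22])
    if crc16_ccitt(data[:n + 20]) != crc:
        raise ValueError("BinHex header CRC mismatch")
    return {"name": data[1:n + 1], "type": ftype, "creator": creator, "data_len": dlen, "rsrc_len": rlen}

def macbinary_header(blob: bytes) -> dict:
    """Parse the 128-byte MacBinary header; verify the CRC when the version byte marks MacBinary II."""
    hdr = blob[:128]
    if len(hdr) < 128 or hdr[0] or hdr[74] or hdr[82] or not 1 <= hdr[1] <= 63:
        raise ValueError("not a MacBinary header")  # fixed zero bytes and the name length are the only magic
    dlen, rlen = struct.unpack(">II", hdr[83:91])
    if hdr[122] >= 129 and crc16_ccitt(hdr[:124]) != struct.unpack(">H", hdr[124:126])[0]:
        raise ValueError("MacBinary II header CRC mismatch")
    return {"name": hdr[2:2 + hdr[1]], "type": hdr[65:69], "creator": hdr[69:73], "data_len": dlen, "rsrc_len": rlen}

def classify_download(blob: bytes) -> dict:
    """Identify the wrapper and report whether the wrapped file is a launchable application."""
    if blob.lstrip().startswith(BINHEX_BANNER):
        info = dict(binhex_header(blob), format="binhex")
    else:
        info = dict(macbinary_header(blob), format="macbinary")
    info["is_application"] = info["type"] == APPLICATION_TYPE
    return info

def build_macbinary(name: bytes, ftype: bytes, creator: bytes, data: bytes, rsrc: bytes = b"") -> bytes:
    """Construct a MacBinary II file (used here only to make sample input)."""
    hdr = bytearray(128)
    hdr[1], hdr[2:2 + len(name)], hdr[65:69], hdr[69:73] = len(name), name, ftype, creator
    hdr[83:91] = struct.pack(">II", len(data), len(rsrc))
    hdr[122] = hdr[123] = 129  # "version to unpack" and "minimum version" bytes for MacBinary II
    hdr[124:126] = struct.pack(">H", crc16_ccitt(bytes(hdr[:124])))
    pad = lambda fork: fork + b"\0" * (-len(fork) % 128)  # forks are padded to 128-byte blocks
    return bytes(hdr) + pad(data) + pad(rsrc)

def build_binhex(name: bytes, ftype: bytes, creator: bytes, data: bytes, rsrc: bytes = b"") -> bytes:
    """Construct a BinHex 4.0 file: header, data fork and resource fork, each followed by its CRC."""
    header = bytes([len(name)]) + name + b"\0" + ftype + creator + struct.pack(">HII", 0, len(data), len(rsrc))
    return binhex_encode(b"".join(p + struct.pack(">H", crc16_ccitt(p)) for p in (header, data, rsrc)))

# Constructed samples: an "installer" application in each wrapper (the 0x90 byte exercises the escape).
SAMPLE_MACBINARY = build_macbinary(b"Installer", b"APPL", b"Evil", b"#!/bin/sh\necho pwned\n")
SAMPLE_BINHEX = build_binhex(b"Setup", b"APPL", b"Evil", b"\x90\x00\xca\xfe payload")
```

Two caveats go with this. The CRC is an integrity check, not an authenticity
check: whoever builds the file computes it, so a mismatch only tells you the
download was corrupted or tampered with in transit. And the type code is set
by the sender, so a filter keyed on "APPL" is grounds for quarantine, not a
guarantee; the setting the bulletin recommends, disabling automatic decoding
of both formats, removes the launch path regardless of type. The decoder is
written out by hand because Python's own binhex module was removed in 3.11.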
Other information:

Support:

 - Microsoft Knowledge Base article Q311052 discusses this issue and will be
   available approximately 24 hours after the release of this bulletin.
   Knowledge Base articles can be found on the Microsoft Online Support web
   site.
 - Technical support is available from Microsoft Product Support Services.
   There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides
additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion or
limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

 - V1.0 (October 23, 2001): Bulletin Created.

[***** End Microsoft Security Bulletin MS01-053 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Center, is the computer security incident
response team for the U.S. Department of Energy (DOE) and the emergency backup
response team for the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore, California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

M-003: Hewlett-Packard rpcbind Security Vulnerability
M-004: Excel and PowerPoint Macro Vulnerability
M-005: Office XP Error Reporting May Send Sensitive Documents to Microsoft
M-006: HP-UX telnetd Security Vulnerability
M-007: Macintosh OS-X Application Manager Vulnerability
M-008: Sun rpc.yppasswdd Security Vulnerability
M-009: Red Hat Linux PAM Vulnerability
M-010: Red Hat OpenSSH Vulnerability
M-011: Oracle Trace Collection Security Vulnerability
M-012: Oracle File Overwrite Security Vulnerability