Details on recent Mac OS X exploits (and why they still aren't fixed with the latest update)
Jason Harris of Unsanity wrote up a detailed whitepaper describing the recent LaunchServices vulnerabilities and the exploits that remain even after the help issue was patched. The whitepaper has the following example:
- A disk image named “MalwareDiskImage” will be mounted on your desktop.
- LaunchServices will read the “Info.plist” file of the application in this disk image automatically, and register the application as the default handler for URLs with a 'malware' scheme.
- The webpage will wait 10 seconds, and then redirect to “malware:unused”, causing LaunchServices to launch the payload application within the disk image.
- The application within the disk image will write a text file to the user’s home directory called “owned.txt” explaining that the machine has been exploited, will present an alert to the user, and will eject the disk image.
Very clever. Unsanity offers a free utility called Paranoid Android, which brings up a dialog whenever a protocol handler is used and lets the user allow or block the action.
I wonder what Apple's solution will be. I think they'll have to yank the ability to automatically mount disk images. I always thought that seemed a bit dangerous. I can imagine other exploits that could be done based on that.
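The registration step in the whitepaper's example works because the application's Info.plist declares a URL scheme. As an added example (not code from the whitepaper, Unsanity or Apple), this Python script lists the schemes that application bundles on a mounted volume declare through the standard `CFBundleURLTypes` / `CFBundleURLSchemes` keys, so they can be reviewed; the `EXPECTED` set, the function names and the sample plist are assumptions made for the illustration.

```python
import plistlib
import sys
from pathlib import Path

# Schemes the reviewer expects to see; an assumption for this example,
# not a list defined by Apple or by the whitepaper.
EXPECTED = {"http", "https", "ftp", "mailto"}

def declared_schemes(info_plist_bytes):
    """Return the sorted, lower-cased URL schemes an Info.plist declares."""
    info = plistlib.loads(info_plist_bytes)  # accepts XML or binary plists
    schemes = set()
    if not isinstance(info, dict):
        return []
    url_types = info.get("CFBundleURLTypes", [])
    for url_type in url_types if isinstance(url_types, list) else []:
        if not isinstance(url_type, dict):
            continue
        names = url_type.get("CFBundleURLSchemes", [])
        for name in names if isinstance(names, list) else []:
            if isinstance(name, str):
                schemes.add(name.lower())  # URL schemes are case-insensitive
    return sorted(schemes)

def scan_volume(root):
    """Map each .app bundle under root to the unexpected schemes it declares."""
    findings = {}
    for plist in Path(root).glob("**/*.app/Contents/Info.plist"):
        app = str(plist.parents[1])  # .../Name.app
        try:
            schemes = declared_schemes(plist.read_bytes())
        except Exception as exc:  # unreadable or malformed plist: report it
            findings[app] = ["<unparseable: %s>" % type(exc).__name__]
            continue
        unexpected = [s for s in schemes if s not in EXPECTED]
        if unexpected:
            findings[app] = unexpected
    return findings

# Constructed sample: an Info.plist declaring the 'malware' scheme named in
# the whitepaper's example, built here for illustration only.
SAMPLE_INFO_PLIST = plistlib.dumps({
    "CFBundleIdentifier": "com.example.payload",
    "CFBundleURLTypes": [{"CFBundleURLSchemes": ["Malware", "http"]}],
})

if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. the mount point of a disk image
        for app, schemes in scan_volume(sys.argv[1]).items():
            print(app, "declares", ", ".join(schemes))
    else:
        print(declared_schemes(SAMPLE_INFO_PLIST))
```

Run with a mount point as the only argument to review a volume; with no argument it prints the schemes from the constructed sample.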