More on the Safari / ZIP exploit - Not just for web browsers any more!
Just in case it wasn't already bad enough, apparently it is even worse.
SANS have yet another
write-up (see update 2), based on the fantastic work at
Heise security. It seems the vulnerability we talked about
previously also affects the Apple Mail application.
In fact the problem with Mail is worse because an attacker does not
need to wrap the file in a zip archive to disguise it, due to the way
Mail implements the
Apple Double File standard for carrying data and resource fork info as MIME data.
Ooops.
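As an added example (not from the original post or from Apple, SANS or Heise), a mail-gateway style check can find `multipart/appledouble` parts (RFC 1740) and list which AppleDouble entries the header part carries, so attachments that arrive with a resource fork or Finder info can be flagged for review. The function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

MAGIC = 0x00051607  # AppleDouble header magic number
ENTRY_NAMES = {1: "data fork", 2: "resource fork", 3: "real name", 9: "Finder info"}

def parse_appledouble_header(blob):
    """Return the entry IDs listed in an AppleDouble header, or None if malformed."""
    if len(blob) < 26:
        return None
    magic, _version, count = struct.unpack(">II16xH", blob[:26])
    if magic != MAGIC or len(blob) < 26 + 12 * count:
        return None
    ids = []
    for i in range(count):
        entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
        if offset + length > len(blob):  # entry points outside the part
            return None
        ids.append(entry_id)
    return ids

def flag_appledouble_parts(raw_message):
    """List every multipart/appledouble attachment and what its header part declares."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        if part.get_content_type() != "multipart/appledouble" or not part.is_multipart():
            continue
        kids = part.get_payload()
        head = next((k for k in kids if k.get_content_type() == "application/applefile"), None)
        data = next((k for k in kids if k is not head), None)
        ids = parse_appledouble_header(head.get_payload(decode=True)) if head else None
        findings.append({
            "filename": data.get_filename() if data else None,
            "declared_type": data.get_content_type() if data else None,
            "entries": None if ids is None else [ENTRY_NAMES.get(i, f"id {i}") for i in ids],
        })
    return findings

def build_sample():
    """Constructed message: one attachment with zero-filled Finder info and resource fork."""
    finder, rsrc = b"\x00" * 32, b"\x00" * 8
    header = struct.pack(">II16xH", MAGIC, 0x00020000, 2)
    header += struct.pack(">III", 9, 50, len(finder)) + struct.pack(">III", 2, 82, len(rsrc))
    pair = MIMEMultipart("appledouble")
    pair.attach(MIMEApplication(header + finder + rsrc, "applefile"))
    data = MIMEApplication(b"placeholder", "pdf")
    data.add_header("Content-Disposition", "attachment", filename="report.pdf")
    pair.attach(data)
    outer = MIMEMultipart("mixed")
    outer.attach(pair)
    return outer.as_bytes()
```

A gateway or triage script can act on the `entries` field, for instance by quarantining attachments whose header part is malformed (`None`) or declares a resource fork.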
First of all, let's keep some perspective here; Apple Macs still
have a superb "real world" security record. Don't trade in your Mac
just yet if this is starting to worry you.
Next up, this does make it all too clear that Apple have allowed "user
experience" to come ahead of user security in their design choices, and
that there may be a rich vein of similar exploits awaiting the curious
hacker who cares to go looking.
I think Apple urgently need to perform a review of how their built-in
apps and tools like the Finder make assumptions about how the data passed
to them is structured. I also think that Mac users who have previously
taken security for granted may need to approach things with a little
more caution.
Lastly, Microsoft took a lot of deserved criticism for a similar design approach
some time ago, and one way or another have worked very hard at moving
towards a much more grown up approach to secure product design. They're
not perfect but they are trying hard.
It seems that while
Apple are sneering
at Microsoft and suggesting that Longhorn is copying Tiger, Apple could
and should perhaps start their own photocopiers up and learn something
from Microsoft's much more open and honest approach to security of late. And before anyone replies to tell me how bad Microsoft have been at this, I know, that's my point.