[NEWS] Downloaded Applications Can Execute Without Warning on Mac IE 5.1 for OS X
From: support@securiteam.com
Date: 10/30/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Downloaded Applications Can Execute Without Warning on Mac IE 5.1 for OS X
Message-Id: <20011030210356.D436B138BF@mail.der-keiler.de>
Date: Tue, 30 Oct 2001 22:03:56 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Downloaded Applications Can Execute Without Warning on Mac IE 5.1 for OS X
------------------------------------------------------------------------
SUMMARY
The Macintosh OS X Operating System provides built-in support for both
BinHex and MacBinary file types. These file types allow for the efficient
transfer of information across networks by allowing information to be
compressed by the sender and then decompressed by the recipient. This
capability is particularly useful on the Internet, allowing users to
download compressed files.
A vulnerability results because of a flaw in the way Mac OS X and Mac IE
5.1 interoperate when BinHex and MacBinary file types are downloaded. As a
result, an application that is downloaded in either of these formats can
execute automatically once the download is complete.
A user would first have to choose to download a file and allow the
download to fully complete before the application could execute. In
addition, users can choose to disable the automatic decoding of both these
file types.
DETAILS
Vulnerable systems:
* Microsoft Internet Explorer 5.1 for the Macintosh
Mitigating factors:
* The user would have to choose to download the application before any
attempt could be made to exploit the vulnerability. It cannot be exploited
without user interaction.
* The application would have to successfully download before any attempt
could be made to exploit the vulnerability. The user can cancel the
download at any time prior to completion.
* The vulnerability could not be exploited if automatic decoding of
BinHex and MacBinary files has been disabled. This is not the default
setting, however.
Patch availability:
Download locations for this patch
* Microsoft IE 5.1 for Mac OSX:
Users must use the Software Update feature of Mac OS X v10.1 to
install the "Internet Explorer 5.1 Security Update."
More information on Software Update is available at:
http://www.apple.com/macosx/upgrade/softwareupdates.html
What's the scope of the vulnerability?
This vulnerability could allow an application to execute unexpectedly. If
an attacker enticed the victim to download a malicious program compressed
as a BinHex or MacBinary file type, the program could execute after the
download completed.
For this attack to succeed, the user would have to initiate the download
process. This vulnerability cannot be used to automatically download and
execute malicious code on the user's system.
What causes the vulnerability?
The vulnerability results from an issue with how IE and the Mac OS
interoperate when handling downloaded MacBinary and BinHex files.
What are BinHex and MacBinary files?
BinHex is a utility that encodes Macintosh files so that they can travel
well on networks. BinHex encodes a file from its 8-bit binary or
bit-stream representation into a 7-bit ASCII set of text characters. The
recipient decodes it at the other end.
MacBinary is a format for binary transfer of Macintosh documents over a
telecommunication link. It is intended for use between Macintoshes and in
uploading Macintosh documents to remote systems.
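An added example, not part of the original advisory: a Python check that a download gateway or triage script could use to recognise BinHex 4.0 and MacBinary wrappers and report whether the enclosed file carries the application type code `APPL`. The function names, the constructed sample header and the policy of flagging on `APPL` are assumptions of this example; the BinHex header CRC is not verified.

```python
import binascii

# BinHex 4.0 six-bit alphabet and banner line (RFC 1741).
HQX = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
BANNER = b"(This file must be converted with BinHex"
# Constructed sample: a MacBinary I header for an application named "Game".
SAMPLE = bytes([0, 4]) + b"Game" + bytes(59) + b"APPLTEST" + bytes(55)

def macbinary_info(data):
    """Return ("MacBinary", name, type, creator) for a valid header, else None."""
    hdr = data[:128]
    if len(hdr) < 128 or hdr[0] or hdr[74] or hdr[82] or not 1 <= hdr[1] <= 63:
        return None
    # MacBinary II/III: CRC-16 of bytes 0..123 at offset 124; MacBinary I: 99..127 zero.
    stored = int.from_bytes(hdr[124:126], "big")
    if binascii.crc_hqx(hdr[:124], 0) != stored and any(hdr[99:128]):
        return None
    return "MacBinary", hdr[2:2 + hdr[1]], hdr[65:69], hdr[69:73]

def binhex_info(data):
    """Return ("BinHex", name, type, creator) from a BinHex 4.0 header, else None."""
    start = data.find(BANNER)
    colon = data.find(b":", start + len(BANNER)) if start >= 0 else -1
    if colon < 0:
        return None
    body = data[colon + 1:].split(b":", 1)[0]
    sixes = [HQX.index(chr(c)) for c in body if chr(c) in HQX][:256]
    acc, nbits, raw = 0, 0, bytearray()
    for v in sixes:                      # repack 6-bit symbols into 8-bit bytes
        acc, nbits = (acc << 6) | v, nbits + 6
        if nbits >= 8:
            nbits -= 8
            raw.append((acc >> nbits) & 0xFF)
    out, i = bytearray(), 0
    while i < len(raw):                  # undo run-length coding (marker 0x90)
        b, i = raw[i], i + 1
        if b != 0x90:
            out.append(b)
        elif i < len(raw):
            n, i = raw[i], i + 1
            out.extend(b"\x90" if n == 0 else out[-1:] * (n - 1))
    n = out[0] if out else 0
    if not 1 <= n <= 63 or len(out) < n + 10:
        return None
    return "BinHex", out[1:1 + n], out[n + 2:n + 6], out[n + 6:n + 10]

def launchable_download(data):
    """Return (format, name, is_application) for an encoded download, else None."""
    info = macbinary_info(data) or binhex_info(data)
    return (info[0], info[1].decode("mac_roman"), info[2] == b"APPL") if info else None
```

A result whose third element is `True` marks a download that should be held for review rather than decoded and opened automatically.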
How could an attacker exploit this vulnerability?
An attacker would need to host an executable file on a web site, packaged
as either a BinHex or MacBinary file, and then entice another user to
visit the site and initiate a download. Once the download was complete,
the executable file would automatically execute.
What does the patch do?
This patch updates Internet Explorer 5.1 to version 5.1.3 (build 3905) and
prevents the Mac OS from automatically launching MacBinary and BinHex
files.
Where can I download the patch or how do I update my OS?
Users must use the Software Update feature of Mac OS X v10.1 to install
the "Internet Explorer 5.1 Security Update."
More information on Software Update is available at:
http://www.apple.com/macosx/upgrade/softwareupdates.html
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security
<mailto:secnotif@MICROSOFT.COM>.