
INTEGO SECURITY MEMO - FEBRUARY 23, 2006
MAC OS X METADATA EXPLOIT


Exploit: Mac OS X metadata exploit

Discovered: February 23, 2006

Risk: Critical

Description: Compressed archives can contain resource forks and HFS metadata stored in an invisible "__MACOSX" folder. Data contained in these resource forks and HFS metadata can mask the real type of a file in the archive, causing shell scripts to execute if users double-click such files.

The risk inherent in this exploit is that any compressed archive may contain such resource forks and metadata, and that decompressing an archive and double-clicking a resulting file can execute a shell script contained in the invisible __MACOSX folder.

Safari users who have not turned off auto-execution of “safe” files will download the malicious Zip archive, which will then execute. Even if this option is turned off, the Zip archive will download, and a user may double-click it to decompress it, then double-click its contents, causing the file to execute.

An additional exploit has been discovered, by which a malicious user can hack a web site and add a script to a page that generates a zip archive containing executable code. A user merely needs to visit the web page: the script itself creates the zip archive, so the file does not need to be stored on the hacked server or on any other server.

The ramifications of this are quite serious. While the first example above requires two double-clicks from the user, on the archive and then on its contents (if auto-execution of “safe” files is turned off), in the second case users may go to a website where they expect to download legitimate files (zipped graphics, video, or even applications) and end up with a potentially dangerous executable.

When the user clicks a link for a legitimate download, the script generates a zip archive that the user expects to receive. The user then decompresses the archive and expects the resulting file to be the image, video or application they asked for, not an executable.

Means of protection: The first way to protect against this exploit is to uncheck the option Open “safe” files after downloading, found in Safari’s General preferences. (This option is on by default, and Mac OS X would be more secure if it were set to off.) But to fully protect against the possibility of accidentally executing code in a file downloaded intentionally, Intego VirusBarrier X and X4, with their virus definitions dated February 23, 2006, offer protection from this type of hidden executable file.
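As an added defensive illustration (not from Intego's memo or its products), the Python below scans a zip archive for the pattern described above: an entry in the invisible __MACOSX folder carrying AppleDouble metadata for a file whose data fork actually begins with a shell-script shebang. The archive it inspects is a constructed fixture with a harmless echo script; its AppleDouble header is a placeholder (magic and version only, no real resource fork), and the path names are assumptions.

```python
import io
import struct
import sys
import zipfile

# Every AppleDouble "._" file (the form Mac OS X uses for resource forks and
# Finder info inside __MACOSX/) starts with this 4-byte magic number.
APPLEDOUBLE_MAGIC = 0x00051607

def metadata_targets(zf):
    """Map each __MACOSX/.../._name entry to the data-fork path it describes."""
    targets = {}
    for name in zf.namelist():
        if not name.startswith("__MACOSX/"):
            continue
        head, _, tail = name[len("__MACOSX/"):].rpartition("/")
        if tail.startswith("._"):
            targets[(head + "/" if head else "") + tail[2:]] = name
    return targets

def find_masked_scripts(zip_bytes):
    """Return data-fork paths carrying AppleDouble metadata whose content starts with a shebang."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for data_path, meta_path in metadata_targets(zf).items():
            if data_path not in names:
                continue  # orphan metadata, nothing to execute
            meta = zf.read(meta_path)
            has_appledouble = len(meta) >= 4 and meta[:4] == struct.pack(">I", APPLEDOUBLE_MAGIC)
            if has_appledouble and zf.read(data_path).startswith(b"#!"):
                findings.append(data_path)
    return findings

def build_sample_archive():
    """Constructed fixture: a harmless echo script stored under an image-like name, plus a
    placeholder AppleDouble header (magic, version 2, zero entries). Not a real resource fork."""
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\x00" * 18
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("pictures/holiday.jpg", b"#!/bin/sh\necho 'this would run on double-click'\n")
        zf.writestr("pictures/readme.txt", b"plain text, no shebang\n")
        zf.writestr("__MACOSX/pictures/._holiday.jpg", header)
        zf.writestr("__MACOSX/pictures/._readme.txt", header)
    return buf.getvalue()

if __name__ == "__main__":
    # Scan the archive named on the command line, or the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_archive()
    print("suspicious entries:", find_masked_scripts(blob) or "none")
```

Run it against a downloaded archive before decompressing; a hit means the archive pairs HFS metadata with a file that is really a script, which is exactly the combination the memo warns about.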


About Intego
Intego develops and sells desktop Internet security and privacy software for Macintosh.

Intego provides the widest range of software to protect users and their Macs from the dangers of the Internet. Intego's multilingual software and support repeatedly receive awards from Mac magazines, and protect more than one million users in over 60 countries. Intego has headquarters in the USA, France and Japan.

As the dangers of the Internet grow, Intego is hard at work, developing new software to protect users and their Macs from the latest security and privacy threats.

We protect your world.
