|Security flaw in Mac OS X
||[Jan. 23rd, 2008|09:55 pm]
I filed this with Apple about a week ago, and since they qualify it as "enhancement", I guess they wouldn't mind me publicizing it. It exists in both Tiger and Leopard, and is probably in every version of OS X.
If you run as a non-administrator (you are running as a non-administrator, right?), you aren't as secure as you should be. When you drag a new app to /Applications, Finder asks you for administrator logon credentials. This is all well and good, and is exactly what it should do. However, what happens next is not, and opens you up for other attacks. This dialog is used only for authorization. The credentials are not used again, and the owner of the application is the current, non-administrative user.
To put this in terms of what may happen. You run Firefox, and install it by copying to /Applications. Since it requires authentication to do this, you've increased your safety, or so you think. Now something takes advantage of an exploit, and tries to overwrite the firefox application to do it's nefarious work. Whoops, it succeeds, and your system is now compromised when it should have been protected. Even Windows gets installing as an alternate user correct, why doesn't Mac?
There is fortunately, a simple workaround. Unfortunately, there is not a "Mac" work around, as I just tested that and that has a security flaw as well. Open up Terminal.App, and use su, sudo and chown to set the proper permissions. I'm sorry for the instructions being a little vague, but I will write out a detailed, automated way so that it's regularly scheduled and no intervention necessary.
The "Mac" way would be to right click on the application, and set the owner in the info inspector. This unfortunately, has a net effect of exactly nothing. The ownership of the directory is changed, but the ownership of the contents is not. The ability of malicious software to change the binary is not in any way impacted.