Exploit: Mac OS X metadata exploit

Discovered: February 24, 2006

Risk: Critical

Description: Compressed archives can contain resource forks and HFS
metadata stored in an invisible “__MACOSX” folder. Data contained in these
resource forks and HFS metadata can mask the real type of a file in the
archive, causing shell scripts to execute if users double-click such files.

The risk inherent in this exploit is that any compressed archive may
contain such resource forks and metadata, and that decompressing an archive
and double-clicking a resulting file can execute a shell script contained
in the invisible __MACOSX folder.

Safari users who have not turned off auto-execution of “safe” files will
download the malicious Zip archive, which will then execute. Even if this
option is turned off, the Zip archive will download, and a user may
double-click it to decompress it, then double-click its contents, causing
the file to execute. An additional exploit has been discovered, by which a
malicious user can hack a web site, and add a script to a page that will
generate a zip archive containing executable code. A user merely needs to
visit a web page: the script actually creates the zip archive; the file
itself does not need to be on the hacked server or any other server.

The ramifications of this are quite serious. While the first example above
requires that a user double-click a file twice (if auto-execution of “safe”
files is turned off), in the second case, users may go to a website where
they expect to download legitimate files (zipped graphics, video, or even
applications), and end up with a potentially dangerous executable.

When clicking on a link for a legitimate download, the script generates a
zip archive that the user expects to receive. The user then decompresses
the archive and expects the resulting file (an image, video or application)
to be a graphic or application.

Means of protection: The first way to protect against this exploit is to
uncheck the option Open “safe” files after downloading, found in Safari’s
General preferences. (This option is on by default, and Mac OS X would be
more secure if it were set to off.) But to fully protect against the
possibility of accidentally executing code in a file downloaded
intentionally, Intego VirusBarrier X and X4, with their virus definitions
dated February 23, 2006, offer protection from this type of hidden
executable file.

About Intego
Intego develops and sells desktop Internet security and privacy software
for Macintosh.

Intego provides the widest range of software to protect users and their
Macs from the dangers of the Internet. Intego’s multilingual software and
support repeatedly receive awards from Mac magazines, and protects more
than one million users in over 60 countries. Intego has headquarters in the
USA, France and Japan.

As the dangers of the Internet grow, Intego is hard at work, developing new
software to protect users and their Macs from the latest security and
privacy threats.

We protect your world.