
OS X: Zip archive remote exploit

The trojans are definitely coming. As many have probably noticed, security researchers found a flaw in OS X that allows attackers to execute arbitrary code. The most common vector is Safari's "Open safe files after downloading" feature. The best write-up is from the SANS ISC:

Serious flaw on OS X

You can find the proof of concept exploit here, and a write-up of how it can be exploited via email here.

There is no patch available. In the meantime:

  • Disable "Open safe files after downloading"
  • Use Firefox on OS X (which does not appear to be vulnerable)
  • Be very careful about opening attachments in email and downloaded files

A good step to take if you are suspicious comes from the ISC write-up:

$ unzip Mac-TV-Stream.mov.zip
Archive: Mac-TV-Stream.mov.zip
inflating: Mac-TV-Stream.mov
creating: __MACOSX/
inflating: __MACOSX/._Mac-TV-Stream.mov

The metadata file in this example is ._Mac-TV-Stream.mov. This is a binary file, but even running the simple strings command on it will reveal which application is really used to open the main file:

$ strings ._Mac-TV-Stream.mov
%/Applications/Utilities/Terminal.app
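The same check, automated over a whole archive, as an added example that is not part of the original post or the ISC write-up: it pulls every __MACOSX/._ sidecar out of a zip, scans it the way strings does, and flags any media-looking file bound to an application that is not an expected viewer. The extension and viewer lists, the function names and the sample archive are constructed for this example; the sidecar bytes are a made-up blob, not a real resource fork.

```python
import io
import re
import zipfile

# Extensions a user expects a viewer, not a shell, to handle (assumption).
MEDIA_EXTS = {".mov", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".mp3"}
# Viewers normally bound to those extensions (assumption; tune per fleet).
EXPECTED_APPS = {"/Applications/QuickTime Player.app", "/Applications/Preview.app"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # the `strings` heuristic
APP_PATH = re.compile(rb"(/\S*?\.app)\b")          # first .app bundle in a run


def sidecar_app_bindings(zip_bytes):
    """Return (main_entry, app_path) for each __MACOSX/._ metadata file in the
    archive that embeds an application path, i.e. a Finder 'open with' binding."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            dirname, _, base = name.rpartition("/")
            if not dirname.startswith("__MACOSX") or not base.startswith("._"):
                continue
            # __MACOSX/<dir>/._<file> is the sidecar for <dir>/<file>.
            main = (dirname[len("__MACOSX"):] + "/" + base[2:]).lstrip("/")
            for run in PRINTABLE_RUN.findall(zf.read(name)):
                for m in APP_PATH.finditer(run):
                    findings.append((main, m.group(1).decode("ascii")))
    return findings


def is_disguised(main_entry, app_path):
    """A media-looking name bound to anything but an expected viewer is suspect."""
    _, dot, ext = main_entry.rpartition(".")
    return dot == "." and ("." + ext.lower()) in MEDIA_EXTS and app_path not in EXPECTED_APPS


def flag_archive(zip_bytes):
    """Bindings in the archive that look like a disguised executable."""
    return [f for f in sidecar_app_bindings(zip_bytes) if is_disguised(*f)]


def build_sample_zip():
    """Constructed archive mirroring the ISC listing: a harmless shell script named
    like a movie, with a sidecar naming Terminal.app (bytes are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Mac-TV-Stream.mov", b"#!/bin/sh\necho constructed sample\n")
        sidecar = (b"\x00\x05\x16\x07\x00\x02\x00\x00" + b"\x00" * 26
                   + b"%/Applications/Utilities/Terminal.app\x00" + b"\x00" * 8)
        zf.writestr("__MACOSX/._Mac-TV-Stream.mov", sidecar)
    return buf.getvalue()
```

Running flag_archive(build_sample_zip()) reports the .mov bound to /Applications/Utilities/Terminal.app, which is the mismatch the strings check above exposes by hand.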

A zip file could be masking malicious code, so be careful. Oh, and HD Moore has added this to Metasploit, exploit here.
