
Just another Microsoft worm

Posted Jan 29, 2004 13:16 UTC (Thu) by utidjian (subscriber, #444)
Parent article: Just another Microsoft worm

Some months ago on the comp.sys.mac.advocacy Usenet group a discussion came up (as they always do on such forums) about the inherent security of Mac OS X vs Windows. The discussion was "ignited" by the, now common, weekly major Windows worm. It was the usual thing with Windows advocates claiming that such an exploit could just as easily affect Mac OS X if someone would simply write one. It also follows that if Mac OS X were as commonplace as Windows it would spread as easily. The Mac advocates denied that this sort of thing was possible because "Mac OS X is Unix" (or some such). Sound familiar?

The upshot of the discussion was someone actually wrote a little trojan for Mac OS X. He published the source code for the trojan and using his code I adapted it to Linux. The results for Linux are at: http://tinyurl.com/2quhp

I also tested it on Mac OS X and it works as designed with a default installation of Mac OS X (up to and including Panther).

The basic difference between the various OSes is the default behavior when encountering an executable attachment.

Windows (typical): Will execute attachment, sometimes by merely opening the email, sometimes requiring the user to open the attachment.

Windows ("secure"): Requires the user to open the attachment but will warn them that such an action might be dangerous.

Mac OS X (typical): Requires the user to open the attachment but will warn the user that such an action might be dangerous.

Linux (typical): Requires the user to save to disk. Saves as mode 0600. The user then has to change the mode to get it to run.

As far as I know (only tested with Mozilla Mail) all Linux email clients save attachments without the execute bit set. As long as this practice continues there will be a considerable hurdle for the average user (I mean Windows/Mac type of average user) to overcome before the attachment can be executed. For many Linux users this is not that big of a hurdle but it is still a checkpoint.

In short, the current default behavior of Linux email clients, more or less, effectively prevents the kind of exploits that use email as the transport. Let us hope that this does not change.

However, we have had problems with some file formats. I seem to remember that there was a possible exploit from certain graphics file formats last year. IOW one could "run" an exploited JPEG file or PDF file simply by opening it in the default viewer.

-DU-...etc...



execute bits

Posted Jan 29, 2004 20:39 UTC (Thu) by stevenj (guest, #421) [Link]

As far as I know (only tested with Mozilla Mail) all Linux email clients save attachments without the execute bit set. As long as this practice continues there will be a considerable hurdle for the average user ( I mean Windows/Mac type of average user) to overcome before the attachment can be executed.

...Unless the attachment is compressed, in which case your average friendly untar/unzip tool will happily set the execute bit for you. Not to mention that certain things like desktop shortcuts on GNOME are just files and don't need an execute bit at all to be usable in dangerous ways.

(This is not even getting into actual bugs, mind you, just potential design weaknesses.)
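An added illustration of the two behaviours discussed in this thread, not code from either poster: a constructed tar archive carrying a 0755 script, a pre-extraction check listing members that would land with an execute bit set, and an extraction routine that writes every file as mode 0600 the way utidjian reports the mail client does, so the user still has to change the mode by hand. Archive contents and file names are constructed for the example.

```python
import io
import os
import stat
import tarfile
import tempfile

# Constructed sample payload: a shell script stored in the archive with mode 0755.
SCRIPT = b"#!/bin/sh\necho hello from the attachment\n"

def build_sample_archive() -> bytes:
    """Build a small tar in memory with one executable and one plain file (constructed)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, data in (("attachment/run.sh", 0o755, SCRIPT),
                                 ("attachment/README", 0o644, b"notes\n")):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def executable_members(archive: bytes) -> list:
    """Pre-extraction check: regular files a plain untar would give an execute bit."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        return [m.name for m in tar.getmembers() if m.isfile() and m.mode & 0o111]

def safe_member_path(dest: str, name: str) -> str:
    """Reject absolute names and '..' components so extraction stays inside dest."""
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if name.startswith("/") or ".." in parts or not parts:
        raise ValueError("refusing member outside destination: %s" % name)
    return os.path.join(dest, *parts)

def extract_like_mail_client(archive: bytes, dest: str) -> dict:
    """Write each regular file as mode 0600, ignoring the mode stored in the archive.
    Returns {member name: resulting permission bits}."""
    result = {}
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue  # directories are created implicitly; links/devices are skipped
            path = safe_member_path(dest, m.name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(tar.extractfile(m).read())
            result[m.name] = stat.S_IMODE(os.stat(path).st_mode)
    return result

def demo() -> dict:
    """Extract the sample archive into a scratch directory and report the modes."""
    with tempfile.TemporaryDirectory() as d:
        return extract_like_mail_client(build_sample_archive(), d)
```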

execute bits

Posted Jan 30, 2004 3:20 UTC (Fri) by utidjian (subscriber, #444) [Link]

Unless the attachment is compressed, in which case your average friendly untar/unzip tool will happily set the execute bit for you. Not to mention that certain things like desktop shortcuts on GNOME are just files and don't need an execute bit at all to be usable in dangerous ways.

True. File Roller (or whatever) will unpack it "correctly"... but the email application will not. The user has to save-to-disk, navigate to where it was saved (perhaps on the desktop), double-click on it, navigate to where the executable was saved (perhaps on the desktop), then double-click on the executable. This is not a lone feature of Linux or Gnome. The default KDE would be even easier... just single-clicks. There is no "warning" either.

-DU-...etc...

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds