Shell scripts and AppleScripts can run in the background without the 
user knowing anything is going on. I am not trying to say the sky is 
falling, but this is troubling indeed.
Trusted sources are passing e-mail and doc viruses around on a regular 
basis; this is a way to break into that much heralded "The Mac is 
secure" sense of security that we all have enjoyed for so long.

                                                                Jerry

Yes, most of the e-mail viruses are being written by the s'kiddies but the 
really vicious ones are written by those that know how to exploit this 
type of thing.

On Thursday, October 3, 2002, at 04:32 PM, Jesse Walker wrote:

> This advisory speaks to a vulnerability that is very obscure and, in my 
> opinion, would be tricky to pull off so that it would cause damage. 
> Even if one was to receive a Zip archive that caused a buffer overflow, 
> there would also have to be an executable script, lying in wait, that 
> would then take advantage of this vulnerability. A buffer overflow by 
> itself is not something to be terribly worried about, the problem is 
> that when it occurs it leaves a window of opportunity for someone to 
> take advantage of. Somehow the script would have to be executed as soon 
> as the file was expanded (not an easy trick).
>
> So, if individuals on this list do trade zip files it is still unlikely 
> that this will pose much of a problem. This is especially true if the 
> zip archives are coming from a trusted source. One of the advantages of 
> using the Mac operating system is that, generally, it does not go 
> around executing invisible files unbeknownst to the user. Now if this 
> vulnerability existed on the Windows platform, it would be a serious 
> problem because Windows loves to execute little VB scripts without the 
> user knowing about it.
>
> My original advice stands. It would be best to wait for a new version 
> of Expander before updating. There are simply too many problems with 
> the app in its current state.
>
> Although Apple has put up a bulletin on this vulnerability (it would be 
> irresponsible not to), I don't see that it is particularly dangerous.
>
> my .02
>
> Jesse
>
> On Thursday, October 3, 2002, at 02:28 PM, Jerry Yeager wrote:
>
>> I am not so sure if this (not updating) is a good idea. Many of us 
>> swap files with M$ using folks, so we need to be able to trust the 
>> .zip file we are getting is a good one. Apple has also issued an 
>> advisory about this vulnerability:
>>
>> Apple Security Advisory APPLE-SA-2002-10-02 Stuffit Expander ZIP 
>> archives containing files with large filenames can cause a buffer 
>> overflow when expanded. Versions 6.5.2 and earlier of the Stuffit 
>> Expander utility contain this vulnerability. Affected systems: Systems 
>> that contain Stuffit Expander version 6.5.2 or earlier
>>
>>                              Jerry