There is a severe vulnerability in the combination of browser (pretty much any browser), StuffIt and Quicktime on Macs.

Often, StuffIt is configured to automatically open files that it can handle on behalf of the browser. For example, if you click on a link to a .sit file, StuffIt is called and opens the file. This is a normal mechanism that lets the user work with files placed on the web in uncommon formats.

One of the file types StuffIt handles is disk images. When asked to open one, StuffIt mounts it directly on the filesystem.

Quicktime has a feature to automatically start applications as soon as a disk is inserted. That is probably intended for multimedia CDs and installers. However, it is also incredibly dangerous if you insert an untrusted medium, because a started, malicious application can pretty much take over the system.

Now, if you take all these together, you get the following vulnerability: You visit a malicious webpage. The author offers a link to a disk image and tricks you into clicking it, or the webpage even triggers the opening of the disk image itself, e.g. using JavaScript or a refresh. The browser will tell StuffIt to open the disk image. StuffIt will mount it. Quicktime will start the malicious application that the author placed there. The author of the malicious webpage can now take over your system.

The problem is eased by the fact that Beonex Communicator by default asks before opening external helper applications like StuffIt, but many users have probably disabled that or don't expect problems in this case.

There is not much that browsers could do against that. In my opinion, the main problem is with Quicktime running applications from potentially untrusted sources, and part of the problem is with StuffIt not guarding against that.

Most of that behaviour is adjustable by the user in any of the applications. Please do so. We recommend disabling the autostart feature in Quicktime.

Ben Bucksch
