dmg Kernel Panic

Yes, it really is possible to panic your Mac by mounting a dmg file. Those of us who work with the filesystem have known that this is possible for ages; I know I’ve reported at least one instance of this problem to Apple in the past.

Of course, it's more painful for us because it often happens when we're trying to do something new on an external hard disk (yes, it’s possible to get into a state where you can’t connect your external disk without the kernel panicking). When that happens, you have to send SIGSTOP to the Disk Arbitration daemon to prevent it from automounting the disk the moment it’s attached. (You can’t just kill it, because it’s automatically respawned if it dies.)
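
The SIGSTOP workaround described above, as an added shell example that is not from the original post: it stops the daemon, runs a command, and always sends SIGCONT afterwards so automounting is not left disabled. The process name `diskarbitrationd`, the use of `pgrep`, and all function names are assumptions.

```shell
#!/bin/sh
# Added example: hold a daemon stopped while a command runs, then always
# resume it. Run as root when the target is a system daemon.

# Assumption: process name of the Disk Arbitration daemon on Mac OS X.
DA_NAME="diskarbitrationd"

# Send SIGSTOP to every PID given; fail if a signal cannot be delivered.
pause_pids() {
    for pid in "$@"; do
        kill -STOP "$pid" || return 1
    done
}

# Send SIGCONT to every PID given; keep going past PIDs that have exited.
resume_pids() {
    rc=0
    for pid in "$@"; do
        kill -CONT "$pid" 2>/dev/null || rc=1
    done
    return "$rc"
}

# with_paused "PID PID ..." command [args...]
# Stops the PIDs, runs the command, then resumes the PIDs even if the command
# fails or the script gets SIGINT/SIGTERM. Returns the command's exit status.
with_paused() {
    paused_pids=$1
    shift
    # The unquoted expansions below split the PID list on purpose.
    pause_pids $paused_pids || { resume_pids $paused_pids || true; return 1; }
    trap 'resume_pids $paused_pids; exit 130' INT TERM
    cmd_rc=0
    "$@" || cmd_rc=$?
    trap - INT TERM
    resume_pids $paused_pids || true
    return "$cmd_rc"
}

# Typical use: attach the problem disk while the prompt is showing, deal
# with it unmounted, then press Return to let automounting resume.
hold_disk_arbitration() {
    pids=$(pgrep -x "$DA_NAME") || { echo "$DA_NAME is not running" >&2; return 1; }
    with_paused "$pids" sh -c 'printf "Paused; press Return to resume: "; read -r reply'
}
```

Sending SIGSTOP rather than SIGKILL is the point: a stopped process still exists, so nothing respawns it.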

Anyway, this is hardly new. And, as usual, the reports in the media are distorted. For instance, Brian Krebs writes:

“the crash report generated after I used Safari to click on the file indicated that the exploit had indeed resulted in a "kernel panic," which in most cases means that if someone wanted to use the exploit to install malicious code, they could do so regardless of the security settings or precautions already present on the machine”

conveniently ignoring the fact that this is still just a crash, not an exploit, and that not all crashes are actually exploitable anyway. (This complaint would be valid whatever operating system we were talking about.)

I was also amused to read on the Matasano Security blog comments that make it sound like the problem of user-mounted filesystems is unique to Mac OS X. That isn’t true, of course. Windows lets non-administrators mount all kinds of removable media, and Windows Vista apparently has similar disk image support to Mac OS X. UNIX and Linux set-ups also frequently allow users other than root to mount filesystems, and virtualisation products like VMware commonly install drivers that allow their users to mount virtual disk images by double-clicking, just like a dmg file.

That said, it is true that Mac users are currently more vulnerable in this regard than people on most other platforms, because downloadable disk images are not nearly so widespread on the other operating systems (yet), which makes John Gruber’s advice to disable Safari’s auto-open feature an even better idea than it already was.

Comments

Blogger that doesn't have a clue writes about technology.

Cheek!

I did contemplate just blocking this comment, but those people who know me will probably appreciate just how silly you made yourself look by writing it.

It's also a shame, Ernesto (that is you, right?), that you're too cowardly to put your name to your remarks.

Reply from the MoKB folks, who originally posted this particular exploit:

http://kernelfun.blogspot.com/2006/11/more-mokb-20-11-2006-related-news.html