Yes, it really is possible to panic your Mac by mounting a dmg file. Those of us who work with the filesystem have known that this is possible for ages; I know I’ve reported at least one instance of this problem to Apple in the past.
Of course, it’s more painful for us because it often happens when we’re trying to do something new on an external hard disk (yes, it’s possible to get things such that you can’t connect your external disk without the kernel panicking). When that happens, you have to send
SIGSTOP to the Disk Arbitration daemon to prevent it from automounting the disk the moment it’s attached. (You can’t just kill it, because it’s automatically respawned if it dies.)
Anyway, this is hardly new. And as usual the reports in the media are distorted, for instance, Brian Krebs writes:
“the crash report generated after I used Safari to click on the file indicated that the exploit had indeed resulted in a “kernel panic,” which in most cases means that if someone wanted to use the exploit to install malicious code, they could do so regardless of the security settings or precautions already present on the machine”
conveniently ignoring the fact that this is still just a crash, not an exploit, and that not all crashes are actually exploitable anyway. (This complaint would be valid whatever operating system we were talking about.)
I was also amused to read on the Matasano Security blog comments that make it sound like the problem of user-mounted filesystems is unique to Mac OS X. That isn’t true, of course. Windows lets non-administrators mount all kinds of removable media, and Windows Vista apparently has similar disk image support to Mac OS X. UNIX and Linux set-ups also frequently allow users other than root to mount filesystems, and virtualisation products like VMWare commonly install drivers that allow their users to mount virtual disk images by double-clicking, just like a dmg file.
That said, it is true that Mac users are currently more vulnerable in this regard than people on most other platforms, because downloadable disk images are not nearly so widespread on the other operating systems (yet), which makes John Gruber’s advice to disable Safari’s auto-open feature an even better idea than it already was.