Signature Detail

HTTP: Apple Disk Image URI

This signature detects disk images in standard URIs in HTML documents. Macintosh computers running Safari and Internet Explorer are vulnerable. Attackers can direct a target to a Web page containing a disk image file; when downloaded, the disk image enables attackers to execute arbitrary scripts or code on the target's computer.

Extended Description

Multiple security vulnerabilities were reported in Mac OS X. A security update has been released to address these issues and provide other enhancements. The following issues were reported: LaunchServices is reported prone to a vulnerability where the LaunchServices utility automatically registers applications. It is reported that an attacker may exploit this issue to register and run malicious applications. DiskImageMounter is reported prone to a vulnerability where the disk:// URI handler may be used to mount an anonymous remote file system. This attack can be achieved using the HTTP protocol. A remote attacker may exploit this vulnerability to write to the local disk. Safari is reported prone to an unspecified vulnerability where the Safari "Show in Finder" button, when invoked, would attempt to execute certain files instead of revealing the files in the finder window. An attacker may potentially exploit this condition to automatically execute files on the file system (including downloaded files). This could lead to privilege escalation or remote compromise. Some of these issues may already be described in previous BIDs. This BID will be split up into unique BIDs when further analysis of this update is complete.

Affected Products

• Apple Mac OS X 10.2.8
• Apple Mac OS X 10.3.4
• Apple Mac OS X Server 10.2.8
• Apple Mac OS X Server 10.3.4

References

• BugTraq: 10486
• CVE: CVE-2004-0485
• URL: http://www.euronet.nl/~tekelenb/playground/security/URLschemes/archive.html
• URL: http://www.kb.cert.org/vuls/id/210606
• URL: http://docs.info.apple.com/article.html?artnum=61798