Of Files, Forks, and FUD
As a level-headed, rational reader of TidBITS, you have, I trust, resisted being swept away on the wave of fear, uncertainty, and doubt spread this past week with regard to the latest variety of Mac OS X security holes to gain wide attention (see Geoff Duncan’s "Significant Safari Exploit Discovered," elsewhere in this issue, for more details). The mass media, not unexpectedly, have eliminated from their "reporting" all historical perspective and technical details in favor of block-busting headlines whose actual semantic content ("Mac OS X has viruses!") is on a par with an inarticulate scream. And then there are the usual fear-mongering press releases from self-interested companies. Let us, however, ignore the hype and consider the facts.
Open Sesame — Those facts mostly involve how documents and applications are associated in Mac OS X. When you look at a document in the Finder, it has an icon supplied by the application that opens it. When you double-click the document, that application is launched and opens the document. How is this association maintained?
Back in the days of Mac OS 9 and before, the answer involved metadata invisibly stored in the file system and looked up through an invisible database. When Mac OS X emerged, though, Apple set out to supersede this architecture with those obnoxious little file extensions that appear, visibly or otherwise, after a period in the name of the file, along with a complicated series of strategies for locating the associated application.
Apple thus suppressed an elegant method of performing document-application associations, one that worked reliably (barring the occasional need to "rebuild the desktop" when the association broke down) and was invisible to the user, in favor of an ugly and often unpredictable system of incorporating a file’s type into its name merely because that’s how other operating systems do things. Except that they didn’t completely suppress the earlier method; instead, they incorporated it into an uneasy Jekyll-and-Hyde alliance. For one thing, a file left over from the pre-Mac OS X days might well have no filename extension. So a file might have type/creator metadata, or a filename extension – or both.
But there’s more. Consider the problem of a generic file type, such as .pdf. Both Preview and Adobe Reader can open a .pdf, so which of them should open this particular .pdf file? You, the user, might answer that question on a one-time basis by dragging the file onto the desired application’s icon in the Dock or the Finder. But what if you wanted to assign the file to one application or the other, so that it would always open with that application when double-clicked in the Finder?
For reasons that aren’t entirely clear to me, Mac OS X does not use the type/creator metadata to handle this situation. Instead, Apple instituted a slot in the resource fork – the ‘usro’ resource – where the user’s custom file association is stored. Thus, when you use the Open With pop-up menu in the Finder’s Get Info dialog, you’re actually setting the file’s ‘usro’ resource. It’s possible for a file to end up with all three – a ‘usro’ resource and a metadata creator code and a filename extension.
Exploring the Exploitation — The trouble, it turns out, is that it is possible to misuse these pieces of information to generate a conflict. Such a conflict lies at the heart of the current set of security exploits. When you download and expand the demonstration file created by Heise, what you end up with is a text file containing shell script commands; but the file has a .jpg extension and a bad ‘usro’ resource. The extension determines the document icon (on my machine, it is a JPEG icon that comes from Preview), but the ‘usro’ resource associates the file with a different application, namely the Terminal. You can tell that in fact this is a Terminal document by examining the file’s Get Info dialog in the Finder.
The fact that this inconsistency is possible is probably a bug in the system. Theoretically, the system ought to be able to detect that the ‘usro’ resource is invalid. When I test the user creator-assignment mechanism, I observe that the file, along with a ‘usro’ resource, gets an ‘icns’ resource which is labelled "Binding Override" and presumably is intended to be the document icon from the newly assigned creator. For example, GraphicConverter’s JPEG icon is different from Preview’s JPEG icon. But Terminal has no JPEG icon, because it doesn’t open JPEG files; and besides, the exploit needs Terminal to treat the file as text, not as JPEG. So the Heise file has no ‘icns’ resource, and this should alert the system that something’s wrong.
Stuff and Nonsense — The fact that the exploit involves a .zip file, which is expanded on your computer in order to generate the invalid document, is irrelevant. True, the document is expanded by either StuffIt Expander or Apple’s own application, BOMArchiveHelper; but these applications play no important part in the story, as they are merely reproducing, correctly, the bad file that was handed to them in the first place. It is also true that the .zip file, internally, is in a special format; but the same thing would apply to any file with a resource fork.
The role of Safari in the story should also not be stressed unduly. It is true that if Safari’s "Open ‘safe’ files after downloading" preference is turned on (which, for many reasons, it should not be), Safari will effectively open the downloaded file twice – once to unzip it, and once to open what it wrongly thinks is a nice safe .jpg file. But this is no different, really, from what you would do with the file in the Finder by double-clicking the .zip file and then the .jpg file.
It has also been observed that Apple’s Mail suffers from the same behavior as the Finder – that is, when this file is sent to you as an email attachment, Mail shows you a JPEG icon (as well as the .jpg extension), but opens the file in the Terminal if you double-click it. However, I’m fairly sure that this is the same behavior as the Finder’s, merely being displayed in another context.
Finally, there has been some misleading talk with regard to the fact that the file in question is an executable – it is a shell script, and its executable permissions are set so that when it is opened by the Terminal the script runs. That there is such a thing as a double-clickable executable shell script is nothing new; any text file with a .command extension and executable permissions will run in the Terminal when double-clicked, and this has always been true. (You might reasonably argue that it shouldn’t be true, and you might also not have been aware of the fact that it is true; that’s a different issue, which I’ll come back to in a moment.) And the fact that an executable can be communicated as a compressed file is nothing new either; were this not so, it would be impossible to send someone else a compressed application. Some reports have stressed the fact that the file has no "shebang" line, but that is a red herring; the exploit works equally well whether or not the shebang line is present.
Conclusions — My conclusion has two parts, and they both amount to an assertion that computer files, as Iago says of men, "should be what they seem, or being not, would that they might seem none."
In the first place, Mac OS X has never fully rationalized its complex scheme of document-application association, and now we see that there is in fact a bug in that scheme. Apple needs to get this straightened out, on the double, so that a file always looks like what it is.
Secondly, an executable, of whatever sort – from a Cocoa application bundle to a lowly executable shell script – is a very special kind of file, and it needs to be marked as such. Data that you read and code that you run are both files, but they are crucially different kinds of file; so executables should look and behave specially. Any file which, if merely opened, will itself run as code, should be "badged" in some prominent and suggestive manner. It might also help if the first opening of every executable were preceded by an alert. Apple did institute something like this after the URL scheme debacle, but they didn’t go far enough – an alert appears the first time you launch an application by double-clicking one of its documents, but not the first time you open the executable itself – whereas the entire problem, as we now see, is that you might not even know that this is an executable. This, when Apple fixes things so that executables can’t be disguised as JPEGs, will make the world a safer place.