M-013: Mac OS X Downloading Applications Vulnerability

[***** Start Microsoft Security Bulletin MS01-053 *****]


Downloaded Applications Can Execute on Mac IE 5.1 for OS X.
Originally posted: October 23, 2001

Summary
Who should read this bulletin: All users of Microsoft® Internet Explorer 5.1 for 

Macintosh® 

Impact of vulnerability: Run code of attacker's choice 

Maximum risk rating: Moderate 

Recommendation: Customers should use the Mac OS X v10.1 Software Update utility to 

install the "Internet Explorer Security Update" 

Affected Software: 

Microsoft Internet Explorer 5.1 for the Macintosh 


Technical details

Technical description: 



The Macintosh OS X Operating System provides built-in support for both BinHex and 

MacBinary file types. These file types allow for the efficient transfer of 

information across networks by allowing information to be compressed by the sender 

and then decompressed by the recipient. This capability is particularly useful on 

the Internet, by allowing users to dowload compressed files. 

A vulnerability results because of a flaw in the way Mac OS X and Mac IE 5.1 

interoperate when BinHex and MacBinary file types are downloaded. As a result, an 

application that is downloaded in either of these formats can execute 

automatically once the download is complete. 

A user would first have to choose to download a file and allow the download to 

fully complete before the application could execute. Also, users can choose to 

disable the automatic decoding of both these file types. 

Mitigating factors: 

The user would have to choose to downoad the application before any attempt could 

be made to exploit the vulnerablity. It cannot be exploited without user 

interaction. 

The application would have to successfully download before any attempt could be 

made to exploit the vulnerability. The user can cancel the download at anytime 

prior to completion. 

The vulnerability could not be exploited if automatic decoding of BinHex and 

MacBinary files has been disabled. This is not a default setting however. 
Risk Rating:  Internet Systems Intranet Systems Client Systems 
Mac OS X  None None Moderate 


The above assessment is based on the types of systems affected by the 

vulnerability, their typical deployment patterns, and the effect that exploiting 

the vulnerability would have on them. 

Vulnerability identifier: CAN-2001-0720 

Tested Versions:
Microsoft tested Internet Explorer for the Macintosh version 5.1, version 5.1.2 to 

assess whether they are affected by this vulnerability. Previous versions of 

Internet Explorer for Mac OS X are no longer supported and may or may not be 

affected by this vulnerability.


Frequently asked questions 

What’s the scope of the vulnerability?

This vulnerability could allow an application to execute unexpectedly. If an 

attacker enticed the victim to download a malicious program compressed as a BinHex 

or MacBinary file type, the program could execute after the download completed. 

For this attack to succeed, the user would have to initiate the download process. 

This vulnerability cannot be used to automatically download and excute malicious 

code on the users system.

What causes the vulnerability?

The vulnerability results because an issue with how IE and the Mac OS interoperate 

when handling downloaded MacBinary and BinHex files.

What are BinHex and MacBinary files?

BinHex is a utility that encodes Macintosh files so that they can travel well on 

networks. BinHex encodes a file from its 8-bit binary or bit-stream representation 

into a 7-bit ASCII set of text characters. The recipient decodes it at the other 

end. 

MacBinary is a format for binary transfer of Macintosh documents over a 

telecommunication link. It is intended for use between Macintoshes and in 

uploading Macintosh documents to remote systems. 

How could an attacker exploit this vulnerability? 

An attacker would need to host an executable file on a web site, packaged as 

either a BinHex or MacBinary file, and then entice another user to visit the site 

and initiate a download. Once the download was complete, the executable file would 

automatically execute.

What does the patch do?

This patch updates Internet Explorer 5.1 to version 5.1.3 (build 3905) and 

prevents the Mac OS from automatically launching MacBinary and BinHex files.

Where can I download the patch or how do I update my OS?

Users must use the Software Update feature of Mac OS X v10.1 to install the 

"Internet Explorer 5.1 Security Update." 

More information on Software Update is available at: 

http://www.apple.com/macosx/upgrade/softwareupdates.html.


Patch availability
Download locations for this patch 
Microsoft IE 5.1 for Mac OSX: 
Users must use the Software Update feature of Mac OS X v10.1 to install the 

"Internet Explorer 5.1 Security Update." 
More information on Software Update is available at: 

http://www.apple.com/macosx/upgrade/softwareupdates.html. 


Additional information about this patch

Installation platforms: 
This patch can be installed on systems running Mac OS X v10.1. 
Reboot needed: No 

Superseded patches: None. 

Verifying patch installation: 

To verify that the patch has been installed on the machine, confirm that the 

version number of Internet Explorer is now 5.1.3. 
This can be done by choosing "About Internet Explorer" from the "Explorer" menu 

and confirming the version number is "5.1.3 (3905)" 

Caveats:
None 

Localization:
This patch can be installed on all versions of Internet Explorer 5.1 for Mac OS X 

v10.1. 

Obtaining other security patches: 
Patches for other security issues are available from the following locations: 

Security patches are available from the Microsoft Download Center, and can be most 

easily found by doing a keyword search for "security_patch". 
Patches for consumer platforms are available from the WindowsUpdate web site 
All patches available via WindowsUpdate also are available in a redistributable 

form from the WindowsUpdate Corporate site. 
Other information: 
Support: 

Microsoft Knowledge Base article Q311052 discusses this issue and will be 

available approximately 24 hours after the release of this bulletin. Knowledge 

Base articles can be found on the Microsoft Online Support web site. 
Technical support is available from Microsoft Product Support Services. There is 

no charge for support calls associated with security patches. 
Security Resources: The Microsoft TechNet Security Web Site provides additional 

information about security in Microsoft products. 

Disclaimer: 
The information provided in the Microsoft Knowledge Base is provided "as is" 

without warranty of any kind. Microsoft disclaims all warranties, either express 

or implied, including the warranties of merchantability and fitness for a 

particular purpose. In no event shall Microsoft Corporation or its suppliers be 

liable for any damages whatsoever including direct, indirect, incidental, 

consequential, loss of business profits or special damages, even if Microsoft 

Corporation or its suppliers have been advised of the possibility of such damages. 

Some states do not allow the exclusion or limitation of liability for 

consequential or incidental damages so the foregoing limitation may not apply. 

Revisions: 


V1.0 (October 23, 2001): Bulletin Created. 

[***** End Microsoft Security Bulletin MS01-053 *****]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org