Author Topic: Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)  (Read 2791 times)

Offline pendragon

« on: June 06, 2003, 07:50:26 AM »
For many, the Permissions/Access to our Desktop folder is set (the default) to No Access. Thus, what we have in our Desktop folder is private and secure from other users.

But, if one were to DL a .sit and Stuffit Expander 7.0.3 were to expand it, the Permissions/Access would be changed from No Access to Read Only, thus allowing other users to read the contents of your Desktop Folder.

Repairing Permissions does not fix the problem.

I am uncertain if this bug applies to all models and configurations, but it may be worth checking, especially if you are on a network or have other users, and you care about having a secure Desktop folder. Otherwise, fugedaboutit.

What version must one revert to preclude this condition? I dunno.

Aladdin is aware of this problem, but the fix is still TBD.

Harv
« Last Edit: June 06, 2003, 08:22:29 AM by pendragon »
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline Mrious_be

« Reply #1 on: June 06, 2003, 10:22:47 AM »
QUOTE(pendragon @ Jun 6 2003, 2:50 PM)
But, if one were to DL a .sit and Stuffit Expander 7.0.3 were to expand it, the Permissions/Access would be changed from No Access to Read Only, thus allowing other users to read the contents of your Desktop Folder.

 I have no idea what this means, hahahaha
Well, OK, I do understand what you mean but I just can't get the reason how Stuffit can have a security leak, and how unstuffing can cause the Desktop to be "seen" by others (in same network).
The thing is (and I guess this is seen too simplistic by my little soul here), but... in order to unstuff (-zip, -tar, -whatever) a file to your desktop, your (downloaded) archive should be on that desktop already? Not?
Orrrrr... before downloading, you can choose where to download file to but then... since others' Desktops are secure, you shouldn't be able to download to others?

Hmmm, I'm probably dead wrong in how I look at it... just got me thinking here (once that happens, I better let it happen)

Offline kps

« Reply #2 on: June 06, 2003, 11:04:54 AM »
I would think this is only an issue if your downloads go to your Desktop folder (something Marcel touched upon) and get expanded at that location.

But as the owner of that Desktop folder, you must have the ability to change the permissions...either through the Get Info panel or through the CLI. From what you describe, it only changes the Group and Other permissions.

Confirm permissions:

ls -al
drwx------   4 user_name  staff   136 May 20 10:07 Desktop

If owner is not user:
sudo chown user_name /Users/user_name/Desktop

If directory is not drwx------:
chmod 700 /Users/user_name/Desktop

Offline pendragon

« Reply #3 on: June 06, 2003, 01:17:58 PM »
As a test, I created a new folder on my HD (not Applications) and ensured the permissions were set to No Access. I then changed Safari's preferences so that all DLs would go to that folder. I then DL'd a .sit file to that folder. After Stuffit Expander got done doing its thang, the Permissions reverted to Read Only. It seems to me that the problem persists regardless if the .sit is on the desktop or in a separate folder.

No doubt, soon we shall learn that Aladdin is really a subsidiary of M$

Harv
« Last Edit: June 06, 2003, 01:23:11 PM by pendragon »
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire
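
Added example (not part of any post in this thread): a shell script that repeats the before/after permission check from the test above and applies the chmod 700 fix from Reply #2 when the mode has been loosened. The function names and the temporary demo directory are constructed, and chmod 755 stands in for the expander's side effect.

```shell
#!/bin/sh
# Added example; function names and the demo directory are constructed.

# Print the 10-character mode string (e.g. drwx------) for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the directory gives group and other no access at all.
is_private() {
    case "$(mode_of "$1")" in
        d???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a command and report whether it changed the directory's mode.
# Usage: watch_dir DIR COMMAND [ARGS...]
watch_dir() {
    dir=$1; shift
    before=$(mode_of "$dir")
    "$@"
    after=$(mode_of "$dir")
    if [ "$before" != "$after" ]; then
        echo "CHANGED $dir: $before -> $after"
        return 1
    fi
    echo "OK $dir: $after"
}

# Restore owner-only access (the chmod 700 fix), then confirm it took.
lock_down() {
    chmod 700 "$1" && is_private "$1"
}

# Demo: chmod 755 stands in for the expander's side effect.
demo_dir=$(mktemp -d)
chmod 700 "$demo_dir"
watch_dir "$demo_dir" chmod 755 "$demo_dir" || lock_down "$demo_dir"
echo "final mode: $(mode_of "$demo_dir")"
rm -rf "$demo_dir"
```

To check a real folder, wrap the step you suspect, for example watch_dir "$HOME/Desktop" followed by the command that expands the archive.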

Offline kps

« Reply #4 on: June 06, 2003, 04:30:07 PM »
I really find it troubling when third party apps start messing with OS X permissions. I can't think of one reason why Expander would need to change 'group' and 'other' permissions. Prior versions didn't do it, no reason 7.0.3 should.

As I said in my previous post, the issue of security is only compromised if you expand to the desktop and you store sensitive files on the desktop AND those files are accessible by "all". If you do not store anything on your Desktop, then nothing has been compromised. I don't think it's that big a deal if someone sees the content of the 'download' folder.

Now, having said that, I do not think flagrant violations like these should be tolerated.

Offline pendragon

« Reply #5 on: June 06, 2003, 05:25:19 PM »
A couple of final thoughts?

I am the only user of my system. So while this condition is of no consequence to me, there are others out there that are affected by this and who have private data on their desktops, but are blithely going about their business in the mistaken belief that they are secure.

I recommended to Aladdin that they publish a public Alert and an email to their registered users.

Any bets as to what Aladdin actually does?


Harv
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline RobW

« Reply #6 on: June 06, 2003, 08:26:14 PM »
QUOTE(pendragon @ Jun 6 2003, 6:25 PM)
A couple of final thoughts?

I am the only user of my system. So while this condition is of no consequence to me, there are others out there that are affected by this and who have private data on their desktops, but are blithely going about their business in the mistaken belief that they are secure.

I recommended to Aladdin that they publish a public Alert and an email to their registered users.

Any bets as to what Aladdin actually does?


Harv

 Well, they'll do two things. First, they'll run to their dictionary to look up "blithely". Then, if they're like everyone else, they'll BIOB!
-Rob
A couple of IMacs, an iPad, a bunch of iPhones...two of which don’t live here, but I still pay for. Oh yeah, wife, daughters, and yes—a grandson!

Offline Bill

« Reply #7 on: June 06, 2003, 11:02:09 PM »
My desktop is set to Read & Write for the owner.
Group: No Access and Other: No Access

My "D/L" folder on my desktop is set Read & Write for Owner.
Group: Read only and Others: Read only

When I downloaded a (sit) with expander 6.5.1. [which goes to the "D/L folder"] it read the same as the "D/L folder".
Took it out of the "D/L" to the desktop and read the same.


Should I be concerned .... blame it on you know who .... change it.?.

I leave nothing on my desktop. Definitely nothing that's even close to the security zone!
Those files I have stashed away where only the admin (me) can get to plus compressed and pass protected. You know, important info like DB's real birthdate.  <gr>
Two cans and a string powered by a big mouth

Offline pendragon

« Reply #8 on: June 07, 2003, 07:17:44 AM »
Bill, it's my understanding that this Aladdin condition (bug) only occurs with Expander v7.x, so you are, as always, in good shape.

Of course, blaming anything/everything on B remains the standard.

Harv
« Last Edit: June 07, 2003, 07:18:26 AM by pendragon »
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline Bill

« Reply #9 on: June 07, 2003, 03:45:07 PM »
Kind of figured as much Harv.
I've nothing on the DT worth worrying about anyhoo.


btw. I take it you've your pm turned off.
Two cans and a string powered by a big mouth

Offline Al

« Reply #10 on: June 08, 2003, 03:56:14 AM »
Interesting security flaw.

I noticed that I do occasionally drop things on my desktop and expand them there, but with Expander 7.0.1.  When I went to check permissions for my desktop, it was still locked down tight and not accessible.

So, I am figuring this is actually a flaw with either 7.0.2 and on or just with 7.0.3 of Expander.

Owner: Read and Write
group and others: No Access

Also, ownership and permissions are locked.

Two Macs and both say the same thing.  I have a third Mac, but haven't checked it yet.
27" 2.8 GHz Intel I7 iMac, 8 GB RAM, 2 TB HD, 2x 2TB OWC Mercury Elite-AL Pro external HD, EyeTV 250 Plus, 23" Acer HD monitor, OS 10.6.7
13" 2.26 GHz Intel Core 2 Duo MacBook, 4 GB RAM, 500 GB 7200 RPM HD, OS 10.6.7
13" 2.26 GHz Intel Core 2 Duo MacBook, 4 GB RAM, 250 GB HD, OS 10.6.7
(2) 5th Gen. iPods (30GB & 80GB), iPhone 4 (x2) 16 GB iOS 4.3.3, iPhone 3GS 16 GB

Offline pendragon

« Reply #11 on: June 08, 2003, 06:49:04 AM »
Thanks for clearing that up, Al. It's good to know that this problem is with 7.0.3 only, not 7.x. At least those with 7.0.3 and who also have concerns can reinstall an earlier version and sleep tight at night.

H
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline Dreambird

« Reply #12 on: June 08, 2003, 05:35:13 PM »
QUOTE
You know, important info like DBs real birthdate.  <gr>


Huh? Why, April 21, 1977 of course!
******
On permanent walk-about... ;)
MacBook Pro Retina, mid-2012, SSD 500GB, 16GB RAM, High Sierra 10.13.6, iPad Air 2, iOS 11.4.1