Author Topic: Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)  (Read 2792 times)

Offline pendragon

  • TS Addict
  • *****
  • Posts: 7178
    • View Profile
    • http://www.pendragonservices.com
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« on: June 06, 2003, 07:50:26 AM »
For many, the Permissions/Access to our Desktop folder is set (the default) to No Access. Thus, what we have in our Desktop folder is private and secure from other users.

But, if one were to DL a .sit and Stuffit Expander 7.0.3 were to expand it, the Permissions/Access would be changed from No Access to Read Only, thus allowing other users to read the contents your Desktop Folder.

Repairing Permissions does not fix the problem.

I am uncertain if this bug applies to all models and configurations, but it may be worth checking, especially if you are on a network or have other users, and you care about having a secure Desktop folder. Otherwise, fugedaboutit.

What version must one revert to preclude this condition? I dunno.

Aladdin is aware of this problem, but the fix is still TBD.

Harv
« Last Edit: June 06, 2003, 08:22:29 AM by pendragon »
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline Mrious_be

  • TS Addict
  • *****
  • Posts: 3156
    • View Profile
    • http://www.marceldaems.com
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #1 on: June 06, 2003, 10:22:47 AM »
QUOTE(pendragon @ Jun 6 2003, 2:50 PM)
But, if one were to DL a .sit and Stuffit Expander 7.0.3 were to expand it, the Permissions/Access would be changed from No Access to Read Only, thus allowing other users to read the contents your Desktop Folder.

 I have no idea what this means, hahahaha biggrin.gif
Well, ok, i do understand what you mean but i just can't get the reason how Stuffit can have a security leak, and how unstuffing can cause the Desktop to be "seen" by others (in same network).
The thing is (and i guess this is seen to simplistic by my little soul here wink.gif), but... in order to unstuff (-zip, -tar, -whatever) a file to your desktop, your (downladed) archive should be on that desktop already? Not?
Orrrrr... before downloading, you can choose where to download file to but than... since others Desktops are secure, you shouldn't be able to download to others?

Hmmm, i'm probably dead wrong in how i look at it... just got me thinking here (once that happens, i better let it happen) wink.gif

biggrin.gif
[img]http://dwdf.daisypath.com/a4ipp1.png\" border=\"0\" class=\"linked-sig-image\" /]

Offline kps

  • TS Addict
  • *****
  • Posts: 1693
    • View Profile
    • http://
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #2 on: June 06, 2003, 11:04:54 AM »
I would think this is only an issue if your downloads go to your Desktop folder (something Marcel touched upon) and get expanded at that location.

But as the owner of that Desktop folder, you must have the ability to change the permissions...either through the Get Info panel or through the CLI. From what you describe, it only changes the Group and Other permissions.

Confirm permissions:

ls -al
drwx------   4 user_name  staff   136 May 20 10:07 Desktop

If owner is not user
chown user_name /Users/user_name/Desktop

If directory not drwx------
chmod 700 /Users/user_name/Desktop

Offline pendragon

  • TS Addict
  • *****
  • Posts: 7178
    • View Profile
    • http://www.pendragonservices.com
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #3 on: June 06, 2003, 01:17:58 PM »
As a test, I created a new folder on my HD (not Applications) and ensured the permissions were set to No Access. I then changed Safari's preferences so that all DLs would go to that folder. I then Dl'd a .sit file to that folder. After Stuffit Expander got done doing its thang, the Permissions reverted to Read Only. It seems to me that the problem persists regardless if the .sit is on the desktop or in a separate folder. wacko.gif

No doubt, soon we shall learn that Aladdin is really a subsidiary of M$ tongue.gif

Harv
« Last Edit: June 06, 2003, 01:23:11 PM by pendragon »
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline kps

  • TS Addict
  • *****
  • Posts: 1693
    • View Profile
    • http://
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #4 on: June 06, 2003, 04:30:07 PM »
I really find it troubling when third party apps start messing with OS X permissions. I can't think of one reason why Expander would need to change 'group' and 'other' permissions. Prior versions didn't do it, no reason 7.0.3 should.

As I said in my previous post, the issue of security is only compromised if you expand to the desktop and you store sensitive files on the desktop AND those files are accessible by "all". If you do not store anything on your Desktop, than nothing has been compromised. I don't think it's that big a deal if someone sees the content of the 'download' folder.

Now, having said that, I do not think flagrant violations like these should be tolerated.

Offline pendragon

  • TS Addict
  • *****
  • Posts: 7178
    • View Profile
    • http://www.pendragonservices.com
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #5 on: June 06, 2003, 05:25:19 PM »
A couple of final thoughts?

I am the only user of my system. So while this condition is of no consequence to me, there are others out there that are affected by this and who have private data on their desktops, but are blithely going about their business in the mistaken belief that they are secure.

I recommended to Aladdin that they publish a public Alert and an email to their registered users.

Any bets as to what Aladdin actually does?


Harv
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline RobW

  • TS Addict
  • *****
  • Posts: 1865
    • View Profile
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #6 on: June 06, 2003, 08:26:14 PM »
QUOTE(pendragon @ Jun 6 2003, 6:25 PM)
A couple of final thoughts?

I am the only user of my system. So while this condition is of no consequence to me, there are others out there that are affected by this and who have private data on their desktops, but are blithely going about their business in the mistaken belief that they are secure.

I recommended to Aladdin that they publish a public Alert and an email to their registered users.

Any bets as to what Aladdin actually does?


Harv

 Well, they'll do two things. First, they'll run to their dictionary to look up "blithely". Then, if they're like everyone else, they'll BIOB!  laugh.gif  tongue.gif
-Rob
A couple of IMacs, an iPad, a bunch of iPhones...two of which don’t live here, but I still pay for. Oh yeah, wife, daughters, and yes—a grandson!

Offline Bill

  • TS Addict
  • *****
  • Posts: 4615
    • View Profile
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #7 on: June 06, 2003, 11:02:09 PM »
My desktop is set to Read & Write for the owner.
Group: No Access and Other: No Access

My "D/L" folder on my desktop is set Read & Write for Owner.
Group: Read only and Others: Read only

When I downloaded a (sit) with expander 6.5.1. [which goes to the "D/L folder"] it read the same as the "D/L folder".
Took it out of the "D/L" to the desktop and read the same.


Should I be concerned .... blame it on you know who .... change it.?.

I leave nothing on my desktop. Differently nothing thats even close to the security zone!
Those files I have stashed away where only the admin (me) can get to plus compressed and pass protected. You know, important info like DBs real birthdate.  <gr>
Two cans and a string powered by a big mouth

Offline pendragon

  • TS Addict
  • *****
  • Posts: 7178
    • View Profile
    • http://www.pendragonservices.com
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #8 on: June 07, 2003, 07:17:44 AM »
Bill, It's my understanding that this Aladdin condition (bug) only occurs with Expander v7.x, so you are, as always, in good shape. tongue.gif

Of course, blaming anything/everything of B remains the standard. Devilish2.gif

Harv
« Last Edit: June 07, 2003, 07:18:26 AM by pendragon »
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline Bill

  • TS Addict
  • *****
  • Posts: 4615
    • View Profile
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #9 on: June 07, 2003, 03:45:07 PM »
Kind of figured as much Harv.
I've nothing on the DT worth worrying about anyhoo. smile.gif


btw. I take it you've your pm turned off.
Two cans and a string powered by a big mouth

Offline Al

  • TS Addict
  • Posts: 3105
    • View Profile
    • http://
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #10 on: June 08, 2003, 03:56:14 AM »
Interesting security flaw.

I noticed that I do occasionally drop things on my desktop and expand them there, but with Expander 7.0.1.  When I went to check permissions for my desktop, it was still locked down tight and not accessible.

So, I am figuring this is actually a flaw with either 7.0.2 and on or just with 7.0.3 of Expander.

Owner: Read and Write
group and others: No Access

Also, ownership and permissions are locked.

Two Macs and both say the same thing.  I have a third Mac, but haven't checked it yet.
27" 2.8 GHz Intel I7 iMac, 8 GB RAM, 2 TB HD, 2x 2TB OWC Mercury Elite-AL Pro external HD, EyeTV 250 Plus, 23" Acer HD monitor, OS 10.6.7
13" 2.26 GHz Intel Core 2 Duo MacBook, 4 GB RAM, 500 GB 7200 RPM HD, OS 10.6.7
13" 2.26 GHz Intel Core 2 Duo MacBook, 4 GB RAM, 250 GB HD, OS 10.6.7
(2) 5th Gen. iPods (30GB & 80GB), iPhone 4 (x2) 16 GB iOS 4.3.3, iPhone 3GS 16 GB

Offline pendragon

  • TS Addict
  • *****
  • Posts: 7178
    • View Profile
    • http://www.pendragonservices.com
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #11 on: June 08, 2003, 06:49:04 AM »
Thanks for clearing that up Al. it's good to know that this problem is with 7.0.3 only not 7.x. At least those with 7.03 and who also have concerns, can reinstall an earlier version and sleep tight at nght sleep1.gif

H
Those who can make you believe absurdities can make you commit atrocities. ~ Voltaire

Offline Dreambird

  • TS Addict
  • *****
  • Posts: 5191
  • Meet The New Boss
    • View Profile
Security Hole/Bug in Stuffit Expander 7.0.3 (OS X)
« Reply #12 on: June 08, 2003, 05:35:13 PM »
QUOTE
You know, important info like DBs real birthdate.  <gr>


Huh? Why, April 21, 1977 of course!  harhar.gif
******
On permanent walk-about... ;)
MacBook Pro Retina, mid-2012, SSD 500GB, 16GB RAM, High Sierra 10.13.6, iPad Air 2, iOS 11.4.1