Rick Bargerhuff, the author of MisMatch - a Folder Action written to help secure people from the MP3 Concept vulnerability - has discovered another potentially significant flaw in Mac OS X's Finder which allows users to make any malicious application's name appear as a legit file name.
To demonstrate the problem, Bargerhuff created an example file that is an AppleScript application that appears to be a non-application. It contains non-malicious code which can be viewed via Script Editor.
- http://forums.ort.org.il/files/307/1970653/8208371.zip ['iTunesUpdater421.pkg'],
As you can see, the file appears to have a normal files name, but close inspection yields that the "." contained in the file names are not a standard "." used for extensions. These "." have a noticeable space to the left of the "." character.
Using the Terminal.app, observing the files show that the "." is in fact a special character and not a standard "."
- rwxr-xr-x 1 cougar staff 13780 Apr 8 18:53 iTunesUpdater421???pkg.app
- [canines:/Volumes/Storage/Internet_Downloads] cougar% GetFileInfo iTunesUpdater421342200244pkg.app
- file: "iTunesUpdater421pkg.app"
- type: "APPL"
- creator: "aplt"
- attributes: avbstClinmEd
- created: 04/08/2004 18:53:54
- modified: 04/08/2004 18:53:54
In normal use, the special character will appear to be a legitimate period, and many users will double click the file in question.
As pointed out in a Network Associates Security HQ article, any file that is disguised as legitimate has the potential to be malicious, so this new discovery does not introduce a new vulnerability, simply a new facet to the old issue: "However, dual personality of a file has little relevance to the malicious function. If a user is convinced to double click on an icon representing a file the program will run regardless of being a simple disguised application or dual-format file. Thus, the discovery of dual-format files does not really introduce any new penetration or propagation vector. It can only obfuscate a little the function of the disguised program, which will appear as a valid sound file and it can be played from iTunes."
Bargerhuff notes that potentially malicious files containing this special character will escape the eye of MisMatch, which has now been pulled.