Font Book and a font installation security issue Apps
I just ran across what I consider a security hole in Font Book. When you double-click a font in the OS X Finder (one that has not yet been installed), Font Book launches and shows a sample of the selected font. The sample window also includes a button which allows the user to install the font. The Font Book default for installing a new font is to install it system-wide in the top-level Library -> Fonts folder (as opposed to your user's Library -> Fonts folder). Furthermore, no admin password is required of a non-admin user to install a new font. This opens up the door for users to easily install corrupt fonts (or replace system fonts with a corrupt file) that could wreak havoc on the OS for all users.

To change the default behavior, simply go to the preferences in Font Book and select the option that says install new fonts "for me only." Unfortunately, the current user can easily change this option prior to installing a font. IMO, Apple should make this option changeable only by an admin user.

[robg adds: On three machines I looked at, two of which had never run Font Book before, the install option was already set to "for me only." So the hint in this hint may not be necessary on your machine. The more interesting question to me is how big of a security hole is this? What can be hidden in a font file? Other than making life difficult by installing a corrupted font, are worse things possible? And since the 'attacker' will already have physical access and a login account, it seems there are much worse things that he/she could do in this case. Thoughts?]
Font Book and a font installation security issue
Authored by: fds on Nov 03, '04 09:53:44AM

Only members of the admin group may install new fonts system-wide, due to the access rights of the /Library/Fonts folder. This doesn't really have anything to do with the Font Book application, which will dutifully ask for the password if it is necessary.

Font Book's default on all my systems was "for me only."

Font Book and a font installation security issue
Authored by: ollylegg on Nov 03, '04 12:07:26PM

It might cause a few problems if the system font were replaced??

Font Book and a font installation security issue
Authored by: graf on Nov 03, '04 12:08:40PM

The XBox was hacked using a font. How big a problem this is depends on how vulnerable OS X's font handling was to buffer overflows.

Font Book and a font installation security issue
Authored by: Hyo on Nov 03, '04 12:47:27PM

Well, robg, something very similar happened to me a few months ago. I installed several font files on my iBook (Running Mac OS X 10.3.3 at the time, now 10.3.5). Something VERY weird happened when I did that: Apple / OS X native applications (namely, Safari, Sherlock, iChat and the FontBook itself) just stopped working on my computer. They would seem to start up, but crashed for no apparent reason. After that, I did some research, and I found out that it was a corrupt font file. Needless to say, I couldn't make out which file it was, so I kinda made a backup of my files and re-installed Panther. Then I carefully checked the fonts as I installed them, to ensure that no corrupt file got in the way. And that solved my problem.
So there you have it. It was a corrupt font file after all.

Hope that helps anyone. ^^

---
I'm definitely not going to lose!

Font Book and a font installation security issue
Authored by: ClassicUser on Nov 03, '04 04:47:14PM

This "hint" is incorrect: The default permissions on the /Library/Fonts folder are set to only allow modifications by administrative users. Although non-admin users might try to install a given font system-wide, they will not be able to; any and all applications which attempt to write to such areas will prompt for admin authentication before being able to perform any such action.

Please don't scare people like this...

Font Book and a font installation security issue
Authored by: dmmorse on Nov 03, '04 05:05:13PM

Who's trying to scare people? I regularly use my computer using a non-administrative account. Needless to say I was VERY surprised to see FontBook install a new font in /library/fonts/ instead of ~/library/fonts without any prior administrative authentication.

Further, I quit FontBook and restarted it several times to see if the quirk was reproducible. It was. And no, I do not have the password for an administrative account stored in keychain or anywhere else that could be automatically accessed by the system.

Font Book and a font installation security issue
Authored by: rhowell on Nov 03, '04 08:18:10PM
Instead of Quitting Font Book and restarting it multiple times, why don't you just Repair Permissions?

You are scaring people! The owner of /Library/Fonts is root, the group is admin, and anyone else can only read the contents of the folder. Check for yourself, after repairing permissions.

Font Book and a font installation security issue
Authored by: dmmorse on Nov 03, '04 09:07:35PM

Have you even tried examining the substance of the hint before jumping to criticism and conclusions? By your comment, it does not sound as if you have.

FYI, I just repaired permissions three days prior (with no repairs being needed) when installing the latest version of QuickTime.

Here is a good test
Authored by: mzs on Nov 04, '04 09:48:27AM
Log in to the non-admin user on the machine
Start Terminal.app
At the Terminal prompt enter the following command:

id

After that, do this command at the prompt:

ls -ld / /Library /Library/Fonts

Then post the output of both of those commands and it will be immediately clear to me (and others too) whether this is a problem with permissions or something else.

Let's stop scaring people if there is no need to :)

Here is a good test
Authored by: dmmorse on Nov 04, '04 12:36:07PM
Here's the information you asked for:

uid=501(username) gid=501(username) groups=501(username), 20(staff)

and

drwxrwxr-x  44 root  admin  1496 31 Oct 09:25 /Library
drwxrwxr-x  40 root  admin  1360  1 Nov 22:52 /Library/Fonts

Note: for my own protection, I replaced my actual username with "username". Nothing in the above indicates that a non-administrative account should be able to write to /library/fonts/. However, if the gurus out there tell me the problem is on my end, please let me know so I can 1) fix it and 2) ask Rob to remove the hint.

As a follow up to my original hint, I admit I did jump the gun as far as the default installation is concerned. I deleted the fontbook.plist file and started up FontBook again. The default installation was install "for me only", but any user can select the option "for all users" and install a font in /library/fonts/.

Thanks
Authored by: mzs on Nov 04, '04 01:49:41PM

That output indicates that nothing was amiss about the permissions. So that simple hypothesis of why a non-admin user was able to add system fonts seems debunked.

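
The test mzs proposed and the output dmmorse posted amount to applying the Unix owner/group/other rule by hand. The following POSIX sh function, an added example that is not part of either post, does that mechanically: given an `ls -ld` line and an `id` line it picks the permission triplet that applies to that account and reports whether the account can create or replace files in the directory. The function and variable names are this example's own, and the sample lines it is tested against are constructed to match the shape of the output in the thread.

```sh
#!/bin/sh
# Added example, not from the original thread. perm_check applies the Unix
# owner/group/other rule to the two lines mzs asked for ("id" and "ls -ld DIR")
# and says whether that account can create files in DIR. The function and
# variable names are this example's own; the sample lines used with it are
# constructed to match the shape of the output dmmorse posted.

# perm_check <ls -ld line> <id line>   -> prints "yes" or "no"
perm_check() {
    ls_line=$1
    id_line=$2

    # ls -ld fields: mode links owner group size date... name
    set -- $ls_line
    mode=$1; owner=$3; group=$4

    # User name from "uid=501(username) ...", group names from "groups=..."
    me=$(printf '%s\n' "$id_line" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p')
    my_groups=$(printf '%s\n' "$id_line" \
        | sed 's/.*groups=//; s/[0-9]*(\([^)]*\))/\1/g; s/,/ /g')

    # root bypasses the mode bits entirely
    if [ "$me" = root ]; then
        echo yes; return 0
    fi

    # Pick the triplet that applies: owner, then group, then other
    if [ "$me" = "$owner" ]; then
        bits=$(printf '%s\n' "$mode" | cut -c2-4)
    else
        in_group=no
        for g in $my_groups; do
            if [ "$g" = "$group" ]; then in_group=yes; fi
        done
        if [ "$in_group" = yes ]; then
            bits=$(printf '%s\n' "$mode" | cut -c5-7)
        else
            bits=$(printf '%s\n' "$mode" | cut -c8-10)
        fi
    fi

    # Creating or replacing a file in a directory needs both w and x on it
    case $bits in
        ?w[xst]) echo yes ;;
        *)       echo no ;;
    esac
}

# Live run of the same check, only where the directory exists (it does not
# on non-Mac systems). /Library/Fonts is the directory discussed in the thread.
if [ -d /Library/Fonts ]; then
    echo "$(id -un) can write to /Library/Fonts: $(perm_check "$(ls -ld /Library/Fonts)" "$(id)")"
fi
```

Run on dmmorse's posted lines this prints `no`, which is the point mzs makes in his follow-up: the mode bits alone do not explain a successful system-wide install, so whatever wrote the file was not running with that account's ordinary credentials.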
Font Book and a font installation security issue
Authored by: mahakali on Nov 04, '04 01:48:20AM

By default, FB will install new fonts inside your home folder (~/Library/Fonts) regardless of your admin status. You can change the installation location from FontBook's preferences panel.

Font Book and a font installation security issue
Authored by: Mendenhall on Nov 04, '04 04:40:07PM

I am replying at the top level to this comment, even though my reply is partially in response to various replies in other threads.

I have observed an odd phenomenon under 10.3 which may explain why you were able to install fonts in an admin-only access folder without authenticating. I have observed an apparent bug in the authorization which results in the Finder launching applications _as privileged apps_ after you have used the Finder to carry out some privileged operation itself. It has happened so rarely that I do not know what sequence of events leads to it.

A typical scenario is as follows:
I am logged in as a non-admin user. I have, however, been doing some admin actions with the Finder, requiring me to authenticate as the admin user. I then run (for example) an installer, which _successfully_ copies an application into /Applications (for example) or /System/Library _without the installer asking me to authenticate_. When I look at the installed/copied data/program, it has not only been installed into a folder that I currently should not have permissions for, it is installed with the owner set to my admin user (not my logged in user)!

Apparently, sometimes authenticating the Finder as an admin user (when the currently logged in user isn't admin) is dangerously sticky. I was able to launch almost any application from the Finder, once this mode got set, and use it to save in a privileged area. Once I logged out and back in, the capability disappeared, and these programs were no longer able to do this.

The comment in one thread about checking your current id is one of the things I did from a terminal window. It was perfectly normal. However, (as I pointed out above), I had the temporary ability to launch GUI apps and write data to admin-owned folders, and the data was being written with ownership of my administrator, so clearly the Finder was launching apps with the sticky authentication. I did not think, at the time, to do 'ps axj' on the apps to see the uid they were using, but I strongly suspect I would have seen they were launched as the admin 501, rather than as my user (502).

This is really a warning against taking advantage of the fact that the Finder will let a non-admin user enter an admin name and password to do admin things. Apparently, once you have done this there is some chance it will remain sticky for your current login session. Since I often remain logged in for many days or weeks (I just fast-switch to a locked screen when I quit), I could easily be carrying around permissions I no longer want for a long time.

If you want to administer, the safest thing is to really log in as admin, and log out when done. I suspect that the author of this main thread saw the same issue I am describing: at some time in the past, the logged in session had been authenticated for some administrator action, and it was stuck in that mode.

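
Mendenhall notes that `id` in a Terminal looked normal while GUI apps launched from the Finder were evidently writing as the admin user, and that a `ps` check on those apps would have settled it. The following POSIX sh snippet is an added example, not part of his comment: it lists every process whose uid is neither the logged-in user's nor root's, which is exactly what a Finder-launched app stuck with another account's credentials would look like. It uses `ps -eo uid,pid,comm` rather than the `ps axj` he mentions so the columns are fixed; the function name and the sample `ps` output it is tested against are this example's own.

```sh
#!/bin/sh
# Added example, not from the original thread. Mendenhall's check, done after
# the fact: list the processes whose uid is not the logged-in user's uid
# (root-owned daemons are skipped). Function name and the constructed sample
# used in testing are this example's own; the live run uses `ps -eo uid,pid,comm`,
# which exists on both macOS and Linux ps.

# uid_mismatches <expected_uid>
# Reads "uid pid comm" lines (header allowed) on stdin and prints "pid comm"
# for every process whose uid is neither the expected uid nor 0.
uid_mismatches() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+$/ && $1 != want && $1 != 0 {
            cmd = $3
            for (i = 4; i <= NF; i++) cmd = cmd " " $i   # comm may contain spaces
            print $2, cmd
        }'
}

# Live run, guarded so the script still loads where ps is unavailable.
# On a healthy single-user login session this list should be empty apart
# from other users' processes; an app you launched showing up under a
# different uid is the symptom Mendenhall describes.
if command -v ps >/dev/null 2>&1; then
    echo "Processes not running as uid $(id -u) (and not root):"
    ps -eo uid,pid,comm | uid_mismatches "$(id -u)"
fi
```

The defensive takeaway matches his advice: if this ever lists an app you started yourself under an admin uid, log out to drop the stuck authorization rather than trusting the session further.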