Open atomotic opened 8 years ago
Does anybody have a link to a proof of concept for this as an attack vector?
And isn't Show icon preview enabled on a per-folder basis? How can it be turned off globally?
Here is the command:
https://github.com/SummitRoute/osxlockdown/blob/master/commands.yaml
Without using terminal, a quick solution: Disable Preview and set as default, repeat for each type of display mode
Then use the "Find Any File" app: enter ".DS_Store", press Option and click Search to also find results in special folders, enter your password, delete all the results, and empty the trash.
@quinncomendant This command currently does not work correctly. The threat I'm worried about is if you view a folder, more code is executing than I would like by the OS. Conceptually this is similar to Autoruns or the Stuxnet .LNK vuln for Windows, except in this case you would need to find a vuln in the image previews. That's my concern.
@TraderStf, thanks for the how-to. That's one way to do it. ;P
@0xdabbad00, Yeah, that's how I understand the potential attack, but I've never seen a POC or other demonstration. Have you?
@quinncomendant No. I made osxlockdown to soothe my nightmares, not my actual realities. :)
https://github.com/SummitRoute/osxlockdown/blob/master/commands.json#L176
the file to check should be perhaps ~/Library/Preferences/com.apple.finder.plist ?