Rixstep
 About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Home » Industry Watch » The Technological

THE DAY OF THE TREBUCHETS

'Kindly check the attached LOVELETTER coming from me.'


Buy It

Try It

Chapter 1 - In Which the Victim is Found Hanging in His Study

When I got to work this morning, my MacBook Pro was hung. Unresponsive keyboard/mouse. It wouldn't go to sleep (or wake). I couldn't ping it or slogin from another machine. I was forced to hard reboot it by holding down the power button for several seconds.

Chapter 2 - Looking for Clues at the Scene of the Crime

After rebooting, I launched Console.app to check out the logs. Perhaps they contained useful evidence of the dastardly events leading up to the fatal moment. Indeed, a strange footprint is found. The last evidence that the victim was still alive was:

Apr 15 06:53:31 mobius /Applications/Mail.app/Contents/MacOS/Mail[449]: ATS AutoActivation: Query timed out. (elapsed 5.1 seconds. params: queryString = {com_apple_ats_name_postscript == "Trebuchet" && kMDItemContentTypeTree != com.adobe.postscript-lwfn-font}, valueListAttrs = {{type = immutable, count = 1, values = (\n 0 : {contents = "kMDItemContentType"}\n)}}, sortingAttrs = {{type = immutable, count = 1, values = (\n 0 : {contents = "kMDItemContentModificationDate"}\n)}}, scopeList = {{type = immutable, count = 1, values = (\n 0 : {contents = "kMDQueryScopeComputer"}\n)}}.)

After that cryptic message, the victim was not heard from again.

I was quick to investigate this 'ATS AutoActivation: Query timed out' suspect. Console.app, however, turn out to be a rather clumsy crime scene investigator. It absolutely refused to allow me to select the pertinent text of the log message; instead attempting to drag the rather verbose evidence all over the scene.

Chapter 3 - Searching the Offender Database for a Similar M.O.

A quick search of Google shows this seems to be a problem with Apple Type Services in its handling of missing fonts. It looks like the victim received a message in the Mail threatening him with an attack from an ancient siege machine (Trebuchet). Anticipating a siege, we decide to secure the scene.

Chapter 4 - Calling in Re-enforcements

While the scene was relatively pristine after the reboot, I felt it was an opportune time to install Security Update 2010-003, which had been pestering me for a chance to get in on the action.

Chapter 5 - The Press Sticks Their Nose In

When I finally got back to the precinct, there was a package on my desk. A dispatch from the 'Computerworld Gazette':

'Apple today patched a critical Mac OS X vulnerability used by a security researcher three weeks ago to win $10,000 for hacking Safari at the Pwn2Own contest.'
...
'According to Apple, the vulnerability Miller exploited was in ATS (Apple Type Services), a font renderer included with Mac OS X. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution...'

Damn! That Security Update kid was on to something all along. Why didn't I listen to him sooner? It looks like I've got a psychopathic serial killer on my hands.

Chapter 6 - Re-examining the Evidence

I raced back to the scene. A trebuchet is pretty devastating. You can't get much more of a malicious font than that. However, a trebuchet is also rather sizable weapon; it should be easy to spot a suspect trying to smuggle one onto the premises.

Nothing was obvious, so I started going through the dumpster out back. There in the trash, among the discarded grocery store circulars and credit card offers, I found it! An envelope, postmarked near the time of death, from 'Network Solutions' containing an advertisement for three-year reduced rates on trebuchets.

Here it was, a Trebuchet, wrapped in HTML and disguised as a can of Spam!

Epilogue - A Conclusion, a Warning, a Question

The true impact of this discovery was overwhelming. Any criminal could send out millions of malicious emails a day, loaded with an ATS bomb. It's like the Unabomber, except the bomb doesn't wait for you to open it; it blows up as soon as it hits your mailbox.

My question of Apple:
Why is incoming email HTML rendered before Junk Mail filtering? In fact, why is any dynamic email message allowed to execute on arrival?

Submitted by Brett J.

About | ACP | Buy | Industry Watch | Learning Curve | News | Products | Search | Substack
Copyright © Rixstep. All rights reserved.