Filed under: Security
Safari Vulnerability
Didn't
we learn this lesson already? Disable the "Open 'safe' files after downloading" and this won't affect you. In any case, according to Ars Technica a German security firm discovered a Safari vulnerability by which a shell script could be run after clicking on a link. Set "Panic button" to Mildly cautious; Ars Technica advises: "Currently, the exploit is not out in the wild. Until Apple issues an update to Mac OS X and/or Safari, however, Safari users should change their user preferences to remove the possibility of malicious scripts causing damage. Or they could switch browsers. I would expect a patch to come Real Soon Now, as this should be easy to fix."
I'd guess we'll see a security update later today or tomorrow.
Thanks to everyone who sent this in!
![TUAW [Cafepress]](http://www.blogsmithmedia.com/www.tuaw.com/media/tuaw-cafepress-promo.png)
Reader Comments (Page 1 of 1)
Brad said 1:41PM on 2-21-2006
Duh.
Reply
Ingo said 1:54PM on 2-21-2006
Really bad is this one:
http://www.heise.de/newsticker/meldung/69894
This is a example where a shell skript appears just like a jpeg in Apple Mail and if you klick on it the terminal will execute the skript!
Reply
Dan Siercks said 2:05PM on 2-21-2006
It is worse then just affecting Safari safe downloads actually, and I'm surprised that a "Community" website took this long to get this up.
http://isc.sans.org/diary.php?storyid=1138
Read the update.
Reply
hauk said 2:22PM on 2-21-2006
This is not particular to Safari. This is a very very very nasty security hole at the OS level and based on how the OS handle files.
Reply
portorikan said 2:31PM on 2-21-2006
Interesting. I was doing some of the security update things mentioned a few days ago on this site last night and came across that and decided to go ahead and removed that check mark.
I'm gonna go ahead a forward the info to my sister as well.
Reply
billg said 3:40PM on 2-21-2006
Why don't they call FTP a secutiy threat, too? Any archived file you download can contain a script that does something you don't want it to do.
Every time we pull down an Apple update, we're trusting that Jobs hasn't gone bonkers and hidden Evil Mac Zapping Code in the files.
If this is a big enough deal, then maybe the bst approach would be to build sandboxes into operating systems to provide space for archives to be opened without risk.
Reply
consumer_q said 6:44PM on 2-21-2006
This is news?
I assumed everybody already knew about this "feature".
Reply
Eon said 10:03PM on 2-21-2006
This is off-topic, and I don't mean to be a grammar nazi, but people are affected, and experience effects. People are not effected.
Reply
Baglan said 10:51PM on 2-21-2006
Coming from a Windows world, I have a deep-seated paranoia about automatic execution of something without my direct consent - so I turned this feature off as soon as I discovered it :)
Reply
Xenedar said 11:17PM on 2-21-2006
This isn't a problem with Safari. Secunia has an example which causes the Calculator to open, but the same thing happens if you run it manually. Safari's doing "the right" thing as far as what Mac OS X allows files with resource forks to do.
http://secunia.com/advisories/18963
Leap.A/Oompa is based on the same "issue" - hiding executable data inside the resource fork of binaries that otherwise do not make use of their resource fork.
I wouldn't be surprised to see a Mac OS X Security Update, rather than a Safari Security Update.
Reply
chris dithi said 4:25AM on 2-22-2006
AFFECT, NOT EFFECT. Learn the difference, you *are* writers aren't you?
Reply
Mike Czepiel said 1:07PM on 2-22-2006
You aren't the only ones that are guilty of mis-reporting this unfortunately.
As mentioned by a previous comment, this is not a Safari vulnerability. (There is a bit of an issue there in Safari misidentifying executables without a shebang line as safe) but the underlying issue was discussed well at unsanity today (http://www.unsanity.org/archives/000449.php)
There is indeed a problem with allowing executables from masquerading as an innocent file such a a jpg. Somebody needs to come up with some way of preventing that, or making it obvious that executables are in fact executable.
I see no problem with the auto opening feature of Safari and truly appreciate it. You're downloading for a reason most likely: to open the file. Whether Safari (or Mail for that matter) opens the file or I manually open the file, there should be some protection at that point.
So there are a few problems here but the major culprit is LaunchService, Safari is only an accomplice unfortunately.
Xenedar is right on in his comment.
Reply