Filed under: Security
Safari Vulnerability
Didn't we learn this lesson already? Disable the "Open 'safe' files after downloading" preference in Safari and this won't affect you. In any case, according to Ars Technica, a German security firm discovered a Safari vulnerability by which clicking on a link could end up running a shell script, because a script disguised as a "safe" file type is opened automatically once the download finishes. Set "Panic button" to Mildly cautious; Ars Technica advises: "Currently, the exploit is not out in the wild. Until Apple issues an update to Mac OS X and/or Safari, however, Safari users should change their user preferences to remove the possibility of malicious scripts causing damage. Or they could switch browsers. I would expect a patch to come Real Soon Now, as this should be easy to fix."
I'd guess we'll see a security update later today or tomorrow.
Thanks to everyone who sent this in!

Reader Comments
Brad said 1:41PM on 2-21-2006
Duh.
Ingo said 1:54PM on 2-21-2006
This one is really bad:
http://www.heise.de/newsticker/meldung/69894
This is an example where a shell script appears just like a JPEG in Apple Mail, and if you click on it the Terminal will execute the script!
Dan Siercks said 2:05PM on 2-21-2006
It is worse than just affecting Safari's safe downloads, actually, and I'm surprised that a "Community" website took this long to get this up.
http://isc.sans.org/diary.php?storyid=1138
Read the update.
hauk said 2:22PM on 2-21-2006
This is not particular to Safari. This is a very, very, very nasty security hole at the OS level, based on how the OS handles files.
portorikan said 2:31PM on 2-21-2006
Interesting. I was doing some of the security update things mentioned a few days ago on this site last night, came across that, and decided to go ahead and remove that check mark.
I'm gonna go ahead and forward the info to my sister as well.
billg said 3:40PM on 2-21-2006
Why don't they call FTP a security threat, too? Any archived file you download can contain a script that does something you don't want it to do.
Every time we pull down an Apple update, we're trusting that Jobs hasn't gone bonkers and hidden Evil Mac Zapping Code in the files.
If this is a big enough deal, then maybe the best approach would be to build sandboxes into operating systems to provide space for archives to be opened without risk.
consumer_q said 6:44PM on 2-21-2006
This is news?
I assumed everybody already knew about this "feature".
Eon said 10:03PM on 2-21-2006
This is off-topic, and I don't mean to be a grammar nazi, but people are affected, and experience effects. People are not effected.
Baglan said 10:51PM on 2-21-2006
Coming from a Windows world, I have a deep-seated paranoia about automatic execution of something without my direct consent - so I turned this feature off as soon as I discovered it :)
Xenedar said 11:17PM on 2-21-2006
This isn't a problem with Safari. Secunia has an example which causes the Calculator to open, but the same thing happens if you run it manually. Safari is doing "the right" thing, as far as what Mac OS X allows files with resource forks to do.
http://secunia.com/advisories/18963
Leap.A/Oompa is based on the same "issue" - hiding executable data inside the resource fork of binaries that otherwise do not make use of their resource fork.
I wouldn't be surprised to see a Mac OS X Security Update, rather than a Safari Security Update.
chris dithi said 4:25AM on 2-22-2006
AFFECT, NOT EFFECT. Learn the difference, you *are* writers aren't you?
Mike Czepiel said 1:07PM on 2-22-2006
You aren't the only ones who are guilty of mis-reporting this, unfortunately.
As mentioned in a previous comment, this is not a Safari vulnerability. (There is a bit of an issue there in Safari misidentifying executables without a shebang line as safe.) But the underlying issue was discussed well at unsanity today (http://www.unsanity.org/archives/000449.php).
There is indeed a problem with allowing executables to masquerade as an innocent file such as a JPG. Somebody needs to come up with some way of preventing that, or of making it obvious that executables are in fact executable.
I see no problem with the auto-opening feature of Safari and truly appreciate it. You're downloading for a reason, most likely: to open the file. Whether Safari (or Mail, for that matter) opens the file or I manually open the file, there should be some protection at that point.
So there are a few problems here, but the major culprit is LaunchServices; Safari is only an accomplice, unfortunately.
Xenedar is right on in his comment.
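As an added example, not part of the original post or of any comment above, here is a portable shell script that does the check the last comment asks for: it compares a download's first bytes with the type its extension claims and flags a "JPEG" that is really a shell script, with or without a `#!` line. The file names and sample contents are constructed for the demo; the `..namedfork/rsrc` path is how HFS+ exposes a file's resource fork on Mac OS X (the channel Leap.A and the Secunia example use) and is simply absent on other systems, where that test is false.

```shell
#!/bin/sh
# Added example (not from the post): flag a downloaded file whose bytes do not
# match the type its extension claims, which is exactly how a shell script
# named photo.jpg slips past an "open safe files" whitelist.

# Hex of the first $2 bytes of $1, with no spaces or newlines.
magic_hex() {
    head -c "$2" "$1" | od -An -tx1 | tr -d ' \n'
}

# Lowercase extension of a path ("" if it has none).
ext_of() {
    base=${1##*/}
    case "$base" in
        *.*) printf '%s' "${base##*.}" | tr 'A-Z' 'a-z' ;;
        *)   printf '' ;;
    esac
}

# classify_download FILE  -> prints one label and exits 0 only for "ok":
#   ok                   content matches the extension's magic bytes
#   masquerading-script  claims to be an image but starts with "#!"
#   masquerading-exec    claims to be an image, no shebang, but the executable
#                        bit or an HFS+ resource fork is set (the 2006 trick)
#   mismatch             claims to be an image, content is something else
#   unknown-type         extension not in the whitelist; treat as unsafe
classify_download() {
    f=$1
    ext=$(ext_of "$f")
    head4=$(magic_hex "$f" 4)
    case "$ext" in
        jpg|jpeg) case "$head4" in ffd8ff*) echo ok; return 0 ;; esac ;;
        png)      [ "$head4" = 89504e47 ] && { echo ok; return 0; } ;;
        gif)      [ "$head4" = 47494638 ] && { echo ok; return 0; } ;;
        *)        echo unknown-type; return 1 ;;
    esac
    # The extension says "image" but the bytes do not. Work out what it is.
    case "$head4" in
        2321*) echo masquerading-script; return 1 ;;   # "#!" shebang
    esac
    # A script with no shebang still runs if it is executable, and on HFS+ a
    # resource fork can carry the Terminal binding. The fork path exists only
    # on Mac OS X; elsewhere [ -s ] is quietly false.
    if [ -x "$f" ] || [ -s "$f/..namedfork/rsrc" ]; then
        echo masquerading-exec; return 1
    fi
    echo mismatch; return 1
}

# Constructed samples: a real JPEG header (SOI + APP0 marker), a shebang
# script named .jpg, a shebang-less executable script named .jpg, and a
# .jpg that is plain text. Prints the directory they were written to.
make_samples() {
    d=$(mktemp -d)
    printf '\377\330\377\340' > "$d/real.jpg"
    printf '#!/bin/sh\necho would run as a script\n' > "$d/shebang.jpg"
    printf 'echo would run as a script\n' > "$d/noshebang.jpg"
    chmod +x "$d/noshebang.jpg"
    printf 'just some text\n' > "$d/text.jpg"
    echo "$d"
}

# Demo: `sh check.sh demo` classifies every sample file.
if [ "${1:-}" = demo ]; then
    d=$(make_samples)
    for f in "$d"/*.jpg; do
        printf '%-14s %s\n' "${f##*/}" "$(classify_download "$f")"
    done
fi
```

The whitelist is the point of the design: anything not positively identified as one of a few known-harmless formats is reported as unsafe, rather than trying to enumerate every way a file could be dangerous. A real "safe files" feature would have to make the same decision on content, not on the extension or the Finder icon.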