Safari Vulnerability
Didn't we learn this lesson already? Disable the "Open 'safe' files after downloading" and this won't affect you. In any case, according to Ars Technica a German security firm discovered a Safari vulnerability by which a shell script could be run after clicking on a link. Set "Panic button" to Mildly cautious; Ars Technica advises: "Currently, the exploit is not out in the wild. Until Apple issues an update to Mac OS X and/or Safari, however, Safari users should change their user preferences to remove the possibility of malicious scripts causing damage. Or they could switch browsers. I would expect a patch to come Real Soon Now, as this should be easy to fix."
I'd guess we'll see a security update later today or tomorrow.
Thanks to everyone who sent this in!
You aren't the only ones that are guilty of mis-reporting this unfortunately.
As mentioned by a previous comment, this is not a Safari vulnerability. (There is a bit of an issue there with Safari misidentifying executables without a shebang line as safe), but the underlying issue was discussed well at unsanity today (http://www.unsanity.org/archives/000449.php).
There is indeed a problem with allowing executables to masquerade as an innocent file such as a jpg. Somebody needs to come up with some way of preventing that, or making it obvious that executables are in fact executable.
I see no problem with the auto opening feature of Safari and truly appreciate it. You're downloading for a reason most likely: to open the file. Whether Safari (or Mail for that matter) opens the file or I manually open the file, there should be some protection at that point.
So there are a few problems here, but the major culprit is LaunchService; Safari is only an accomplice, unfortunately.
Xenedar is right on in his comment.
AFFECT, NOT EFFECT. Learn the difference, you *are* writers aren't you?
February 22 2006 at 4:25 AM

This isn't a problem with Safari. Secunia has an example which causes the Calculator to open, but the same thing happens if you run it manually. Safari's doing "the right" thing as far as what Mac OS X allows files with resource forks to do.
http://secunia.com/advisories/18963
Leap.A/Oompa is based on the same "issue" - hiding executable data inside the resource fork of binaries that otherwise do not make use of their resource fork.
I wouldn't be surprised to see a Mac OS X Security Update, rather than a Safari Security Update.
Coming from a Windows world, I have a deep-seated paranoia about automatic execution of something without my direct consent - so I turned this feature off as soon as I discovered it :)
February 21 2006 at 10:51 PM

This is off-topic, and I don't mean to be a grammar nazi, but people are affected, and experience effects. People are not effected.
February 21 2006 at 10:03 PM

This is news?
I assumed everybody already knew about this "feature".
Why don't they call FTP a security threat, too? Any archived file you download can contain a script that does something you don't want it to do.
Every time we pull down an Apple update, we're trusting that Jobs hasn't gone bonkers and hidden Evil Mac Zapping Code in the files.
If this is a big enough deal, then maybe the best approach would be to build sandboxes into operating systems to provide space for archives to be opened without risk.
Interesting. I was doing some of the security update things mentioned a few days ago on this site last night and came across that and decided to go ahead and remove that check mark.
I'm gonna go ahead and forward the info to my sister as well.
This is not particular to Safari. This is a very very very nasty security hole at the OS level and based on how the OS handles files.
February 21 2006 at 2:22 PM

It is worse than just affecting Safari safe downloads actually, and I'm surprised that a "Community" website took this long to get this up.
http://isc.sans.org/diary.php?storyid=1138
Read the update.
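As an added defender-side example (not code from the post, its commenters or Apple), the checker below inspects a downloaded file the way a "safe file" filter would have to before auto-opening it: it flags a shebang line, Mach-O executable magic, a header that contradicts the claimed extension (the "executable masquerading as a jpg" case), an executable permission bit and, on macOS only, a non-empty resource fork. The magic-byte table and the sample files are my own constructions; the page names none of these values.

```python
import os
import stat
import tempfile

# Constructed table of standard file-header magics for the image types a
# "safe file" list would typically trust (assumption: not taken from the page).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}
# Mach-O 32/64-bit magics in both byte orders, plus the fat-binary magic.
MACHO_MAGIC = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
               b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe")


def inspect_download(path):
    """Return the reasons this file must NOT be auto-opened as the type its
    extension claims. An empty list means nothing suspicious was found."""
    findings = []
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"#!"):
        findings.append("shebang: file is a script")
    if head.startswith(MACHO_MAGIC):
        findings.append("mach-o: file is native executable code")
    if ext in MAGIC and not head.startswith(MAGIC[ext]):
        findings.append("header does not match claimed type ." + ext)
    if os.stat(path).st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable permission bit set")
    # macOS exposes the resource fork at this path; elsewhere it never exists.
    rsrc = path + "/..namedfork/rsrc"
    if os.path.exists(rsrc) and os.path.getsize(rsrc) > 0:
        findings.append("non-empty resource fork")
    return findings


def demo():
    """Write constructed samples to a temp dir and inspect each one."""
    d = tempfile.mkdtemp()
    samples = {  # name: (contents, mode); all four claim to be a JPEG
        "real.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),
        "script.jpg": (b"#!/bin/sh\necho hi\n", 0o755),   # shell script
        "noshebang.jpg": (b"echo hi\n", 0o755),            # script, no shebang
        "macho.jpg": (b"\xfe\xed\xfa\xce" + b"\x00" * 12, 0o755),
    }
    results = {}
    for name, (data, mode) in samples.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        os.chmod(p, mode)
        results[name] = inspect_download(p)
    return results
```

Note that the shebang-less script is caught only by its executable bit and header mismatch, which is exactly the gap the commenter above describes.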