Safari Vulnerability Detected

Mastershakes

OSNN Veteran Addict
Joined
6 Jul 2004
Messages
1,721
Link

Eric Bangeman said:
Here's how it works: if a Safari user has the "Open 'safe' files after downloading" option checked (which enables movies, images, music, text, PDF, and a few other automatic documents to be automatically opened upon completion of a download), a specially designed shell script can be executed. Normally, shell scripts will not be executed after Safari downloads them without user confirmation. However, if the script lacks a "shebang line" (e.g., #!/bin/csh) and the Finder is set to open scripts using Terminal, the Finder will pass the scripts to the Terminal application, where they will be executed.

If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.

Part of the problem is due to the manner in which Mac OS X determines filetypes. Unlike OS 9 and earlier, which relied solely on file metadata (a four-digit creator code) to determine a file's type, Mac OS X uses both metadata and the extension to figure out how a file is handled. So although the script contains metadata in the form of a Terminal type/creator code, the .jpg or .mov extension causes Safari to treat it like a safe file.

Not a big deal, as hardly anybody uses macs.

Is this really the beginning of a wave of Mac OS X malware? Probably not. Given Apple's relatively small market share, it's not as attractive a target for malware writers as Windows is. That could change, if the installed base of computers running Mac OS X continues to grow as it has over the past year or so.

Perhaps in 10 years or so we shall see if they start picking on it. I highly doubt they will gain more market share than they have already due to corporations in most part sticking with MS.
 
I can't believe that article was posted today -- the "vulnerability" has been known since shortly after OS X 10.4 was released, almost a year ago. I've never seen a report that this has been taken advantage of, either.

I hope that the market share doesn't get high enough to convince hackers that it's worth their time. I like my secure OS and want to keep it to stay that way.
 
Man, they are way behind then. Can you toss me a link from a year ago?

On the market share thing I'd have to agree. Some of my graphic design clients are very picky,
so I outfit them with Macs and OSX and they shut up. ;)

EDIT - Does this mean they have waited a full year and still havn't patched it? TSK TSK? ? ?
 
Last edited:
Mastershakes said:
EDIT - Does this mean they have waited a full year and still havn't patched it? TSK TSK? ? ?

It's not the kind of vulnerability that needs a patch -- that's why I call it a "vulnerability." In response, Apple turned the option on, by default, to prompt the user to open (mount) the download instead of it happening automatically. This was actually in the form of disabling the "open safe files" option. Additionally, most anything that writes to the system level requires an administrator password, so that layer of security exists as well. There really isn't much of a risk.

I'll dig for the initial reports of this.
 
I guess if Apple really wanted to it would remove the "open safe files" option from Safari altogether.
 
Here's a thread from May 2005 that relates to this exact issue. In this case it concerns widgets, but the "vulnerability" is the same.
 
It is ease of use to have stuff mounted automatically. We shall see how long it lasts before the option is A. removed, or B. worked around such that things like this can't happen.
 

Members online

No members online now.

Latest profile posts

Also Hi EP and people. I found this place again while looking through a oooollllllldddd backup. I have filled over 10TB and was looking at my collection of antiques. Any bids on the 500Mhz Win 95 fix?
Any of the SP crew still out there?
Xie wrote on Electronic Punk's profile.
Impressed you have kept this alive this long EP! So many sites have come and gone. :(

Just did some crude math and I apparently joined almost 18yrs ago, how is that possible???
hello peeps... is been some time since i last came here.
Electronic Punk wrote on Sazar's profile.
Rest in peace my friend, been trying to find you and finally did in the worst way imaginable.

Forum statistics

Threads
62,015
Messages
673,494
Members
5,621
Latest member
naeemsafi
Back