Re: Apple Safari Browser Automatically Executes Shell Scripts
- From: Timberwoof <timberwoof@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 21 Feb 2006 00:08:38 -0800
In article <200220062234514040%secure@xxxxxxxxxxxxxxxxxxx>,
MacSecurityNews <secure@xxxxxxxxxxxxxxxxxxx> wrote:
A new Safari-specific vulnerability (which appears to affect Mail.app
as well) has been documented by the German site 'heise.de':
"Shortly after reports of the first virus for Mac OS X, a new
security flaw has surfaced. The culprit is the option "Open 'safe'
files after downloading" in Apple's Safari web browser. This feature is
activated by default. Its function is to automatically display images
and movies after they are transmitted to the user's computer, using the
application assigned to that particular document format. Safari will
also unpack ZIP archives and display the documents within if they are
considered "safe". If active content such as an application or shell
script is found within the archive, a prompt requests user
confirmation. So far, so good.
Problems ensue if a shell script is stored into a ZIP archive
without the so-called shebang line. If this line is omitted, Safari no
longer recognizes the content as potentially dangerous and executes
shell commands without a confirmation prompt. This behavior has been
discovered by Michael Lehn, who has documented it on a web site."
The full article is available at
http://www.heise.de/english/newsticker/news/69862 . Those of you that
are concerned are advised to use an alternate browser, such as Camino
or Firefox.
The full article says "The best immediate recourse against such an attack is to
deactivate the option "Open 'safe' files after downloading" in the "General"
section of Safari's preferences."[1]
Yeah. Do that. Check the online demonstration linked in the article. However, it
still won't save you when you actually open the seemingly safe jpeg by
double-clicking it. If you drag it to Preview, however, it says it's a corrupt
file.[2]
Additional details: http://www.macsecuritynews.com
[1] The next sentence reads "Alternative web browsers such as Camino or Firefox
do not support the automatic execution of files." So watch this. I open Firefox,
go to that URL, try the online demonstration. Then I double-click the downloaded
jpeg file and voila... it doesn't open but complains that the jpeg is
corrupt.[2]
[2] I do so wish some Windroid would call me a sycophantic Maccie who makes
excuses for Mac OS X at every opportunity. It would be very entertaining.
[3] You fucker. You changed the name of the followup newsgroup to something
nonexistent!
--
Timberwoof <me at timberwoof dot com> http://www.timberwoof.com
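The weak point in the behaviour the article describes is that the "is this safe to auto-open?" decision rests on the file's name and on whether it starts with a shebang, while Preview and Firefox instead look at the bytes and call the file corrupt. The following is an added example, not Safari's code and not the heise demonstration: a small content-based classifier that puts a rule modelled on the described behaviour (extension plus shebang check) beside a rule that requires the bytes to match the claimed type. The archive members, the JPEG header fragment and the list of shell tokens are constructed here for illustration; the shell-token list is a heuristic, not a complete script detector.

```python
"""Classify downloaded archive members by content, not by name or shebang.

Added example (not Apple's or heise's code).  Everything below, including the
sample archive, is constructed for illustration.
"""
import io
import re
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"              # SOI marker that every JPEG starts with
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mov"}  # assumed "safe" list
# Heuristic tokens that make plain text look like a shell script even with no
# shebang.  Constructed for this example; extend as needed.
SHELL_HINTS = re.compile(
    rb"(^|\n)\s*(echo|rm|cp|mv|curl|chmod|osascript|open|export|eval|sh|bash)\s|"
    rb"\$\(|\$\{|`|\|\s*sh\b|&&"
)


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def naive_is_safe(name: str, data: bytes) -> bool:
    """Weak rule, modelled on the behaviour the article describes:
    trust the extension and treat only a shebang line as dangerous."""
    return _ext(name) in IMAGE_EXTENSIONS and not data.startswith(b"#!")


def classify(data: bytes) -> str:
    """Decide what the bytes actually are, ignoring the filename entirely."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(b"#!"):
        return "script-with-shebang"
    if SHELL_HINTS.search(data):
        return "script-without-shebang"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary-unknown"
    return "text"


def content_is_safe(name: str, data: bytes) -> bool:
    """Stronger rule: the claimed type must match the bytes.  Only JPEG magic
    is implemented here; anything else is refused for auto-open."""
    return _ext(name) in {".jpg", ".jpeg"} and classify(data) == "jpeg"


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def audit_zip(zip_bytes: bytes) -> dict:
    """Return {member: (classification, naive verdict, content verdict)}."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            out[info.filename] = (
                classify(data),
                naive_is_safe(info.filename, data),
                content_is_safe(info.filename, data),
            )
    return out


# Constructed sample archive: a real-looking JPEG, a script wearing a .jpg
# name with no shebang, and an ordinary shell script with a shebang.
SAMPLE_ARCHIVE = build_zip({
    "photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "demo.jpg": b'echo "ran without a shebang" > "$HOME/demo.txt"\n',
    "run.sh": b"#!/bin/sh\necho hello\n",
})

if __name__ == "__main__":
    for member, verdict in audit_zip(SAMPLE_ARCHIVE).items():
        print(member, verdict)
```

Run it and the "demo.jpg" member is the interesting row: the extension-plus-shebang rule passes it, the content rule rejects it because the bytes are not a JPEG, which is the same conclusion Preview reaches when it reports the file as corrupt.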