Printed from http://www.macnn.com

New 'critical' Safari flaw discovered

updated 09:15 am EST, Tue February 21, 2006

New Safari security flaw

Following reports of the first two Mac OS X worms, a newly reported security vulnerability in Apple's Safari web browser could allow remote system access. Rated "extremely critical" by security website Secunia, the flaw takes advantage of Safari's "Open safe files after downloading" option, which is turned on by default so that downloaded images and movies, including compressed ones, are displayed automatically. Apple's "safe" filter can be tricked, however, allowing a specially crafted shell script to be executed without prompting the user for confirmation, a prompt that is normally shown for applications and executables. MacSecurityNews says that shell scripts stored in a ZIP archive without the so-called shebang line bypass the Safari "safe" filter: the browser no longer recognizes the content as potentially dangerous and the shell commands run without a confirmation prompt. Secunia has posted a proof of concept that launches the Calculator application upon download of an archive. The website has confirmed the flaw on a fully patched system with Safari 2.0.3 (417.8) and Mac OS X 10.4.5, and recommends that users disable the "Open safe files after downloading" option in Safari.
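The flaw comes down to how a downloaded archive entry gets classified as "safe": looking for a shebang line, or trusting the extension, is not enough. The following is an added example (not code from MacNN, Secunia or Apple) of a defender-side check that inspects each entry's stored Unix permission bits and its actual leading bytes before deciding whether it may be opened automatically. The list of "safe" media extensions, the magic-byte rules, and the sample archive are all constructed for illustration and are not Apple's real filter.

```python
import io
import zipfile

# Assumed illustrative list of extensions treated as openable media (not Apple's actual list).
SAFE_MEDIA_EXT = {".mov", ".jpg", ".jpeg", ".png", ".gif"}


def _ext(name: str) -> str:
    """Lower-cased extension of the last path component, or '' if there is none."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def _looks_like_media(name: str, head: bytes) -> bool:
    """Positive check: do the first bytes match the format the extension claims?"""
    ext = _ext(name)
    if ext == ".mov":
        # QuickTime files start with a 4-byte atom size followed by a 4-byte atom type.
        return len(head) >= 8 and head[4:8] in (b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip")
    if ext in (".jpg", ".jpeg"):
        return head.startswith(b"\xff\xd8\xff")
    if ext == ".png":
        return head.startswith(b"\x89PNG\r\n\x1a\n")
    if ext == ".gif":
        return head.startswith((b"GIF87a", b"GIF89a"))
    return False


def classify_zip(data: bytes) -> dict:
    """Return {entry_name: [reasons]} for every entry that must NOT be auto-opened.

    An entry is only considered safe when it has no execute bit, no shebang, an
    extension on the media list, and content whose magic bytes match that extension.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            # Archivers store Unix mode bits in the high 16 bits of external_attr;
            # an execute bit means the file will be handed to the shell, not to a viewer.
            mode = (info.external_attr >> 16) & 0o777
            if mode & 0o111:
                reasons.append("executable bit set in archive metadata")
            with zf.open(info) as fh:
                head = fh.read(16)
            if head.startswith(b"#!"):
                reasons.append("shebang line: script, not media")
            ext = _ext(info.filename)
            if ext not in SAFE_MEDIA_EXT:
                reasons.append("extension not on the safe list")
            elif not _looks_like_media(info.filename, head):
                reasons.append("content does not match claimed media extension")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed in-memory ZIP with three entries for exercising classify_zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Constructed stand-in for the shape described in the article: plain text with
        # no shebang, a media extension, and the execute bit set. The content here is
        # just a harmless placeholder line.
        bad = zipfile.ZipInfo("secunia.mov")
        bad.external_attr = 0o100755 << 16
        zf.writestr(bad, "echo constructed sample\n")
        # A genuine-looking QuickTime header: atom size 0x14 followed by 'ftyp'.
        good = zipfile.ZipInfo("clip.mov")
        good.external_attr = 0o100644 << 16
        zf.writestr(good, b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 24)
        # A PNG with the correct 8-byte signature.
        png = zipfile.ZipInfo("photo.png")
        png.external_attr = 0o100644 << 16
        zf.writestr(png, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in classify_zip(build_sample_archive()).items():
        print(name, "->", "; ".join(reasons))
```

The point of the design is that the decision is positive rather than negative: an entry is auto-openable only if every check affirms it is media, so a script that simply omits its shebang line still fails on the execute bit and on the missing QuickTime atom header, while the two genuine media entries pass.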




by MacNN Staff


Comments

  1. hayesk

    Real one...

    While users ought not to be clicking on unknown zip file links, it's impractical to think they're going to check all links on all web sites they visit. And this definitely isn't a "safe" file.

    That command to launch the calculator could easily have been a command to erase your home folder.

    Safari really only ought to only open compressed archives automatically, and even that is questionable. This should be fixed, as soon as possible.

  1. dscottbuch

    Another trojan, I guess

    OK, I downloaded the file, nothing. I unarchived the file, nothing. Then I double-clicked the file and, yes, the calculator launched. This is, yet again, another trojan as far as I can tell. The only problem is that it's not recognized as an application and the user isn't warned that they're starting a new application. Should be patched but don't see the 'extremely critical' tag. No possibility of self propagation etc. Also, doesn't seem to be a problem with Safari but with the OS warning mechanism.

  1. DudeMac

    Not Really New!

    Apple and other security experts years ago gave warning as well as recommended shutting off the feature if an end user wanted to be more careful on the web via downloading unknown software, etc... Mine has been shut off for about 2 years or more!

  1. emark

    Ugly - depth beyond Safari

    Ok, so I downloaded it without the "automatically open safe files" thing checked.

    But when you decompress it with StuffIt manually, nothing happens; it is when you open the file after the decompression that opening the secunia.mov launches the terminal and calculator...

    Scary... the real problem is how do we know that any file doesn't have extra c*** built into it??

    Is it really time for antiviral scanning? Does anyone have an antiviral scanner out there and is it able to pick up on this?

    That is where the real problem lies, not so much in the easily disabled feature of Safari, because no matter how you downloaded the file, it's after you open it that you get *&&*%%!!!!

    If not antivirus software, what could protect you if you wanted a file from a source you weren't sure you could trust?

  1. Feathers

    Illegal?

    Surely security companies that produce potential malware, even as notional "proof of concept" are breaking the law. The "we're doing it to protect you" defence is hardly viable under law!

  1. jarod

    Speed Download

    That's why I use and recommend a third party download manager like Speed Download. Never have to worry about these things and it blows any browser's download manager to shame.

  1. Faceplant

    On the positive side...

    ...If some virus DID zap my whole HD with all the files, just imagine how much snappier the system would run!

  1. fahlman

    Open "safe files...

    dscottbuch - check your Safari preferences. Does "Open 'safe' files after downloading" in the General tab have a check in its box? If not, this exploit will not work. This option is on by default, so most people, unless they've manually unchecked this option, would be affected by this.

  1. ebow

    re: Illegal?

    Feathers--

    If the proof of concept file does exactly what they say it will do, and what it does has no destructive or adverse-in-any-way effects... then no, I'd hardly expect there to be any question of legality.

    To me, this sounds like a flaw that Apple really ought to remedy--they need to be more sophisticated in verifying that an allegedly "safe" file really is safe.

  1. emark

    Missing the point

    The "work around" w/ Safari addressed AUTOMATICITY only.

    If you were interested in the file enough to download it and manually decompressed it and opened it (doesn't matter which browser you do this with), the shell script still executes.

    Further, installed NORTON AV 10 and had it scan my downloads folder and it reported nothing with both the .zip file and the decompressed "secunia.mov" file there!!!

    Takeaway: only download from trusted sources!!! And at that, if they don't know there's a problem you may well not know.

    I had uninstalled the Norton AV as my perception was it led to more systemic problems and cpu usage than worth it...I suppose the news of the last few weeks makes it worth having again...but there will be a lag between discovery and immunization/detection...

    Wondered when this day would come... it is here.
