I love how people are trying their hardest ot find EVERY POSSIBLE security issue, real or not. OH MY GOD YOU COULD GET A VIRUS ON OSX. News flash. Anything that the user has to enable for it to work is NOT a frickin virus. There ARE no viruses for osx. Just 2 pathetic attempts at trying to make osx look "just as unsafe as windows". I have a weird feeling microsoft may have some hand in this, as only they stand to gain from these headlines. Why is it that "news" stories go on and on for days weeks months, and after people totally are confused, someone finally says "oh well actually this happened, so it's not really an issue". People are just looking for excuses to not buy macs. I think they are in the "bargaining" phase of switching. "if i use a mac i'm just as vulnerable to bad stuff, so why should i switch". HAHA! :)

The whole thing with osx is that you ARE safe as long as you use common sense, but with windows you aren't safe no matter what you do. Any 14 year old could write a virus for windows. A "virus" on osx is simply software that has intentionally included bugs to carry out the malicious actions. It's like "hmm photosofme.jpg from hotsexynudebabe@hotmail.com.. OH YES!! I want to see naked women! *downloads* |safari: the item you are downloading contains an application, continue?|" You really think someone would be stupid enough to click yes? That is where the flaw is. Human decision making. Not osx.

IMO it's extremely irresponsible of both the "security" companies and the press to publish information about security holes so openly.

Often they claim that users are less secure if they don't know. That's total rot. Users are less secure if malicious individuals know about security holes, and the fact is that the people who write malware get a lot of information on how to break into machines *directly from so-called "security" companies* or the forums or mailing lists they operate.

Problems like this *should* be kept quiet until such time as a patch has been released.

Fast iBook just doesn't get it, does he/she? Are you clairvoyant, can you see into the future, do you know which processes are running all the time and which one of them is showing a dialogue or asking for a password?

You can't do these things, and thus you can't guarantee the safety of files - ever.

Next time try to make sense.

So doesn't this mean that you can't even view QT .mov's without worrying if there is a malicious script hidden in them now?

Someone best take that sponsored link out of my first comment or i'm going to start writing massive quantities of email to whomever i need till it gets done. My words are not to be used as advertisement.

Thanks.

I don't think there is a situation where osx allows things to happen without user intervention. Passwords, selecting yes/cancel etc. Good reason to have system permissions repaired and up to date eh?

the "work around" w/ Safari addressed AUTOMATICITY only.

if you were interested in the file enough to download it and manually decompressed it and opened it (doesn't matter which browser you do this with) the shell script still executes.



Note that this is incorrect. You're assuming there was a link on the screen that said "Download this file". What if you were on MacNN, and there was a link that says "As we reported beore....", and you click the link, the file automatically downloads, the file unzips, and the resulting file launches. The ONLY thing manual here is just clicking a link, which isn't out of the realm of normal use on a computer.

The whole thing with osx is that you ARE safe as long as you use common sense, but with windows you aren't safe no matter what you do. ...*downloads* |safari: the item you are downloading contains an application, continue?|" You really think someone would be stupid enough to click yes? That is where the flaw is. Human decision making. Not osx.

Must be great to have that new version of Safari, fast ibook, but when I ran this thing yesterday (which ran a script, BTW, not an app), I got NO message about an application. It just ran terminal and did a ls (and could've done worse!).

Oh, and I haven't had a virus on my windows PC in like 10 years. So apparently you can be safe if you do certain things correctly.

I don't think there is a situation where osx allows things to happen without user intervention. Passwords, selecting yes/cancel etc. Good reason to have system permissions repaired and up to date eh?

Wrong. You only need passwords and such if something were to install in the main Applications folder. But if it just installs into the current user's folder, no passwords are required.

I have written a fix to this vulnerability using a very simple Automator script to intercept calls to Terminal and seek your permisson to run Terminal before executing. To do this you must:

1) Using Finder, go to /Applications/Utilities and rename Terminal.app to _Terminal.app 2) Copy my replacement Terminal.app into /Applications/Utilities

To uninstall, just delete my new Terminal.app and rename _Terminal.app back to Terminal.app.

This fix works on my machine and seems completely harmless. However, use it at you own risk - I am not responsible for any unintended side effects.

The paranoid amongst you should also verify my script inside Automator before installing - after all, I could just be playing a nasty social engineering joke on you...

Download the replacement Terminal application from my .mac idisk by going to Finder, then Go, iDisk, Other User's Public Folder and typing "pehowland" for the user name. See the ReadMe file on the disk.

here we go again....anyone else sensing a pattern here? apple begins to increase market share, reports of "critical" flaws increase. Hmmmm.

Obviously we need to keep our heads up, but keep asking hard questions too... What's really driving these announcements, for instance? Do these security "experts" have a vested interest? What is really going on with practices like "proof of concept" ? Are these companies saviours, or bloodsuckers and sowers of discord?

You have to wonder about a lot of this stuff. There's boatloads of money at stake, and it's pretty damn easy for any security firm to post an alert about a new "critical flaw", and then watch the global press go nuts. If it doesn't amount to anything, well, that's simply cuz everyone patched properly. Better yet, a bunch of suckers bought another piece of anti-virus software. And you'd have to be pretty naive not to believe that Apple's competitors would actually get involved in this kind of thing. This is the global economy, not a sunday school picnic.

Cynical, perhaps. But no matter how you slice it, I'm thinking we're all slowly letting ourselves become ducks in a row. What REALLY gets to me, tho, is how these Mac virus stories are getting morphed by the media into "Macs are not safe" stories, or "Macs are just as vulnerable as Windows machines" stories. BZZZT. Wrong. I say, if you value the Mac platform, start asking hard questions, and demanding answers.

Hey guys, for once I agree with testudo. This IS a flaw. Think of all the times you've clicked on a link without thinking about the outcome. Like, a million times, right?

So the only thing separating someone who'll get hammered by malicious code utilizing this security hole from those who won't is whether or not that option in Safari's preferences is checked. And we all know that that is checked by default.

This is a critical flaw that needs to be amended.

For new users, this feature at stake is Apple's way of making Mrs. Jones life on the internet easy - and I guess there is a need. But the way to do it, I assume, would be to make to 'Auto-open Safe Files' feature work the right way, is to make it only open .DMG files that have been signed by a trusted source - in this case a Service at Apple.

If Apple made such a service, where you could submit your file, have it signed (against an account?) and then it would be 'safe', I think this would actually rock.

If some files slipped through with trojans or virus in it, it would even be easy to track down, as the file is signed and traceable.

For new users, this feature at stake is Apple's way of making Mrs. Jones life on the internet easy - and I guess there is a need. But the way to do it, I assume, would be to make to 'Auto-open Safe Files' feature work the right way, is to make it only open .DMG files that have been signed by a trusted source - in this case a Service at Apple.

Sorry, but kind of pointless. All this does is make all downloads go to a folder, where Mr or Mrs Mac User just has to search for them, find the file, and double-click to open it, rather than the automatic way of just opening it. This will become so routine that there will be no "sanity check" or anything that will keep someone from opening a false app.

What really, really, really would need to be done is for Apple to give the user more control. Don't assume ANY file is OK, regardless. Force the user to say "Yes, word documents are safe from the internet" or "No, don't open DMG files automatically". (You know, the way Firefox does it now). Right now, there's apparently some list of what's considered 'safe', but who knows what that list contains. And who knows how to change it.

It wouldn't hurt to have certain files omitted from the list (like .apps, terminal scripts, etc) and can't be automatically added. But, beyond that, having the feature warn the user that the file is an app or shell script, and they should be careful in running it.

Hey guys, for once I agree with testudo. Hey! What do you mean "for once"!

But no matter how you slice it, I'm thinking we're all slowly letting ourselves become ducks in a row. What REALLY gets to me, tho, is how these Mac virus stories are getting morphed by the media into "Macs are not safe" stories, or "Macs are just as vulnerable as Windows machines" stories. BZZZT. Wrong. I say, if you value the Mac platform, start asking hard questions, and demanding answers.

I guess I just don't read the crappy sites you read, since I've not read this in conjunction with the lines "just as vulnerable as windows".

And talking about 'ducks in a row'. I laugh at all the "No viruses on the macs! We're secure as possible. No worries here! Those guys are making things up!" crowd. You people are just setting yourself up, no two ways about it.

And before getting TOO cocky about how laughish all this is, I'd like to point out that this basic same flaw was around a year or two ago (remember the "click the link, and have a DMG download, mount, and program on disk launch" 'bug' that Apple supposedly fixed months after it was reported. Well, seems that it wasn't so much fixed as badly fixed. (And this is the bug that led to the stupidity of the OS telling you "Hey, you're trying to open the word document in word. Are you sure you want to do this" messages.)