toggle

AAPL Stock: 423 ( 0 )

http://www.macnn.com/articles/06/02/21/new.safari.security.flaw/

New 'critical' Safari flaw discovered

updated 09:15 am EST, Tue February 21, 2006

 

New Safari security flaw


Following reports of the first two Mac OS X worms, a newly reported security vulnerability in Apple's Safari web browser could allow remote system access. Dubbed as "extremely critical" by security website Secunia, the newly reported flaw in Safari takes advantage of an automatically selected option to "open safe files' after downloading--which is turned by default to display images and movies that are compressed. However, Apple's 'safe' filter can be tricked, allowing a specifically crafted shell script to be executed without prompting a user for confirmation, something usually done for applications and executables. MacSecurityNews says that shell scripts stored in a ZIP archive without the so-called shebang line can bypass the Safari 'safe' filter: it no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. Secunia has posted a proof of concept that launches the 'Calculator' application upon download of an archive. The website has confirmed the flaw on a full-patched system with Safari 2.0.3 (417.8) and Mac OS X 10.4.5 and recommends that users disable the "Open safe files after downloading" option in Safari.


by MacNN Staff

Post tools:

TAGS :

 troubleshooting

Related Articles

Recent Articles

toggle

Comments

  1. hayesk

    Professional Poster

    Joined: Sep 1999

    0
    02/21, 10:03am | report spam | Reply |

    Real one...

    While users ought not to be clicking on unknown zip file links, it's impractical to think they're going to check all links on all web sites they visit. And this definitely isn't a "safe" file.

    That command to launch the calculator could easily have been a command to erase your home folder.

    Safari really only ought to only open compressed archives automatically, and even that is questionable. This should be fixed, as soon as possible.

  1. dscottbuch

    Fresh-Faced Recruit

    Joined: Sep 2000

    0
    02/21, 10:08am | report spam | Reply |

    another trojan, i gues

    OK, i downloadedthe file, nothing. I unarchived the file, nothing. Then I double-clicked the file and, yes, the calculator launched. This is, yet again, another trojan as far as I can tell. The only problem is that its not recognized as an application and the user warned that they're starting a new application. Should be patched but don't see the 'extremely critical' tag. No possibility of self propagataion etc. Also, doesn't seem to be a problem with Safari but OS warning mechanism.

  1. DudeMac

    Fresh-Faced Recruit

    Joined: Sep 2002

    0
    02/21, 10:14am | report spam | Reply |

    Not Really New!

    Apple and other security experts years ago gave warning as well as recommended shutting off the feature if an end user wanted to be more careful on the web via downloading unknown software, etc... Mine has been shut off for about 2 years or more!

  1. emark

    Forum Regular

    Joined: Feb 2001

    0
    02/21, 10:17am | report spam | Reply |

    ugly - depth beyond Safar

    Ok, so I downloaded it without the "automatically open safe files" thing checked.

    but when you decompress it with stuffit manually, nothing happens, it is when you open the file after the decompression that opening the secunia.mov launches the terminal and calculator...

    Scarry...the real problem is how do we know that any file doesn't have extra c*** built into it??

    Is it really time for antiviral scanning? Does anyone have an antiviral scanner out there and is it able to pick up on this?

    That is where the real problem lies, not so much in the easily disabled feature of Safari, because no matter how you downloaded the file, it's after you open it that you get *&&*%%!!!!

    If not antivirus software, what could protect you if you wanted a file from a source you weren't sure you could trust?

  1. Feathers

    Grizzled Veteran

    Joined: Oct 1999

    0
    02/21, 10:19am | report spam | Reply |

    Illegal?

    Surely security companies that produce potential malware, even as notional "proof of concept" are breaking the law. The "we're doing it to protect you" defence is hardly viable under law!

  1. jarod

    Fresh-Faced Recruit

    Joined: Apr 2005

    0
    02/21, 10:33am | report spam | Reply |

    Speed Download

    That's why I use and recommend a third party download manager like Speed Download. Never have to worry about these things and it blows any browser's download manager to shame.

  1. Faceplant

    Fresh-Faced Recruit

    Joined: Jan 2003

    0
    02/21, 10:39am | report spam | Reply |

    On the positive side...

    ...If some virus DID zap my whole HD with all the files, just imagine how much snappier the system would run!

  1. fahlman

    Fresh-Faced Recruit

    Joined: Jun 2003

    0
    02/21, 10:53am | report spam | Reply |

    Open "safe files...

    dscottbuch - check your Safari preferences. Does Open "safe" files after downloading in the General tab have a check in it's box? If not this exploit will not work. This option is on by default so most people, unless they've manually unchecked this option, would be affected by this.

  1. ebow

    Fresh-Faced Recruit

    Joined: Oct 2001

    0
    02/21, 11:10am | report spam | Reply |

    re: Illegal?

    Feathers--

    If the proof of concept file does exactly what they say it will do, and what it does has no destructive or adverse-in-any-way effects... then no, I'd hardly expect there to be any question of legality.

    To me, this sounds like a flaw that Apple really ought to remedy--they need to be more sophisticated in verifying that an allegedly "safe" file really is safe.

  1. emark

    Forum Regular

    Joined: Feb 2001

    0
    02/21, 11:16am | report spam | Reply |

    Missing the point

    The "work around" w/ Safari addressed AUTOMATICITY only.

    if you were interested in the file enough to download it and manually decompressed it and opened it (doesn't matter which browser you do this with) the shell script still executes.

    Further, installed NORTON AV 10 and had it scan my downloads folder and it reported nothing with both the .zip file and the decompressed "secunia.mov" file there!!!

    Take Away: only download from trusted sources!!! and at that if they don't know there's a problem you may well not know.

    I had uninstalled the Norton AV as my perception was it led to more systemic problems and cpu usage than worth it...I suppose the news of the last few weeks makes it worth having again...but there will be a lag between discovery and immunization/detection...

    Wondered when this day would come... it is here.

Show More Comments

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

Logitech FabricSkin Keyboard Folio for iPad

Since the fourth-generation iPad didn't evolve much over its predecessor, the market for iPad accessories has remained somewhat static ...

Huawei Ascend Mate

The Huawei Ascend Mate is a phone that fits the screen-size gap between the 4 to 5-inch smartphone and the seven-inch or more tablet, ...

MaxUpgrades MaxConnect for 2006-2008 Mac Pro

Nobody outside of Cupertino's privileged bunch knows the future of the Mac Pro line for sure. Despite Apple's reluctance to tell us wh ...

toggle

Most Commented

 

Popular News