
New 'critical' Safari flaw discovered

updated 09:15 am EST, Tue February 21, 2006

New Safari security flaw

Following reports of the first two Mac OS X worms, a newly reported security vulnerability in Apple's Safari web browser could allow remote system access. Dubbed "extremely critical" by security website Secunia, the newly reported flaw in Safari takes advantage of an automatically selected option to "open safe files" after downloading, which is turned on by default so that compressed images and movies are displayed. However, Apple's "safe" filter can be tricked, allowing a specifically crafted shell script to be executed without prompting the user for confirmation, something usually done for applications and executables. MacSecurityNews says that shell scripts stored in a ZIP archive without the so-called shebang line can bypass the Safari "safe" filter: it no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. Secunia has posted a proof of concept that launches the "Calculator" application upon download of an archive. The website has confirmed the flaw on a fully patched system with Safari 2.0.3 (417.8) and Mac OS X 10.4.5 and recommends that users disable the "Open safe files after downloading" option in Safari.
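The weakness the article describes is a filter that trusts an archive entry's extension rather than its content. A defender-side check for exactly that mismatch (an entry whose extension claims a movie or image but whose bytes are plain text, shebang or not) follows as an added example; it is not code from the article, Secunia, or Apple, and the extension list, magic bytes, function names, and the constructed sample archive are my own assumptions.

```python
import io
import zipfile

# Leading bytes expected for extensions Safari's "safe" list covers (constructed subset).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",), "pdf": (b"%PDF-",),
}
# QuickTime/MP4 containers begin with an atom whose 4-byte type sits at offset 4.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}

def content_matches(name, head):
    """Return (ext, True/False), or (ext, None) when the extension is not one we check."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ("mov", "mp4", "m4v"):
        return ext, len(head) >= 8 and head[4:8] in QT_ATOMS
    if ext in MAGIC:
        return ext, head.startswith(MAGIC[ext])
    return ext, None

def looks_like_text(head):
    """True when the leading bytes are plain printable text: a shebang is NOT required."""
    printable = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    return bool(head) and all(b in printable for b in head[:512])

def scan_archive(data):
    """Return [(entry name, reason)] for entries whose content contradicts their extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith("__MACOSX/"):
                continue  # directories and archiver-added resource-fork sidecars
            with zf.open(info) as fh:
                head = fh.read(512)
            ext, ok = content_matches(info.filename, head)
            if ok is False:  # None means "not a type we vouch for", so it is left alone
                kind = ("plain text (possibly a script with no shebang)"
                        if looks_like_text(head) else "unrecognised bytes")
                findings.append((info.filename, f".{ext} extension but {kind}"))
    return findings

def build_sample():
    """Constructed archive: a genuine-looking .mov header, a text file named .mov, a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clip.mov", b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 32)
        zf.writestr("notes.mov", b"plain text, not a QuickTime atom\n")
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()
```

Run `scan_archive(build_sample())` to see only `notes.mov` flagged; the same check applied before any automatic "open" decision is the kind of content verification the filter lacked.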

Previous Comments

Real one...

02/21, 10:03am reply

While users ought not to be clicking on unknown zip file links, it's impractical to think they're going to check all links on all web sites they visit. And this definitely isn't a "safe" file.

That command to launch the calculator could easily have been a command to erase your home folder.

Safari really ought to only open compressed archives automatically, and even that is questionable. This should be fixed, as soon as possible.

hayesk

Professional Poster

Joined: Sep 1999

0

another trojan, I guess

02/21, 10:08am reply

OK, I downloaded the file, nothing. I unarchived the file, nothing. Then I double-clicked the file and, yes, the calculator launched. This is, yet again, another trojan as far as I can tell. The only problem is that it's not recognized as an application and the user isn't warned that they're starting a new application. Should be patched but don't see the 'extremely critical' tag. No possibility of self propagation etc. Also, doesn't seem to be a problem with Safari but OS warning mechanism.

dscottbuch

Fresh-Faced Recruit

Joined: Sep 2000

0

Not Really New!

02/21, 10:14am reply

Apple and other security experts years ago gave warning as well as recommended shutting off the feature if an end user wanted to be more careful on the web via downloading unknown software, etc... Mine has been shut off for about 2 years or more!

DudeMac

Fresh-Faced Recruit

Joined: Sep 2002

0

ugly - depth beyond Safari

02/21, 10:17am reply

Ok, so I downloaded it without the "automatically open safe files" thing checked.

but when you decompress it with stuffit manually, nothing happens, it is when you open the file after the decompression that opening the secunia.mov launches the terminal and calculator...

Scary...the real problem is how do we know that any file doesn't have extra c*** built into it??

Is it really time for antiviral scanning? Does anyone have an antiviral scanner out there and is it able to pick up on this?

That is where the real problem lies, not so much in the easily disabled feature of Safari, because no matter how you downloaded the file, it's after you open it that you get *&&*%%!!!!

If not antivirus software, what could protect you if you wanted a file from a source you weren't sure you could trust?

emark

Forum Regular

Joined: Feb 2001

0

Illegal?

02/21, 10:19am reply

Surely security companies that produce potential malware, even as notional "proof of concept" are breaking the law. The "we're doing it to protect you" defence is hardly viable under law!

Feathers

Forum Regular

Joined: Oct 1999

0

Speed Download

02/21, 10:33am reply

That's why I use and recommend a third party download manager like Speed Download. Never have to worry about these things and it blows any browser's download manager to shame.

jarod

Fresh-Faced Recruit

Joined: Apr 2005

0

On the positive side...

02/21, 10:39am reply

...If some virus DID zap my whole HD with all the files, just imagine how much snappier the system would run!

Faceplant

Fresh-Faced Recruit

Joined: Jan 2003

0

Open "safe files...

02/21, 10:53am reply

dscottbuch - check your Safari preferences. Does Open "safe" files after downloading in the General tab have a check in its box? If not this exploit will not work. This option is on by default so most people, unless they've manually unchecked this option, would be affected by this.

fahlman

Fresh-Faced Recruit

Joined: Jun 2003

0

re: Illegal?

02/21, 11:10am reply

Feathers--

If the proof of concept file does exactly what they say it will do, and what it does has no destructive or adverse-in-any-way effects... then no, I'd hardly expect there to be any question of legality.

To me, this sounds like a flaw that Apple really ought to remedy--they need to be more sophisticated in verifying that an allegedly "safe" file really is safe.

ebow

Fresh-Faced Recruit

Joined: Oct 2001

0

Missing the point

02/21, 11:16am reply

The "work around" w/ Safari addressed AUTOMATICITY only.

if you were interested in the file enough to download it and manually decompressed it and opened it (doesn't matter which browser you do this with) the shell script still executes.

Further, installed NORTON AV 10 and had it scan my downloads folder and it reported nothing with both the .zip file and the decompressed "secunia.mov" file there!!!

Take Away: only download from trusted sources!!! and at that if they don't know there's a problem you may well not know.

I had uninstalled the Norton AV as my perception was it led to more systemic problems and cpu usage than worth it...I suppose the news of the last few weeks makes it worth having again...but there will be a lag between discovery and immunization/detection...

Wondered when this day would come... it is here.

emark

Forum Regular

Joined: Feb 2001

0
