Posted on 02/21/2006 7:36:56 AM PST by Senator Bedfellow
A new security vulnerability in Safari has been identified by security experts at Secunia.
The company - which rates the flaw as extremely critical - says that the vulnerability was discovered by a source outside the company, Michael Lehn.
It can be exploited by malicious people to compromise a user's system, it warns.
The vulnerability is caused by an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives.
This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive, Secunia warns.
It can also be exploited automatically by Safari when visiting a malicious website.
The company has released a test users can run to check if their systems have been affected.
The vulnerability has been confirmed on an up-to-date system running Safari 2.0.3 (417.8) and Mac OS X 10.4.5.
Users can mitigate the threat by disabling the "Open safe files after downloading" option in Safari.
But, but... Macs don't have any viruses or bad things happening to them. Must be a typo.
Ping.
Even the magic elf workshop has an off day now and then, I guess ;)
this can't be right... Lex Luther must have implanted embedded kryptonite into the almighty OSX... Superman must have overlooked this deliberate plot hatched by Bill Gates.
Well, I'm typing this on a Mac now and I've never, ever had a problem and everything...&&&&&&**((((((!!!!!!!!!!AHHHHHHHHHHH
LOL.... this is old news (well, the Secunia variant isn't) - it's basically an option in the web browser that you can turn on to allow it to auto open files after you download. So, make sure it isn't turned on (which it isn't by default) and the "virus" doesn't work. This has been something that was addressed LAST year.... by telling people "Hey. Jackass. DON'T turn on the "open safe files" if you browse the web a lot."--- this is basically someone else writing a little proof of concept file (which by the way, I just downloaded and ran and didn't work on my machine - something about permissions) ---
still running 20+ Macs and ne'er a single virus ........ And having well over 2000 clients with Macs without a SINGLE virus, trojan......spyware...adware..... sniffles....
Waiting for the inevitable "It's coming .. you just wait....!" from someone playing devil's advocate for the Windows side.......
BTW- just an odd thought- when did it become alright to advocate the devil?
;-)
I'm not from the Windows team... I dislike both OSX and Windows.
"it's basically an option in the web browser that you can turn on to allow it to auto open files after you download. So, make sure it isn't turned on ..."
Kind of like the vulnerability Outlook had a long while ago ...
"Hey. Jackass. DON'T turn on the "open safe files" if you browse the web a lot."---
LOL -- Hey Jackass - Just because we say "open SAFE files" doesn't mean we actually know that they ARE safe to open!
No, that's really not true - until Apple patches the OS to change how ZIP files are handled, this is readily exploitable as a trojan. It would be wise to be wary of ZIP files from unknown or untrusted sources until then.
BTW- just an odd thought- when did it become alright to advocate the devil?
Not only is it "alright" ... It's a MUST .. re the canonization of saints. It's sort of like, I'm not gonna take as fact my young son's word is true .. that the kid down the street, or across town, is OK for him to hang out with. It's my duty to check it out. "Trust, but verify."
Advocatus Diaboli
("Advocate of the Devil" or "Devil's Advocate").
A popular title given to one of the most important officers of the Sacred Congregation of Rites, established in 1587, by Sixtus V, to deal juridically with processes of beatification and canonization. His official title is Promoter of the Faith (Promotor Fidei). His duty requires him to prepare in writing all possible arguments, even at times seemingly slight, against the raising of any one to the honours of the altar. The interest and honour of the Church are concerned in preventing any one from receiving those honours whose death is not juridically proved to have been "precious in the sight of God" (see BEATIFICATION and CANONIZATION). Prospero Lambertini, afterwards Pope Benedict XIV (1740-58), was the Promoter of the Faith for twenty years, and had every opportunity to study the workings of the Church in this most important function; he was, therefore, peculiarly qualified to compose his monumental work "On the Beatification and Canonization of Saints," which contains the complete vindication of the rights of the Church in this matter, and sets forth historically its extreme care of the use of this right. No important act in the process of beatification or canonization is valid unless performed in the presence of the Promoter of the Faith formally recognized. His duty is to protest against the omission of the forms laid down, and to insist upon the consideration of any objection. The first formal mention of such an officer is found in the canonization of St. Lawrence Justinian under Leo X (1513-21). Urban VIII, in 1631, made his presence necessary, at least by deputy, for the validity of any act connected with the process of beatification or canonization.
http://www.newadvent.org/cathen/01168b.htm
Saints Alive! My MAC is clean!!
Also works in Mail.app
by daveschroeder (516195)
on 10:27 AM February 21st, 2006 (#14767730)
(http://das.doit.wisc.edu/)
You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).
You can test this by downloading this harmless example:
http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
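The Secunia advisory at the top of the thread (a shell script renamed to a "safe" extension, with its Terminal file association carried in the ZIP's "__MACOSX" folder) and the Mail.app comment above (any file can wear any icon) describe the same underlying trick: the name and icon say "image", the bytes say "script". The check below is an added illustration written for this page; it is not code from Secunia, Heise, Apple or any poster here. It reads a ZIP archive, compares each document-looking entry's leading bytes against the magic number its extension implies, and reports whether a `__MACOSX/._name` AppleDouble companion (the Finder-info/resource-fork metadata the advisory refers to) accompanies it. The sample archive, the file names in it and the extension/magic table are constructed for the example; the AppleDouble header value 0x00051607 and the `__MACOSX/._` naming convention are real.

```python
import io
import os
import zipfile

# Constructed table: document extensions we care about and the bytes a
# genuine file of that type starts with.
EXPECTED_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

# Header of an AppleDouble file, which is what __MACOSX/._<name> entries are.
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"


def finder_metadata_targets(names):
    """Map each __MACOSX/._<name> entry back to the data file it describes,
    e.g. '__MACOSX/docs/._a.jpg' -> 'docs/a.jpg'."""
    targets = set()
    for name in names:
        if not name.startswith("__MACOSX/"):
            continue
        rel = name[len("__MACOSX/"):]
        folder, _, base = rel.rpartition("/")
        if base.startswith("._"):
            targets.add((folder + "/" if folder else "") + base[2:])
    return targets


def scan_zip(data):
    """Return findings for entries whose extension claims 'document' but whose
    content does not. A Finder-metadata companion is reported as an aggravating
    factor: on its own it is normal for any Mac-created ZIP, but combined with a
    mismatch it is what lets the file open in something other than an image viewer."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        with_metadata = finder_metadata_targets(names)
        for name in names:
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in EXPECTED_MAGIC:
                continue
            with zf.open(name) as fh:
                head = fh.read(16)
            if any(head.startswith(m) for m in EXPECTED_MAGIC[ext]):
                continue  # bytes agree with the extension
            reason = ("shebang line: script body behind a document extension"
                      if head.startswith(b"#!")
                      else "content magic does not match extension")
            findings.append({
                "name": name,
                "reason": reason,
                "has_finder_metadata": name in with_metadata,
            })
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real malicious file): one genuine JPEG
    header, and one harmless shell script named like a JPEG with a __MACOSX
    companion entry, mirroring the shape described in the advisory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        zf.writestr("invoice.jpg", b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/._invoice.jpg",
                    APPLEDOUBLE_MAGIC + b"\x00\x02\x00\x00" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        level = "HIGH" if f["has_finder_metadata"] else "MEDIUM"
        print(f"[{level}] {f['name']}: {f['reason']}")
```

Run against the constructed archive it reports only `invoice.jpg`, flagged HIGH because the script body sits behind a `.jpg` name and carries Finder metadata; `photo.jpg` passes because its bytes match the extension. The same content check catches the Mail.app variant, since a custom icon changes nothing about the leading bytes. The magic table is deliberately small; a real gateway scanner would use a full file-type library and treat a missing or unknown type as a mismatch rather than skipping it.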
Reminds me of how the gun-grabbers flock to a school shooting -- hoping to dance on the graves of the innocent...
Okay. Have it your way. Don't pay any attention to this, and just keep on doing what you're doing.
Actually, this particular bug would force Safari to open ZIP files, even if that option is turned off. I was affected by it (it never executed any programs that I could see), but Apple seems to have fixed the problem in 10.4.5.
Just goes to re-iterate every software developer's core doctrine: there is NO bugproof software.
(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")
The Slapdash post is more troubling than the original report.
Secunia is not a reliable source.
Better to get security info from other Mac sources.
It's only troubling if you're an apple user. >:-}
I'm not yet too proficient an OSX hacker; but on earlier systems I would check the resource forks of suspect files. These things are easy to spot...
I just find it amusing that PC users are drawn to Mac threads -- to the extent that their posts frequently outnumber those of the Mac folks. Sort of like the morbid folks who watch NASCAR -- hoping for a wreck....