Published in TidBITS 818.
Significant Safari Exploit Discovered
A potentially critical security flaw has been uncovered in Apple's Safari Web browser, which may enable attackers to execute arbitrary Unix shell scripts on a user's machine simply by following a link on a Web site. Apple has yet to comment or release a patch, but in the meantime, we'd urge Safari users to disable the "Open 'safe' files after downloading" option in the General pane of Safari's preferences. (In fact, we've recommended disabling this option since May 2005, when a weakness involving Dashboard widgets was discovered.)
<http://db.tidbits.com/article/08119>
The root of the exploit involves the way Mac OS X determines which program should launch files of a particular type. Under Mac OS 9, applications were associated with files using four-letter creator codes stored in a file's resource fork; under Mac OS X, applications are associated with files via a more arcane system involving metadata and a file's extension. If an attacker renames a Unix shell script to a "safe" extension (like .pdf, .jpg, etc.), sets the script file's executable bit, and compresses the script with the Zip archiving utility, Safari will happily download the script, decompress it, assume the script is "safe," then blithely pass it off to the Mac OS X Terminal application for execution. An attacker could easily use such a script to delete a user's home directory, damage the computer's configuration, or obtain personal data. (For more information, see Matt Neuburg's "Of Files, Forks, and FUD" elsewhere in this issue.)
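The following Python check, added here and not part of the original article, scans a Zip archive for members that carry a "safe" extension yet have a Unix executable bit set or content that does not match the extension. The extension list, magic-byte table, function names and sample archive are assumptions constructed for illustration.

```python
import io
import stat
import zipfile

# Assumed set of extensions a browser might treat as "safe", with the magic
# bytes genuine files of each type start with (illustrative, not Safari's list).
SAFE_MAGIC = {
    ".pdf": (b"%PDF",),
    ".jpg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def suspicious_entries(zip_bytes):
    """Return (name, reasons) for members that claim a safe type but look executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = next((e for e in SAFE_MAGIC if name.endswith(e)), None)
            if ext is None or info.is_dir():
                continue
            reasons = []
            # Unix permissions sit in the high 16 bits for archives made on Unix.
            mode = info.external_attr >> 16
            if info.create_system == 3 and mode & EXEC_BITS:
                reasons.append("executable bit set")
            with zf.open(info) as fh:
                head = fh.read(8)
            if not head.startswith(SAFE_MAGIC[ext]):
                reasons.append("content does not match extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample():
    """Constructed archive: a PDF-like file and a mislabelled executable text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, perm, data in (("report.pdf", 0o644, b"%PDF-1.4 constructed"),
                                 ("photo.jpg", 0o755, b"constructed placeholder text\n")):
            zi = zipfile.ZipInfo(name)
            zi.create_system = 3  # mark the entry as created on Unix
            zi.external_attr = (stat.S_IFREG | perm) << 16
            zf.writestr(zi, data)
    return buf.getvalue()
```

Running `suspicious_entries(build_sample())` flags only `photo.jpg`, for both reasons; a mail or download gateway could apply the same test before any archive is unpacked automatically.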
Safari is the only Web browser known to be affected, although it is possible other programs could be vulnerable to similar attacks. The Camino and Firefox Web browsers are not vulnerable to this particular exploit.
Danish security firm Secunia has listed the flaw as "extremely critical," and has posted a harmless sample exploit of the flaw so users can test if their systems are vulnerable. Heise Online has another demonstration of the exploit.
<http://secunia.com/advisories/18963>
<http://secunia.com/mac_os_x_command_execution_vulnerability_test/>
<http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip>
Users may also be able to protect themselves from the exploit by removing the Terminal application from its default location in Applications > Utilities. (However, doing so may confuse future system updaters, so users would probably have to remember to put it back before installing new software.)
By default, Safari's "Open 'safe' files after downloading" option is disabled on new Mac OS X 10.4.5 installations, so many users may be safe from this exploit by default. However, merely running Mac OS X 10.4.5 is no guarantee of safety: we've confirmed that systems updated to Mac OS X 10.4.5 from earlier versions may well leave Safari's "Open 'safe' files after downloading" option enabled. So, to be safe, check that the option is disabled on your system regardless of the version of Mac OS X you're using.







