
Open Safe Files After Downloading

4null4.de is giving us an English overview of a Safari Security Hole being reported by IT Portal Heise Online.

The security hole hinges on a preference being checked. I’ve yet to figure out whether or not this option is checked in a default installation of Safari. Mine was checked.

Either way, it could be bad, very bad. Until a security fix comes along, go to the Safari Menu, Preferences …, under “General”, uncheck the checkbox that says “Open “safe” files after downloading”.

I tried their proof of concept, and sure enough, a Terminal window opened, with a message indicating I’m vulnerable.

Update 2/20: English version of the original article, from the source.

Update 2/21: Secunia, Macworld, Slashdot are initiating coverage.

By Chris Holland


  1. Wasn’t that the thing about auto installing Widgets about a year ago? Mine is unchecked.

  2. It has something to do with files that look safe to Safari like jpgs that can be dangerous scripts like the recent mac trojan.

  3. Old news. This was covered right after Tiger came out. Had to do with the “proof of concept” that Intego developed, which was just their way of trying to scare people into buying their product.

    A lot of the stories written related to this were FUD, and the result of people generally doing stupid things. (Why would a screenshot be in a tarball? And why wouldn’t you be worried about the resulting file, if Safari pops up a warning every time you download a file that has executable code inside?)

    Come on, people. Think smarter, not harder. This is just FUD.

  4. Jason: because instead of making this a link for you to nicely click and download, I can make that proof of concept URI the source of a hidden iframe, and cause an arbitrary piece of shell code to execute instantly upon your loading my otherwise seemingly harmless blog.

    It is actually new news, and is different from the Dashboard widget.

    If the concept of what Safari considers a “safe file” can be corrupted, then we do indeed have a problem. It shouldn’t be too hard to fix. But it’s well worth being aware of.

  5. from the article:

    Safari will also unpack ZIP archives and display the documents within if they are considered “safe”. If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good.

    and then here’s where the flaw lives:

    Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt.

  6. “Why would a screenshot be in a tarball? And why wouldn’t you be worried about the resulting file, if Safari pops up a warning every time you download a file that has executable code inside?”

    Why wouldn’t a bunch of jpegs be in a zip file to be downloaded at once?

    How many users know that you shouldn’t double-click a jpeg without using Get Info to double-check that it isn’t a Terminal file, even though they configured OS X to show file extensions, and the extension is there alright, and the system’s JPEG icon is there too? (I don’t mean the regular icon — my JPEGs open with Xee, and the heise online proof-of-concept script displays with the Xee icon on my desktop.) I know I didn’t. Have I actually been spoiled by Windows’ security? That would be something.

    From what I read, this is different from the latestpics.tgz trojan (the file inside the tgz didn’t have an extension) and from the Intego proof of concept (which used a different mechanism to “infect” the computer). This is about Terminal files being able to masquerade as any other filetype, and the Finder actively helping them at that.

  7. c.b.: yeah, and on top of that, I could also *make* your browser download the nefarious payload behind the scenes upon visiting some seemingly innocuous web site, by making it the SRC attribute of an iframe.

    and that could be *bad*.

  8. Yeah, but the thing is — the Safari flaw has a simple workaround, uncheck the “Open safe files” box. (That box shouldn’t exist in the first place, and maybe Apple will finally just remove the option in a coming update.)

    But, to me, the fact that a shell script can look in absolutely every way like any kind of document, and the only way to differentiate it is to display the Get Info window, is a much more serious flaw. And seeing everyone treat this as a security hole in Safari, when the problem is in fact much broader, makes me fear that Apple may overlook that and just go for a quick fix.

  9. c.b.: ah yeah, good point <:|

  10. You’re not done with disabling that option in Safari. The issue has extended to the next level, as it is confirmed now that you can achieve the same thing with a prepared email and AppleMail as well. Even if you download a prepared zip file by accident and open the zip, the issue catches you.
    This is REALLY a big issue not to be ignored!

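The two points the comments make (comment 5: Safari decides whether an archive entry is "active content" by looking for a shebang line; comment 6: a shell script can carry a .jpg extension and the system JPEG icon, and only Get Info reveals it is a Terminal file) both come down to the same defensive check: validate an entry's claimed type against its actual bytes instead of trusting a single marker. The script below is an added example written for this post; it is not Apple's code, not the heise proof of concept, and not from 4null4.de. It scans a zip archive and, for each entry, (a) reports a shebang if present, (b) compares the extension against a small constructed table of file-header magic bytes, and (c) when the header does not match, applies a crude heuristic for shell-like text. The magic table, the shell word list and the sample archive are all constructed assumptions for the example, and the heuristic is deliberately simple: it shows the kind of check that does not depend on the shebang line, not a production detector.

```python
import io
import os
import string
import zipfile

# Constructed table of file-header magic bytes for a few "safe" document types.
MAGIC = {
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
}

# Constructed list of common shell commands/builtins; a heuristic, not a parser.
SHELL_WORDS = {"echo", "rm", "curl", "sh", "bash", "export", "cd", "mv", "cp",
               "chmod", "open", "osascript", "perl", "python", "eval", "exec"}


def is_mostly_text(data: bytes) -> bool:
    """True if the bytes look like printable text (no NUL bytes, >95% printable)."""
    if not data or b"\x00" in data:
        return False
    printable = set(bytes(string.printable, "ascii"))
    return sum(b in printable for b in data) / len(data) > 0.95


def looks_like_shell(data: bytes) -> bool:
    """True if at least half of the non-empty, non-comment lines start with a
    shell word or shell syntax. Works whether or not a shebang line is present."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith("#")]
    if not lines:
        return False
    hits = 0
    for line in lines:
        first = line.split()[0]
        if first in SHELL_WORDS or line.startswith(("$(", "`")) or first.endswith("()"):
            hits += 1
    return hits / len(lines) >= 0.5


def classify_entry(name: str, data: bytes) -> str:
    """Classify one archive entry from its name and the first bytes of its content."""
    ext = os.path.splitext(name)[1].lower()
    if data.startswith(b"#!"):
        return "script (shebang)"
    expected = MAGIC.get(ext)
    if expected is not None and not any(data.startswith(m) for m in expected):
        # Extension claims a document type but the header says otherwise.
        if is_mostly_text(data) and looks_like_shell(data):
            return "shell script disguised as " + ext
        return "content does not match extension " + ext
    return "ok"


def scan_zip(zip_bytes: bytes) -> dict:
    """Return {entry name: classification} for every file in an in-memory zip."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)[:4096]  # header plus enough text to judge
            findings[info.filename] = classify_entry(info.filename, data)
    return findings


def build_sample_zip() -> bytes:
    """Constructed fixture: a real JPEG header, a script with a shebang, a harmless
    shebang-less script carrying a .jpg name (the case the comments describe),
    and a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("photos/setup.sh", b"#!/bin/sh\necho hi\n")
        zf.writestr("photos/holiday.jpg", b"echo 'this is not a picture'\necho done\n")
        zf.writestr("photos/notes.txt", b"just some notes\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, verdict in scan_zip(build_sample_zip()).items():
        print(f"{entry}: {verdict}")
```

The design point is that the shebang is only one signal and an attacker-controlled one; the file header for the claimed type is a second, independent signal, and text-content heuristics a third. Any entry whose extension and header disagree deserves a confirmation prompt regardless of what the first two bytes say, which is exactly the gap the quoted heise text describes.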
