Safari vulnerability worth taking note of
Read on Ars Technica:
Safari vulnerability worth taking note of
2/21/2006 6:51:49 AM, by Eric Bangeman
“Yesterday, we reported on a Trojan horse for Mac OS X that is just like the entry for Earth in the Hitchhiker’s Guide to the Galaxy in that it is mostly harmless. A new vulnerability targeted at Apple’s home-grown web browser, Safari, is another matter entirely. A German security firm appears to have been the first to discover the Safari flaw, which allows for shell scripts to be executed after clicking a link.
Here’s how it works: if a Safari user has the “Open ‘safe’ files after downloading” option checked (which enables movies, images, music, text, PDF, and a few other automatic documents to be automatically opened upon completion of a download), a specially designed shell script can be executed. Normally, shell scripts will not be executed after Safari downloads them without user confirmation. However, if the script lacks a “shebang line” (e.g., #!/bin/csh) and the Finder is set to open scripts using Terminal, the Finder will pass the scripts to the Terminal application, where they will be executed.
If a script is given an extension such as “jpg” or “mov” and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application—regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.
Part of the problem is due to the manner in which Mac OS X determines filetypes. Unlike OS 9 and earlier, which relied solely on file metadata (a four-digit creator code) to determine a file’s type, Mac OS X uses both metadata and the extension to figure out how a file is handled. So although the script contains metadata in the form of a Terminal type/creator code, the .jpg or .mov extension causes Safari to treat it like a safe file…”
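A defender-side check for the extension-versus-content mismatch the article describes, as an added Python example that is not from Ars Technica or Apple: it walks a downloaded ZIP, flags Finder metadata sidecars, and flags any “safe” extension whose leading bytes do not match the claimed format. The signature table, the `audit_zip`/`build_sample_zip` names and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Standard leading-byte signatures (offset, bytes) for formats the article
# calls "safe"; the table itself is constructed for this example.
SAFE_MAGIC = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".pdf": [(0, b"%PDF-")],
    ".mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide"), (4, b"free")],
}

def matches_magic(ext, head):
    """True if the leading bytes look like the format the extension claims."""
    return any(head[off:off + len(sig)] == sig for off, sig in SAFE_MAGIC.get(ext, []))

def audit_zip(zip_bytes):
    """Return (entry name, reason) pairs for entries worth a closer look before opening."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = posixpath.basename(name)
            # "__MACOSX/._name" sidecars carry the Finder metadata that can override
            # the association the visible extension suggests; flag, do not trust.
            if name.startswith("__MACOSX/") or base.startswith("._"):
                findings.append((name, "Finder metadata sidecar may override the extension"))
                continue
            ext = posixpath.splitext(base)[1].lower()
            if ext not in SAFE_MAGIC:
                continue
            if not matches_magic(ext, zf.read(name)[:16]):
                findings.append((name, f"content does not match the {ext} extension"))
    return findings

def build_sample_zip():
    """Constructed sample: a genuine JPEG header, a text file wearing .jpg,
    and an AppleDouble sidecar (magic 00 05 16 07) for that text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
        zf.writestr("script.jpg", b"just text, not an image\n")
        zf.writestr("__MACOSX/._script.jpg", b"\x00\x05\x16\x07\x00\x02\x00\x00")
        zf.writestr("notes.txt", b"plain text, not checked here\n")
    return buf.getvalue()
```

Run `audit_zip(build_sample_zip())` to see the two flagged entries; a gate like this belongs in front of any “open automatically after download” behaviour.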