Mac OS X Safari, Internet Explorer users urged to change preferences to protect against security iss

“In what is being described as a ‘highly critical’ vulnerability, security firm Secunia on Monday issued an advisory to all Mac OS X users that surf the Web with Microsoft’s Internet Explorer or Apple’s Safari Web browsers,” Jim Dalrymple reports for Digit Magazine. “The result of the vulnerability, which has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2, is that it is ‘possible to place arbitrary files in a known location, including script files, on a user’s system if the Safari browser has been configured to (‘Open ‘safe’ files after download’) (default behavior) by asking a user to download a ‘.dmg’ (disk image) file.'”

Secunia recommends opening Safari's preferences and unchecking "Open 'safe' files after download."

Full article here.

65 Comments

  1. Actually the specifics are that it uses a “help:” URL to run a script to open an arbitrary file. In actual fact “help:” can run ANY applescript if the path is known. If used with a “disk:” URL a remote disk image can be mounted and then anything on that image can be run.

    You can stop Help Viewer processing the “help:” URL, which will prevent the exploit, by using an application such as MisFox ( http://www.macupdate.com/info.php/id/12848 ) to change the protocol helper to something like Preview, but this will break some features of the help viewer. However a lack of help is certainly better than rm -rf ~

  2. So, when is it the user’s responsibility to know what they are downloading? It’s not like a .dmg file can actually download itself, even if Safari opens it after. So far, all these OS X “security issues” are based on the user actively choosing to DL unknown/untrusted files, and giving their admin password to install unknown/untrusted software. Somewhere along the way, the user is responsible for their actions, and everybody should be aware that malicious software is trying to get in, and it is up to you to know better. You wouldn’t drive through Harlem at midnight and pick up a hitchhiker, would you?

    As far as Windows goes, that’s like driving a convertible through Harlem at midnight. Locked doors just don’t help.

  3. Atomic- I know Mac users are generally more informed but for the most part people don’t mess with these things. That’s why Mac is a better choice in the first place- ’cause you don’t have to fiddle with things like these- much. It may be sad, but it’s true. I don’t like to mess with these things even though I do so I’m safer.

  4. The Crunge – You’re wrong this time. It could just look like a link. People follow links all the time without knowing what’s on the end of them. It could say ‘click for more information’.

    And A-Bomb – You sound astonishingly arrogant to me today. I honestly don’t know if I have that checked or not (I’ll be looking when I get home). The point is that you shouldn’t need to care about this stuff. It should be configured correctly out of the box. It’d be better if Apple not only unchecked the box by default, but actually removed it too. If it’s so potentially dangerous, it shouldn’t exist at all.

  5. Better SAFE then sorry…

    THIS IS NOT ENOUGH!!! TURNING THIS OPTION OFF DOES NOT HELP AT ALL!!! YOU NEED TO CHANGE THE HELP:// PROTOCOL’S HELPER!!!

    I usually hate to write with capitals but too many people are downplaying this one. If the diskimage is loaded through the disk:// protocol it will ignore the setting in Safari and the dangerous script still gets to be executed. To make sure you don’t get bitten change the helper for the help:// protocol!

  6. The Crunge: You don’t even have to click on a link… The link using “disk:” could be located in a meta refresh tag that could appear to just be flashing to the web surfer…

    And then, all one has to do is another one using help: and you’re done…

    No click from the user, even with the “Open safe files” set to off…

    That IS a vulnerability!

  7. Does the download location get passed back to a web server?

    Wouldn’t changing your default download location to a randomly named folder on the desktop be just as effective?

  8. I just unchecked this in the General section of Preferences, and can confirm this is a new computer wherein I had not checked this in the first place, so I can definitely confirm this is checked automatically when Safari is loaded by Apple before the computer is sold.

  9. Well jfbiii using the “disk:” links it would automatically mount into /Volumes/. So if you made the disk image you will know the path to any scripts on the image and be able to execute them via “help:”.

  10. I love all the discussions about potential – but yet unexploited – vulnerabilities in OS X. Theory is fun, folks, but when will one of you Chicken Littles actually exploit this?? Create a link. Show us that it’s actually a problem.

  11. Gotcha. Thanks.

    So the vulnerability doesn’t reside in mounting a disk image per se (because scripts can’t be auto run on mount?), but in clicking a link after the image has been mounted that has the browser passing a command to the system to run a (now) local script without requiring any further prompting.

    I’m just trying to translate these vulnerability reports into something I understand.

  12. Sounds like a non-issue to me. Just don’t download any dodgy .dmg files. Fairly obvious, one would have thought – deactivating the open safe files dialog in Safari just means you would have to open the file manually, so the same problem would apply. Just don’t DL or open dodgy files – fairly simple and easy advice to follow.

  13. @john: Could you tell that a click on the URL above would download a dmg file and execute the script on it?! You could not!!! Just not downloading dmgs ain’t possible!

    Not browsing is the only other safe option besides changing the helper for help://.

  14. jfbiii: You got everything right except the fact that like I said earlier, you don’t even have to click a link (it could be in a refresh tag in a page).

    ABomb: I agree with you that this hasn’t been exploited but here is a proof of concept. This is much worse than those Intego shitties… This also affects other browsers (it isn’t a Safari problem, it’s a system problem) as it uses help: which can execute ANY applescript which can do ANYTHING as the logged in user WITHOUT the user ok’ing it… as in deleting the WHOLE home (current user) folder… I agree, the Mac will still be running, but without its users’ documents…

    I personally am not scared of this, I just think it’s important for people to be aware of what exactly the vulnerability is… and how to not be affected.

    The only way is to modify the help: protocol so it calls another application than Help Viewer.
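The no-click chain described in comments 6 and 14 (a “disk:” URL in a meta refresh tag to mount an image, then a “help:” URL pointing at a script on that image) can be spotted in page source before it is ever rendered. The following detector is an added example, not code from the thread or from Secunia; the sample HTML is constructed and uses placeholder paths.

```python
import re
from html.parser import HTMLParser

# The two halves of the chain named in the thread: "disk:" mounts a remote
# image under /Volumes with no prompt, "help:" hands a path to Help Viewer,
# which runs an AppleScript at that path without asking the user.
RISKY_SCHEMES = ("help:", "disk:")


class URLCollector(HTMLParser):
    """Gather every URL a page can make the browser follow, with its source."""

    def __init__(self):
        super().__init__()
        self.urls = []  # (source, url) pairs

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # html.parser lowercases attribute names
        if tag == "a" and a.get("href"):
            self.urls.append(("a", a["href"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=..." is followed with no click from the user
            m = re.search(r"url\s*=\s*['\"]?([^'\"]+)", a.get("content", ""), re.I)
            if m:
                self.urls.append(("meta-refresh", m.group(1).strip()))


def find_risky_urls(html):
    """Return (source, scheme, url) for every help: or disk: URL on the page."""
    p = URLCollector()
    p.feed(html)
    hits = []
    for source, url in p.urls:
        for scheme in RISKY_SCHEMES:
            if url.strip().lower().startswith(scheme):
                hits.append((source, scheme, url))
    return hits


def is_no_click_chain(html):
    """True when a disk: mount is triggered by meta refresh and a help: URL is present."""
    hits = find_risky_urls(html)
    auto_mount = any(src == "meta-refresh" and s == "disk:" for src, s, _ in hits)
    runs_script = any(s == "help:" for _, s, _ in hits)
    return auto_mount and runs_script


# Constructed sample (not from the thread): auto-mount, then a "help:" link.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0; url=disk://example.invalid/image.dmg">
</head><body>
<a href="http://example.invalid/more">click for more information</a>
<a href="help:///Volumes/EXAMPLE_IMAGE/placeholder.scpt">click for more information</a>
</body></html>"""
```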
