Mac OS X Safari, Internet Explorer users urged to change preferences to protect against security iss

“In what is being described as a ‘highly critical’ vulnerability, security firm Secunia on Monday issued an advisory to all Mac OS X users that surf the Web with Microsoft’s Internet Explorer or Apple’s Safari Web browsers,” Jim Dalrymple reports for Digit Magazine. “The result of the vulnerability, which has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2, is that it is ‘possible to place arbitrary files in a known location, including script files, on a user’s system if the Safari browser has been configured to (“Open ‘safe’ files after download”) (default behavior) by asking a user to download a ‘.dmg’ (disk image) file.’”

Secunia recommends opening Safari preferences and unchecking “Open ‘safe’ files after download.”

Full article here.

65 Comments

  1. This is a real “vulnerability”…

    SOS has posted a link, just a link, that will run a terminal command; if you look at the source code for the target page, the meta data will refresh the script and the terminal command will run without any user input. The terminal command is not dangerous in the example; however, it could be the remove home directory command that we have all been discussing for weeks. You could just be doing some basic web surfing and land on a site that would, without your input at all, delete your home directory.

    I am not chicken little.
    The sky is falling…

    This is the link to the example of the exploit from SOS on a different reader feedback discussion:

    http://www.macdailynews.com/comments.php?id=P2716_0_1_0

  2. More research…

    Apple was notified in Feb. !

    Adv: safari_0x04
    Release Date: 10/05/04
    Affected Products: Safari =< 1.2
    Fixed in: Not fixed.
    Impact: Remote code execution.
    Severity: High.
    Vendor: Notified (23/02/04)
    Author: fundisom.com

    Also, turning off the Open Safe Files after download does nothing; see above link.

    Where is the response from Apple… they have done nothing since Feb. and now a kid (the most common hacker) could build a web site that would destroy all who arrive…

    I would strongly urge all users to limit their surfing until Apple releases a patch to this very dangerous problem.

  3. Sorry guys, but this looks like the real deal. MacCentral has some excellent threads going about some pretty easy temporary fixes and some harmless links if you need proof that it’s for real. The exploit doesn’t require you to download anything to work, and simply unchecking the box in Safari prefs won’t help. It could be embedded in a web page. The good news is that it looks like it should be pretty easy for Apple to fix. I’d expect to see something very soon.

    We all knew this would happen sooner or later (whether we admit it or not). No OS is perfect, and no OS will ever be 100% secure. OS X is still by far the most secure though.

  4. TURNING OFF “OPEN SAFE FILES” IN SAFARI IS NO PROTECTION

    Remove Mac OS X Help Viewer (System/Library/CoreServices) and place on cd, off your computer.

    For crying out loud the original site purposely created confusion by saying Turning off “Safe Files” is some but bad protection, then says some crap about changing InternetConfig Help.

    The exploit uses the Help Viewer that is accessed by Safari and other web browsers. Remove the Help Viewer, save it for later.

  5. If I’ve understood this correctly, this can be cured by removing/changing the internet protocol for Help. This can easily be done in many ways. I’ve found MisFox (missing internet settings for os x) a simple but capable (free) app an easy way to do this.

  6. Well Bomb, being the long time veteran of windows that you are, you should be well aware that the problems usually come after a vulnerability is discovered and reported on, not vice versa.

    So while it seems unlikely these are large and exploitable problems, one really can’t be too sure or too safe. It’s the attitude of “it’s no big deal” that MS took towards security and has led to the travesty that is windows. It’s a poor line of thinking, and one that leads to inferiority.

  7. rageous:

    Ho-hum. YAWN.

    As has been said on this site before, if you’re stupid enough to click on something when you don’t know what it is, where it’s going, or what it might do to your computer, then you’ll get exactly what you have coming to you. Hell, the vast majority of the Windows viruses have depended on idiot users clicking on email attachments.

    Screw ’em. I have no sympathy. Night, night.

  8. Well AB, let’s just hope no one puts this to use and embeds the necessary code into a website that contains anything you might be interested in, like “screenshots of upcoming OS X Tiger”. You don’t have to download anything for this to hurt you.

    I wholeheartedly agree that the two previous Intego scares were nothing to worry about, but this one is different. This could very easily be put to use. I’m sure Apple will fix it quickly, but taking the attitude that you’re above getting hurt by it because you’re too smart and experienced is ridiculous. Accepting that the problem is there and addressing it quickly is the only thing that’s going to keep OS X from becoming the irreparable piece of swiss cheese known as Windows.

  9. This is no laughing matter, it’s the same vulnerability they found in Windows Help system a week or so ago.

    We’re talking “drive-by” malware. Don’t believe it? Think again.

    Click on this proof of concept and see if you can stop your heart from pounding too fast:
    http://bronosky.com/pub/AppleScript.htm

    If you want to check first that it is a proof of concept, before you have a heart attack watching Terminal.app go 100 miles/minute, you’ll find the link and subsequent postings in reaction at this MacCentral thread:

    http://forums.maccentral.com/wwwthreads/showflat.php?Cat=&Board=news040517safariphp&Number=669601&page=&view=expanded&sb=5&o=&part=&returnto=http://maccentral.macworld.com/news/2004/05/17/safari/index.php

    ***** DISABLE HELP VIEWER NOW !!! **** I disabled the app by renaming the file ***

  10. OK it is 16:00 in NYC,

    Has anybody heard from Apple yet? They have known about the issue since Feb.
    I really would like to know what the best solution is; there are many people claiming to have the best route to protect your Mac. However, I am not sure if just renaming Help Viewer will solve the problem.

    I will predict by tomorrow morning someone will have a site up and running…
    http://www.delete-home-directory.com

    This stinks, a Mac used to be a fun way to surf the net; now one click…
    and you’re dead…

    Apple please forget about music for a few minutes and fix this.

  11. Oh by the way…

    Apple has pulled the plug on their discussion boards…

    Perhaps too many links to proof of concept web pages…

    It is too easy, anyone can build a page to: onload>delete>anything and everything

  12. Sputnik… settle down. With MisFox I changed my help protocol to select Textedit. Tested it with one of the “proof of concept” links. Everything is golden sunshine now. Took five minutes. I’m going to go frolic in a field of bunnies and daisies now, as armageddon has been once again postponed. Can’t say it’s that easy for a WinHose computer, where an update patch can trash your whole network AND molest your grandma before you can say “Ctrl-Alt-Whatdahell?!”
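    Comments 5 and 12 describe the mitigation of rebinding the help: URL scheme away from Help Viewer. The following is an added example (not posted in this thread and not part of MisFox) showing how a defender can audit and rewrite that binding in the per-user Launch Services preference file; the sample plist is constructed, and the Help Viewer and TextEdit bundle ids are assumed.

```python
import plistlib

# Constructed sample of ~/Library/Preferences/com.apple.LaunchServices.plist,
# the per-user file in which Launch Services records URL scheme -> app bindings.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>LSHandlers</key>
  <array>
    <dict>
      <key>LSHandlerURLScheme</key><string>http</string>
      <key>LSHandlerRoleAll</key><string>com.apple.safari</string>
    </dict>
    <dict>
      <key>LSHandlerURLScheme</key><string>help</string>
      <key>LSHandlerRoleAll</key><string>com.apple.helpviewer</string>
    </dict>
  </array>
</dict>
</plist>
"""

HELP_VIEWER = "com.apple.helpviewer"  # assumed bundle id of the stock Help Viewer

def scheme_handler(plist_bytes, scheme):
    """Bundle id bound to `scheme`, or None when no per-user binding exists."""
    for entry in plistlib.loads(plist_bytes).get("LSHandlers", []):
        if entry.get("LSHandlerURLScheme", "").lower() == scheme.lower():
            return entry.get("LSHandlerRoleAll") or entry.get("LSHandlerRoleViewer")
    return None

def help_scheme_exposed(plist_bytes):
    """True while help: URLs still reach Help Viewer (no binding = system default)."""
    handler = scheme_handler(plist_bytes, "help")
    return handler is None or handler.lower() == HELP_VIEWER

def rebind_scheme(plist_bytes, scheme, bundle_id):
    """Return a new plist with `scheme` bound to `bundle_id`, adding an entry if needed."""
    data = plistlib.loads(plist_bytes)
    handlers = data.setdefault("LSHandlers", [])
    for entry in handlers:
        if entry.get("LSHandlerURLScheme", "").lower() == scheme.lower():
            entry.pop("LSHandlerRoleViewer", None)  # a single RoleAll binding wins
            entry["LSHandlerRoleAll"] = bundle_id
            break
    else:
        handlers.append({"LSHandlerURLScheme": scheme, "LSHandlerRoleAll": bundle_id})
    return plistlib.dumps(data)
```

    On a real machine the same functions take the bytes of the user's Launch Services plist (plistlib also reads the binary form); the target application should be one that treats the URL as inert text, as comment 12's TextEdit choice does.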

  13. Aaaaanyway, another fun thing to do – which I’ve been doing since 10.3 was released – is to create various users to flip to via fast user switching. For example, I have a “Surfer” user that I use to surf the Internet. He has virtually no permission to do anything on my machine, and if his Home directory were wiped out, I really wouldn’t care.

  14. I’m running Mac Os 9.2.2 with internet explorer 5.1.7
    I clicked on the link for the proof of concept page and
    the help viewer came up.
    Nothing was downloaded to the computer.
    OS X is not installed on this machine.
    Thanks
    Vic

  16. Apple was notified of this exploit several months ago on Slashdot. I remember firing off something about it and thought it was fixed with the software update.

    Now every Mac and PC user with a sick sense of humor is saying things like

    “Check out this babe, she’s a hottie!!” or other similar tricks and watching Mac owners crap their pants.

    But it serves Apple right, they should have patched this ages ago.

    Who’s asleep at the wheel? Or afraid to upset Sir Jobs?

    Apple should hire a team of people to keep track of the Mac based net so they don’t get caught with their pants down.
