Safari web browser auto executes shell scripts; disable ‘Open ‘safe’ files after downloading’ option

The option to “Open ‘safe’ files after downloading” in Apple’s Safari web browser has an issue. “This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered ‘safe.’ If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good,” Heise Online reports. “Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.”

“Under normal circumstances, shell scripts begin with a ‘shebang line’ such as ‘#!/bin/bash’ to indicate which interpreter should handle its execution. However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically,” Heise Online reports. “If a script is given an extension such as ‘jpg’ or ‘mov’ and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application — regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.”

“The best immediate recourse against such an attack is to deactivate the option ‘Open ‘safe’ files after downloading’ in the ‘General’ section of Safari’s preferences,” Heise Online reports. “An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.”
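The mechanism Heise describes gives a defender three things to look for in a downloaded archive before anything opens it: an entry whose extension claims an image or movie but whose bytes are plain text rather than the format's magic number, a text payload that carries no `#!` interpreter line, and Finder-generated per-file metadata travelling alongside the entry. The following Python script is an added example written for this page, not code from Heise, Apple or the article; it inspects a ZIP in memory without extracting it. It assumes the macOS Archive Utility layout in which per-file metadata is stored as `__MACOSX/._<name>` entries, and it builds its own constructed sample archive (the metadata entry is a placeholder string, not a real AppleDouble record) so that it runs offline.

```python
"""Audit a ZIP archive for the Safari auto-open pattern discussed above.

Added example, not the article's or Heise's code. Checks performed
without writing anything to disk:
  1. entries with an image/movie extension whose first bytes do not carry
     the matching magic number and instead look like plain text;
  2. such text payloads that lack a '#!' interpreter line;
  3. '__MACOSX/._*' metadata entries (assumption: standard macOS Archive
     Utility layout), which is where per-file opener bindings travel.
"""
import io
import os
import zipfile

# Magic numbers for the extensions Safari treats as "safe" media.
# For .mov the QuickTime atom type sits at offset 4, not offset 0.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".mov": (b"moov", b"ftyp", b"mdat", b"wide"),
}


def looks_textual(data):
    """True when the first 512 bytes are almost entirely printable ASCII."""
    sample = data[:512]
    if not sample:
        return False
    printable = sum(1 for b in sample if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(sample) > 0.95


def magic_matches(ext, data):
    """Check the bytes against the magic number expected for `ext`."""
    sigs = MAGIC[ext]
    if ext == ".mov":
        return data[4:8] in sigs
    return any(data.startswith(s) for s in sigs)


def audit_zip(zip_bytes):
    """Return a list of (entry name, reason) findings for the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.startswith("__MACOSX/"):
                findings.append((name, "finder-metadata-entry"))
                continue
            if info.is_dir():
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            with zf.open(info) as fh:
                head = fh.read(512)
            if magic_matches(ext, head):
                continue
            if looks_textual(head):
                reason = "text-payload-with-media-extension"
                if not head.startswith(b"#!"):
                    reason += ",no-shebang"
                findings.append((name, reason))
            else:
                findings.append((name, "magic-mismatch"))
    return findings


def build_sample_archive():
    """Constructed sample: one genuine-looking JPEG, one text file wearing a
    .jpg extension, and a placeholder metadata entry (not real AppleDouble)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("photo.jpg", b"echo constructed-sample-payload\n")
        zf.writestr("__MACOSX/._photo.jpg", b"PLACEHOLDER-METADATA")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_archive()):
        print(f"{entry}: {reason}")
```

The clean `holiday.jpg` passes silently; `photo.jpg` is reported both for being text behind a media extension and for lacking a shebang, and the metadata entry is reported on its own, which is exactly the combination the article warns about. Run it against a real download with `audit_zip(open(path, "rb").read())`; any finding is a reason to unpack by hand and look before double-clicking.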

Full article — including a safe online demonstration provided by heise Security that you can use to determine whether your system is affected — here.

MacDailyNews Note: You definitely do not want shell scripts executed without a confirmation prompt just because you visited a web link. How did this extremely stupid mistake slip through, Apple? Hello? Until Apple addresses this issue, deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac OS X users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.

Again: Safari users: Deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.

Secunia Advisory: Mac OS X ZIP Archive Shell Script Execution: Extremely critical. More info here.


Related articles:
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006

90 Comments

  1. This is why Apple is not considered a safe operating system in the “real IT world”. This is a very serious issue… the execution of a shell script from visiting a web page. Your entire home directory could be deleted with one visit to a site!

    Apple OS is not safe.

    And there are not any enterprise class tool sets available for system administrators to use to mitigate these known flaws.

    The only safe solution is to remove all Apple computers from the internet.


  2. Hang on though. If you’ve deliberately downloaded it, you’re going to get around to manually opening the file anyway thus unleashing any nasties that may be in the file or have I turned over two pages at once?

    Hence, the added advice of moving the Terminal app from its default location.

  3. After moving Terminal then double-clicking the safe demo in the article, the file opens with the default app assigned to the extension. In this case, it attempts to open the file with Preview which gives you the following message: “Couldn’t open the file. It may be corrupt or a file format that Preview doesn’t recognize.”

  4. >>> Dave H – This is an old tip. I seem to remember reading about this months ago.

    Yes, Dave … you’re right. I remember reading this tip when widgets installed themselves upon downloading. The same correction was offered then.

    Deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences.

  5. On day #1 when I first got my hands on Safari and browsed the preferences, that button was the first thing I unchecked. I just don’t like the idea of anything opening without my index finger involved.

    And, Sputnik, if the world were to heed your advice, Windows would have been banished from the planet years ago.

  6. I’ve had that feature disabled for a very long time, but for a different reason.

    Sometimes when a file is downloaded, I might not want to open it with the same application that the original creator used.

    By disabling that option, I get to decide what opens it and as an incidental benefit, I also get more chance of spotting something untoward about that file before opening it.

  7. It all goes back to DON’T DOWNLOAD FROM UNKNOWN SOURCES!!!
    Geez people, STOP THIS INSANITY!!! If you download garbage, don’t be surprised if you get some infections.

    It is the producers of security software that are creating and spreading these rumors. The vast majority of virus creators want it to spread and want to see the chaos and destruction; this is their thrill and motivation for doing it. To create one for Mac OS X does not give them this thrill because Macs do not automatically spread files around, and it is impossible to auto-run one without the intervention of the computer’s admin. NO PROGRAM WILL JUMP INTO YOUR MAC!!!!

    All of this hype and fear mongering is based upon creating overblown attention to EXISTING normal computer usage practices. Don’t download and run crap from unknown sources. There is no fear. There is no boogieman hiding in the dark, and YES YOUR MAC IS PERFECTLY SAFE just the way it is, even with Safari being able to open safe files. Safari will ASK YOU to download an application before decompressing it. Even then, it will NOT auto-run it.

    Your local Apple Store has over 40 Macs running 24/7 on the internet in each of 150 stores, in addition to the thousands being used by their other employees. NOT ONE needs virus protection software. These are HUGE targets for virus writers. As soon as Apple themselves decide to use security, then I will, too. But, until then, I feel perfectly safe!!

    Do you really think that the anti-virus software companies have your best interest in mind? NO! All they are thinking about are $$$. If and when Apple says to add it, then I will.

    Get a grip on reality and RELAX PEOPLE!!!

  8. well craappp. So how do I open media stuff in my web browser now? I wanted to listen to ‘Songs From The Far Right’ as offered by the Huff Post. But now it won’t play with the do-jigger turned off. I might hafta become a Commie. jeeeze.

  9. “Hang on though. If you’ve deliberately downloaded it, you’re going to get around to manually opening the file anyway thus unleashing any nasties that may be in the file or have I turned over two pages at once?”

    Dirty Pierre le Punk, if you unzip the archive manually, then you have a chance to see what the unarchived file is, and decide if you feel it is safe opening to begin with. You should wonder why a jpeg or movie is zipped to begin with.

    If you want to open media that was zipped, drag and drop it onto the viewer app rather than double-clicking. That way it won’t be able to open in Terminal if it is a shell script in disguise. Hopefully Apple will fix this soon though.

  10. “On day #1 when I first got my hands on Safari and browsed the preferences, that button was the first thing I unchecked. I just don’t like the idea of anything opening without my index finger involved.”

    Gee, that’s what I do on ALL puters that I use.

    Sputnik, you have autorun on, right? If not, why?

    TrolleyLOL!

  11. On second thought….

    I LIKE the idea of Mac Trojans all over the place!!
    The only way to get one is by visiting and downloading from skanky sites filled with pirated software and other questionable coding. The people it hurts are the ones propagating this crap amongst each other.

    I am immune to Mac Trojans because I support the original developers and I am not trying to get something for nothing by downloading from some high school kid’s Mac.

    If people want to be bottom-feeders and digest the crap left by their peers, that is just fine with me. Like all things, your computer is what it eats. Mine is healthy, what is yours?!

    This wave of panic is only for those crap-passers, as it should be!

  12. Did that months ago on first setup. Stupid to open things automatically. Any good admin could use Remote Desktop to do this in an enterprise environment. Or, more simply, he could

    defaults write com.apple.Safari AutoOpenSafeDownloads -boolean No

    for a list of machines on which he was admin, and all would be done. ARD allows that, and so does a simple script with ssh to run the command.

    It’s too bad there are so few integrated, useful tools like that for Windows. Really a pity.

  13. Unlike the Widget problem where the widget would automatically download, install and activate, this has to be manually downloaded, which means it’s another trojan.

    I think we’re going to be seeing more of this stuff.

    Only open files you trust, like work-related stuff rather than social network stuff, and you’ll be fine.

    If I see that old lady pulled off her feet by the dog one more time I’m going to hurl.

    MW: miles. As in, Safari form cache remembers using “miles” before. Does this mean I’m a Mac fanboy?

  14. Calling all Developers!

    This is what we need (by “we” I mean people who never use the terminal unless there is some emergency that FORCES us to). We need a utility that will not allow the terminal to run UNLESS it is launched by the user. This means that NO OTHER APPLICATION (including the Finder) can launch the Terminal and run scripts. If I want to run a script in the terminal, I would have to run it myself and use the open command or “copy and paste”.

    In 5 years I have yet to REALLY need the terminal for anything. IMHO I think this should be a terminal or OS X preferences option to prevent this behavior.
