The option to “Open ‘safe’ files after downloading” in Apple’s Safari web browser has an issue. “This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered ‘safe.’ If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good,” Heise Online reports. “Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.”
“Under normal circumstances, shell scripts begin with a ‘shebang line’ such as ‘#!/bin/bash’ to indicate which interpreter should handle its execution. However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically,” Heise Online reports. “If a script is given an extension such as ‘jpg’ or ‘mov’ and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application — regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.”
“The best immediate recourse against such an attack is to deactivate the option ‘Open ‘safe’ files after downloading’ in the ‘General’ section of Safari’s preferences,” Heise Online reports. “An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.”
Full article — including a safe online demonstration provided by heise Security that you can use to determine whether your system is affected — here.
MacDailyNews Note: You definitely do not want shell scripts executed without a confirmation prompt just because you visited a web link. How did this extremely stupid mistake slip through, Apple? Hello? Until Apple addresses this issue, deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac OS X users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.
Again: Safari users: Deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.
Secunia Advisory: Mac OS X ZIP Archive Shell Script Execution: Extremely critical. More info here.
• MacBook Pro. The first Mac notebook built upon Intel Core Duo with iLife ’06, Front Row and built-in iSight. Starting at $1999. Free shipping.
• iMac. Twice as amazing — Intel Core Duo, iLife ’06, Front Row media experience, Apple Remote, built-in iSight. Starting at $1299. Free shipping.
• iMac and MacBook Pro owners: Apple USB Modem. Easily connect to the Internet using dial-up service. Only $49.
• iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.
• iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
• Connect iPod to your television set with the iPod AV Cable. Just $19.
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006