The option “Open ‘safe’ files after downloading” in Apple’s Safari web browser can be abused to run shell commands without any confirmation prompt. “This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered ‘safe.’ If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good,” Heise Online reports. “Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.”
“Under normal circumstances, shell scripts begin with a ‘shebang line’ such as ‘#!/bin/bash’ to indicate which interpreter should handle its execution. However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically,” Heise Online reports. “If a script is given an extension such as ‘jpg’ or ‘mov’ and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application — regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.”
“The best immediate recourse against such an attack is to deactivate the option ‘Open ‘safe’ files after downloading’ in the ‘General’ section of Safari’s preferences,” Heise Online reports. “An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.”
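The two ingredients heise describes (a data entry whose bytes are not the image or movie its extension claims, and a Finder metadata sidecar in the archive that binds that entry to Terminal.app by absolute path) can be checked for before an archive is opened. The scanner below is an added example, not code from heise, Michael Lehn or Apple. It assumes the sidecar is the `__MACOSX/._name` entry Finder-created ZIPs carry, that the Terminal path appears in it as plain bytes (so a substring search suffices; the exact AppleDouble encoding of the binding is not reproduced), and that a few well-known magic numbers are enough to tell a real JPEG, PNG, GIF or QuickTime file from shell text. The sample archives are constructed inline and contain only a harmless `echo`.

```python
"""Flag ZIP entries that pose as media but carry shell text and/or are bound
to Terminal.app by a Finder metadata sidecar.  Added example; the sidecar
encoding and the magic-number table are assumptions of this example."""
import io
import posixpath
import zipfile

# Absolute path heise says the metadata carries.  Searched for as raw bytes.
TERMINAL_PATH = b"/Applications/Utilities/Terminal.app"

# QuickTime files carry an atom type at offset 4; this set covers common ones.
QT_ATOMS = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip"}


def looks_like_claimed_type(name: str, head: bytes) -> bool:
    """True if the leading bytes are plausible for the file's extension.
    Extensions not in the table return True: nothing to compare against."""
    ext = posixpath.splitext(name)[1].lower()
    if ext in (".jpg", ".jpeg"):
        return head.startswith(b"\xff\xd8\xff")          # JPEG SOI marker
    if ext in (".mov", ".mp4", ".m4v"):
        return len(head) >= 8 and head[4:8] in QT_ATOMS  # QuickTime atom
    if ext == ".png":
        return head.startswith(b"\x89PNG\r\n\x1a\n")
    if ext == ".gif":
        return head[:6] in (b"GIF87a", b"GIF89a")
    return True


def sidecar_for(name: str) -> str:
    """Name of the Finder metadata entry that accompanies a data entry."""
    directory, base = posixpath.split(name)
    return posixpath.join("__MACOSX", directory, "._" + base)


def scan_zip(data: bytes) -> list:
    """Return (entry, reason) findings for a ZIP given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in names:
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue                          # sidecars and directories
            head = zf.read(name)[:64]
            if not looks_like_claimed_type(name, head):
                findings.append((name, "content does not match extension"))
                # heise: with a shebang Safari prompts; without one it does not.
                if not head.startswith(b"#!"):
                    findings.append((name, "no shebang: would run without Safari's prompt"))
            sidecar = sidecar_for(name)
            if sidecar in names and TERMINAL_PATH in zf.read(sidecar):
                findings.append((name, "sidecar binds file to Terminal.app"))
    return sorted(findings)


def build_sample(malicious: bool) -> bytes:
    """Constructed sample archives; b'\\x00\\x05\\x16\\x07' is the AppleDouble magic."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("clip.mov", "echo harmless demo\n")      # shell text, no shebang
            zf.writestr("__MACOSX/._clip.mov",
                        b"\x00\x05\x16\x07" + TERMINAL_PATH + b"\x00")
        else:
            zf.writestr("clip.mov", b"\x00\x00\x00\x14ftypqt  " + b"\x00" * 16)
            zf.writestr("__MACOSX/._clip.mov", b"\x00\x05\x16\x07\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("benign", False), ("suspect", True)):
        print(label, scan_zip(build_sample(flag)))
```

The scan deliberately reports the shebang case separately: a script with a shebang is still a script, but, per the heise description, it is the one Safari would at least prompt on.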
Full article — including a safe online demonstration provided by heise Security that you can use to determine whether your system is affected — here.
MacDailyNews Note: You definitely do not want shell scripts executed without a confirmation prompt just because you visited a web link. How did this extremely stupid mistake slip through, Apple? Hello? Until Apple addresses this issue, deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac OS X users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.
Again: Safari users: Deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.
Secunia Advisory: Mac OS X ZIP Archive Shell Script Execution: Extremely critical. More info here.
Related articles:
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
This is why Apple should use metadata to tag filetype rather than .extension. The file says kind:Terminal.app, but the icon and extension is .mov
There’s all kinds of flags that show this isn’t what it appears to be.
PowerUser: Word! As in, Tell it to the people, brother. (not the word processor)
“This is why Apple is not considered a safe operation system in the “real IT world”.”
You obviously are a total moron because as much troll-food and FUD you spread here you’ve never mentioned this ONCE. Now, just now you say something about it.
You are either a fraud or a total quack at what you do, which would put you about on par with the rest of the PC dweebs I’ve met who worship Redmond.
And it’s operatING system you dolt.
Would I get the same protection if I just moved Terminal to a different folder but I still let Safari open safe files after downloading? I like the idea of Safari doing things for me, but I still would like some security.
Thanks.
Mike Buonarroti,
Actually, you’re the type that is probably more likely to get a trojan or other malicious code. Worse than an ignorant fool is the overconfident and arrogant, ignorant fool.
this is old news really…
Apple and other security experts years ago gave warning as well as recommended shutting off the feature if an end user wanted to be more careful on the web via downloading unknown software, etc… Mine has been shut off for about 2 years or more!
I hope all the bright sparks amongst us are already putting their thoughts on the OS X feedback page, where they should be going.
Terminal needs something to protect its power. Maybe it should only open with the admin password.
Hear hear. If I do that and download the *malware* file and use Stuffit Expander on it, I get a warning that the jpg or mov is fishy and to use extra care. Examining the file, it has “Open With” set to Terminal.
If instead of using Stuffit Expander I do the unzip in the Terminal directly, I get a jpg or mov (there are two *proof* files available around), but this time the “Open With” is not set to Terminal but to Preview and QuickTime as it should be; that is, /usr/bin/zip /unzip is not fooled, and if you double-click on those files you get, as you should, a Preview or QuickTime error.
Uhmmmm
I’m going to go ahead and go to work now. I assume by the time I get home “you guys” will have this issue all worked out.
I agree with the few that have said this all goes back to: know what and from where you download. I’ll wait for Apple’s comment on this one.
MDN, I hope you are not becoming one of the writers of the 100 news articles for the 1 people which have been infected. Watch that drool MDN and we’ll soon find out.
Mike Buonarroti,
I like your view of the Mac Trojans.
This is VERY old. I have had this feature disabled since Safari was released.
I have a problem with the execution of this paragraph.
“However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically,” Heise Online reports.”
The above quote is nutty. It is like the writer is saying, “Your OS X can be wiped-out if you give specific orders by way of Unix commands typed in the Terminal.” Well, what if you don’t? And there is the fault with the article.
To clear this up I would write:
“If the user has assigned the Finder to open scripts using the Terminal found in Utilities, the Mac OS X can load scripts without a shebang which will be executed by a shell.”
No shit. Doh! But who is going to use the Terminal found in Finder under Application in Utilities? Check out the two radio buttons. One is /usr/bin/login command. This is the root. Don’t you need a password? I am not aware, the way the article suggests, that OS X will execute automatically unless, through the Terminal, you’ve typed in specific Unix commands to do such. I could be wrong about this. But I can’t buy the article. It seems quirky.
Mine has been deactivated for more than a year now after I took some time to check all of Safari’s preferences options. It was such an obvious security measure that I didn’t need anyone to tell me.
Now, if you do run your sessions as a non-admin user, none of this gets to you, so please, people, start running Mac OS X as it is intended to be run: as a non-admin user.
You only need one admin account, and that should not be your default account!
You only need to log in as admin when you do software updates from Apple or when you install something from a third party vendor, one, of course, that you should know beforehand…
Even when doing such updating of your Mac OS X system, you do not need to log in as an admin user, all you need to do is provide the admin user name and password at the prompt that pops up requesting it.
And remember: root is deactivated by default.
So, if you run your Mac OS X system as a normal user, nothing of that crap of Leap-A, Inqtana, Safari’s default behaviour, will affect you.
Mac OS X: the most secure operating system in the world. Period.
With all the stories circulating right now, it seems the easiest social engineering would be to drop in to MDN, et al and help all those non-terminal users. For example…
The safest way to rectify this problem is:
1. Open terminal
2. “/delete all files”
After reading the forums last week, you’d see people typing “Thanks for the info Dr. XYZ, I’ll do that now.” Two posts later they return with, “I tried it in terminal and it didn’t work, do I type in or replace that with something else?”
ppc: but does Apple inform us to do it this way?
Not all Mac users are so advanced as to make the logical thought process on this one.
Most of my family and friends are using Macs in their business, I am certain they all have one account- Admin.
“This is VERY old. I have had this feature disabled since Safari was released.”
Same here, there have been warnings out there to deactivate the open safe files setting in Safari for a LONG time. This is NOT new advice at all…
“This is what we need (by “we” I mean people who never use the terminal unless there is some emergency that FORCES us to). We need a utility that will not allow the terminal to run UNLESS it is launched by the user. This means that NO OTHER APPLICATION (including the Finder) can launch the Terminal and run scripts. If I want to run a script in the terminal, I would have to run it myself and use the open command or “copy and paste”.
In 5 years I have yet to REALLY need the terminal for anything. IMHO I think this should be a terminal or OS X preferences option to prevent this behavior.”
Simply don’t run as an Admin account and exercise Parental Controls on your account. Set it so you can’t run the Terminal.
In fact, you can set Parental Controls so ONLY certain apps can be run in an account. This would prevent Applescript Apps from running.
You can treat yourself like a child…
How long is it going to take for the Mac fanboys to understand that their platform is doomed with security problems? There are so many problems that are being posted that I doubt anyone will be able to keep up within the next two weeks. Now is the time to switch over to Windows — a fast, secure, and feature rich operating system that does not suffer from the brainless “we are safe so don’t worry” syndrome. As someone who switched from Mac to Windows I can tell you that it is nice having applications that run at full speed and security software that is written for the enterprise. Apple is a lost cause, pretending that there are no security problems while trying to hide the speed problems and sales issues of their computer systems.
The failure of Apple to deal with security concerns is going to be the death knell of them. Without a way of securing your data, a computer is worthless and Apple has proved itself to be useless. I wonder if Apple will sell enough ipods to keep up with the lawsuits that are going to come down the line from users hosed by OSX and all the broken parts that make up that pseudo-operating system?
Why do you idiots even address Sputnik’s comments? Are you too stupid to see that the only reason he posts is to get your collective panties in a bunch. Ignore him and he will go away. He knows what he is saying is ridiculous, so he is not the idiot here. The ones debating the merits of his comments are the real morons.
Sputnik –
I’m with ya, Buddy. Remove all Macs from the Internet, now. Oh, and Windows machines, too. And, don’t forget Linux. From now on, the Internet shall be the exclusive preserve of the Commodore Amiga. Forget about buying one of those, though, as IT departments around the world are already busy snapping up the last used ones on eBay for $5,000 apiece. Oh, and since there are no “safe” cars, we shall henceforth all ride bicycles. No, those can tip over. Tricycles.
I smell progress in the air. Or something.
SOLUTION HERE:
OK, I rose to daddydoodaa’s challenge and have written a very simple Automator script to intercept calls to Terminal and seek your permission to run Terminal before executing. To do this you must:
1) Using Finder, go to /Applications/Utilities and rename Terminal.app to _Terminal.app
2) Copy my replacement Terminal.app into /Applications/Utilities
To uninstall, just delete my new Terminal.app and rename _Terminal.app back to Terminal.app.
This fix works on my machine and seems completely harmless. However, use it at your own risk – I am not responsible for any unintended side effects.
The paranoid amongst you should also verify my script inside Automator before installing – after all, I could just be playing a nasty social engineering joke on you…
Download the replacement Terminal application from my .mac idisk by going to Finder, then Go, iDisk, Other User’s Public Folder and typing “pehowland” for the user name.
Paul
Stupid Apple haven’t learned a thing
Of course I’ve learned long ago to disable “auto opening of safe files” when we had the URL Handler exploits of pre 10.3.5
http://www.macosxhints.com/article.php?story=20040517155635846
“It's not a Safari problem, but Safari makes it worse by allowing a link to automatically download and mount a disk image without the user's direct approval of the process. This allows an attacker to place their script in a known location for easy running via the Help URL script exposure. If you don't use Safari, you should at least change the Help URL helper application to something else until Apple releases a patch.
Update: Based on the comments and demo, I see that this vulnerability is not dependent on a locally installed script, as it can be used to execute a shell command as well. Thanks for the knowledge!”
You can further protect your system by turning off URL handlers etc. you’re not using by downloading RCDefaultApp from rubicode.
What this does is interrupts the “chain of events” that a potential piece of malware may rely upon due to Apple’s gross negligence in realizing the importance of not automating everything to death.
http://www.rubicode.com/Software/RCDefaultApp/
Mike Buonarroti
I don’t know what it is but I don’t like the idea of you
Can you try to change your attitude towards the world? or if that fails, could you please cease to exist?
Thank you
ah, and so it starts…was waiting for this day.
“It all goes back to DON’T DOWNLOAD FROM UNKNOWN SOURCES!!!
Geez people, STOP THIS INSANITY!!! If you download garbage, don’t be surprised if you get some infections.”
Gee, that sounds like the advice given to Windows users. Which would make Windows as safe as a Mac, if you don’t download from unknown sources.
Mike Buonarroti
It all goes back to DON’T DOWNLOAD FROM UNKNOWN SOURCES!!!
Geez people, STOP THIS INSANITY!!! If you download garbage, don’t be surprised if you get some infections.
It’s the simple fact that just by visiting a website a download can occur.
Then Safari opens things automatically like a good blind idiot.
Safari needs a download warning, I told them
But no, all they do is check for an application.
http://www.rubicode.com
My last post has a link that a download occurs, but the link looks like it goes to a web site.
Well it does go to a web site, but the site starts a download.
What Apple needs to do is make a pop-up window to warn users that a download is occurring before it starts.