Safari web browser auto-executes shell scripts; disable the ‘Open “safe” files after downloading’ option

The option to “Open ‘safe’ files after downloading” in Apple’s Safari web browser has an issue. “This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered ‘safe.’ If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good,” Heise Online reports. “Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.”

“Under normal circumstances, shell scripts begin with a ‘shebang line’ such as ‘#!/bin/bash’ to indicate which interpreter should handle its execution. However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically,” Heise Online reports. “If a script is given an extension such as ‘jpg’ or ‘mov’ and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application — regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.”

“The best immediate recourse against such an attack is to deactivate the option ‘Open ‘safe’ files after downloading’ in the ‘General’ section of Safari’s preferences,” Heise Online reports. “An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.”
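The two ingredients Heise describes, a shebang-less script wearing a media extension and a `__MACOSX/._name` metadata entry that binds the file to `/Applications/Utilities/Terminal.app`, can both be spotted by inspecting the archive instead of double-clicking it. The following Python triage script is an added example and is not code from Heise, MacDailyNews or Apple. It assumes the metadata entry is in AppleDouble format (magic `0x00051607`, entry table of id/offset/length triples, entry 2 = resource fork, entry 9 = Finder info) and that the per-file “Open with” binding sits in the resource fork as an absolute application path (the `usro` resource); rather than parsing the full resource fork it simply searches that fork for absolute `.app` paths, and it uses a small keyword heuristic to decide whether a text file “looks like shell”. The sample archive it builds is constructed for the demonstration and is not a real payload.

```python
"""Triage a downloaded ZIP for the Safari/Finder "open with Terminal" trick:
a shebang-less script with a media extension packed next to a __MACOSX/._name
AppleDouble sidecar whose resource fork binds it to Terminal.app."""
import io
import re
import struct
import zipfile

APPLEDOUBLE_MAGIC = 0x00051607
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9
TERMINAL_PATH = b"/Applications/Utilities/Terminal.app"
MEDIA_EXTS = (".jpg", ".jpeg", ".gif", ".png", ".mov", ".mp4", ".mp3", ".pdf")
# Heuristic (assumption, not an Apple definition): lines that start like shell commands.
SHELL_HINT = re.compile(
    rb"^\s*(rm|curl|osascript|sh|bash|chmod|open|echo|cat|mv|cp)\b|\|\s*sh\b", re.M
)
# Absolute path ending in .app, the form the "open with" binding stores (assumed 'usro' resource).
APP_PATH = re.compile(rb"/[A-Za-z0-9 _./-]+\.app")


def appledouble_entries(blob):
    """Return {entry_id: bytes} for an AppleDouble blob, or {} if it is not one."""
    if len(blob) < 26:
        return {}
    magic, _version = struct.unpack(">II", blob[:8])
    if magic != APPLEDOUBLE_MAGIC:
        return {}
    (count,) = struct.unpack(">H", blob[24:26])  # 16 filler bytes precede the count
    entries = {}
    for i in range(count):
        off = 26 + 12 * i
        if off + 12 > len(blob):
            break
        eid, start, length = struct.unpack(">III", blob[off:off + 12])
        entries[eid] = blob[start:start + length]
    return entries


def open_with_bindings(rsrc):
    """Absolute application paths embedded in a resource fork (heuristic scan)."""
    return [m.decode("ascii", "replace") for m in APP_PATH.findall(rsrc)]


def looks_like_shell(data):
    """True for text with no shebang line that still reads like shell commands."""
    if data.startswith(b"#!"):
        return False  # has an interpreter line; Safari's confirmation prompt covers this case
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False  # genuine image/movie data is binary
    return bool(SHELL_HINT.search(data))


def triage_zip(zip_bytes):
    """Return human-readable findings for one archive given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            data = zf.read(name)
            if base.startswith("._"):
                # AppleDouble sidecar for the entry of the same name minus the "._" prefix
                target = base[2:]
                rsrc = appledouble_entries(data).get(ENTRY_RESOURCE_FORK, b"")
                for app in open_with_bindings(rsrc):
                    findings.append(f"{target}: metadata binds it to {app}")
            elif base.lower().endswith(MEDIA_EXTS) and looks_like_shell(data):
                findings.append(f"{name}: media extension but shebang-less shell text")
    return findings


def build_sample_archive():
    """Constructed sample (not a real exploit): harmless echo script named like a JPEG
    plus a hand-built AppleDouble sidecar whose resource fork names Terminal.app."""
    script = b'echo "this ran from a so-called image" > /tmp/heise_demo\n'
    rsrc = b"RSRC" + struct.pack(">I", len(TERMINAL_PATH)) + TERMINAL_PATH + b"usro"
    finder_info = b"\x00" * 32
    header = struct.pack(">II", APPLEDOUBLE_MAGIC, 0x00020000) + b"\x00" * 16 + struct.pack(">H", 2)
    data_off = 26 + 12 * 2  # header + two entry descriptors
    table = struct.pack(">III", ENTRY_FINDER_INFO, data_off, len(finder_info))
    table += struct.pack(">III", ENTRY_RESOURCE_FORK, data_off + len(finder_info), len(rsrc))
    sidecar = header + table + finder_info + rsrc
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.jpg", script)
        zf.writestr("__MACOSX/._payload.jpg", sidecar)
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_zip(build_sample_archive()):
        print(line)
```

Run against a real download with `triage_zip(open("download.zip", "rb").read())`. A file that is flagged both ways (shell-like text behind a media extension, and a sidecar binding it to Terminal.app) is exactly the case the article describes; a sidecar binding to any other application is still worth a look. Disabling the Safari option remains the primary fix, since this script only helps decide what to do with an archive that has already landed on disk.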

Full article — including a safe online demonstration provided by heise Security that you can use to determine whether your system is affected — here.

MacDailyNews Note: You definitely do not want shell scripts executed without a confirmation prompt just because you visited a web link. How did this extremely stupid mistake slip through, Apple? Hello? Until Apple addresses this issue, deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac OS X users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.

Again: Safari users: Deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.

Secunia Advisory: Mac OS X ZIP Archive Shell Script Execution: Extremely critical. More info here.


Related articles:
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006

90 Comments

  1. Fight Club, Edward Norton: “And this button-down, Oxford-cloth psycho might just snap, and then stalk from office to office with an Armalite AR-10 carbine gas-powered semi-automatic weapon, pumping round after round into colleagues and co-workers. This might be someone you’ve known for years. Someone very, very close to you.”

    “Or maybe you shouldn’t download every little piece of trash you happen to see on the web.”

    Use original code from trusted sites and you’ll be fine is all we’re trying to say!

  2. As complex as an OS is, it has been said often that no OS is perfectly safe. The fact that Apple is selling more units and are entering new markets means new scrutiny of the code. More scrutiny by more people means that the holes will be closed.

    Most of the time these things happen out of the public eye and below the radar of most users, which is as it should be. Reported vulnerabilities are usually reported quietly to the vendor, allowing them time to correct the problem. Only when a company drags its feet on making a patch available do such things ever see the light of day.

    Contrary to popular belief, every version of OS X has shipped with security holes that could have been exploited. The many security updates Apple has released prove that point. The many 3rd party components of the OS such as Apache and Java have had cross platform security issues and will continue to.

    Anyone who thinks that they are invulnerable just because they are running a Macintosh is living in a Fool’s Paradise. I discount most of the FUD from those trying to market software and services, but there is always a grain of truth in any propaganda.

    From the Dictionary:

    fool’s paradise noun [in sing. ] a state of happiness based on a person’s not knowing about or denying the existence of potential trouble : they were living in a fool’s paradise, refusing to accept that they were in debt.

  3. Use original code from trusted sites and you’ll be fine is all we’re trying to say!
    Unfortunately, it’s not as simple as you imply. What, for instance, constitutes a “trusted” site? All it takes is for one major website to be compromised, and suddenly this becomes a major problem. Could you imagine if the Apple webpage was temporarily hacked into, or some Apple insider decided to go crazy and post something malicious on the website?

    There are many ways to be cautious about internet use and still pick up something nasty. I think MacDude illustrated the point pretty nicely.

  4. Rob, unfortunately no and Apple should change this for Leopard.
    If you do a fresh install of Mac OS X, after completing installation and booting for the first time, the installer asks for the creation of at least one user account and that one is, by default, an admin account.
    I don’t remember now if the installer gives you a clue about that or not (it has been a long time since I did a fresh install, as I’ve upgraded from 10.2 onwards until 10.4).
    But now that you know, you should create your user accounts as non-admin accounts.
    The pain is that you will have to transfer your data from your admin account to your new non-admin one.

  5. “This is why Apple is not considered a safe operating system in the “real IT world”. This is a very serious issue… the execution of a shell script from visiting a web page. Your entire home directory could be deleted with one visit to a site!”

    As opposed to the Windows world where the WMF vulnerability makes simply viewing a webpage or email a potential executable virus.

    Please, Apple isn’t considered unsafe in the IT world. The IT world simply doesn’t use Apple because all their legacy enterprise software runs on Windows, and also, using Macs would put them out of a job–that job being to fix the neverending nightmare of Windows errors and flaws.

  6. Hee, hee, hee… even if this doesn’t affect any Apple users, notice how you all are panicky about just the thought of it?

    “There is no problem!There is a problem!”
    Wait until something big hits the Mac, you will all be peeing your pants and whining, “but I thought Macs didn’t get this crap virus type stuff… boo-hoo”.

    Try explaining all this to your grandmother who you convinced to get the mac in the first place…

  7. Then fix it as follows:

    1) Using Finder, go to /Applications/Utilities and rename Terminal.app to _Terminal.app
    2) Copy my replacement Terminal.app into /Applications/Utilities

    To uninstall, just delete my new Terminal.app and rename _Terminal.app back to Terminal.app.

    Download the replacement Terminal application from my .mac idisk by going to Finder, then Go, iDisk, Other User’s Public Folder and typing “pehowland” for the user name.

    This will ensure any call to the Terminal always seeks your permission first.

    Use at your own risk

  8. Hey, Sputnik’s back!! Now I know all is well with the world!! LOL

    Seriously, folks, ever since Opener, when we were all reminded that files can be disguised, we all should have been making sure to set Safari not to auto-open anything! Some new owners may not know that, so it’s always been good to inform those who have followed our advice to go Mac.

    Share and share alike, guys.

  9. Mike B “It all goes back to DON’T DOWNLOAD FROM UNKNOWN SOURCES!!!
    Geez people, STOP THIS INSANITY!!! If you download garbage, don’t be surprised if you get some infections.”

    This is getting completely ridiculous. We were all happily browsing the web free from worry this time last week. It’s the bloody flesh-eating bug all over again. The media have something to hype up and write about for a few days, then they move on and life gets back to normal.

    Just chill out. You’re still a damn sight more secure than you would be if you were browsing with Internet Explorer.

    Honestly, some of you are behaving like a bunch of old women. Do like Michael Jackson does. Take a valium.

  10. PPC wrote:

    “The pain is that you will have to transfer your data from your admin account to your new non-admin one.”

    There’s no transferring of data required. It’s a very simple process to switch to a non-admin account if you are currently running under admin. Just go into System Preferences > Accounts, create a new account and give it admin privileges, and then remove the admin privileges on your original account and go on using it as before.

  11. >>Paul, your solution is nonsense. The solution to this is a click in the Safari preferences box Open “safe” files after downloading

    I’m sorry – your response is nonsense. All that changing that Safari setting does is to prevent the download automatically opening. This is only half the story. You still have downloaded a jpeg, or other media file, that is infected. If you then manually click on the file (which you surely will do, as why else did you download it in the first place?) then it will still run the malicious script. Your machine is just as vulnerable. You could manually check the file contents using the file info, but this is a pain in the butt. Do you really want to do that every time you download a file? That’s worse than Windows! My replacement Terminal script simply intercepts any call to Terminal and automatically seeks your permission before running it. No need to modify Safari, so you can still enjoy the convenience of having safe files automatically open, safe in the knowledge that you will always be asked before Terminal tries to start.

    BTW, your attitude is rude and immature.

  12. I like it when it opens safe files for me. I also like using terminal and accessing it from the utilities folder. I’m not going to change a thing. I am not the least bit worried about getting a virus. geeze… all ya’lls need to stop freakin’ out.

  13. This thing could be likened to a browser spoof, where the address is not what it says it is. I’m not a programmer, but why couldn’t the OS be made to preview the contents of a file without opening it to the full OS an installed apps? Seems like this could be made to work from a logic standpoint and programming is just math logic. Any C, C+, C++, Java, UNIX developers/programmers out there?

  14. Wouldn’t it work to simply move Terminal from /Applications/Utilities to any other location, e.g., /Applications?

    The thingie relies on having Terminal in the standard location. If it’s not there, nothing happens, and you can still use the Terminal yourself when needed.
