The option to “Open ‘safe’ files after downloading” in Apple’s Safari web browser has an issue. “This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered ‘safe.’ If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good,” Heise Online reports. “Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.”
“Under normal circumstances, shell scripts begin with a ‘shebang line’ such as ‘#!/bin/bash’ to indicate which interpreter should handle its execution. However, Mac OS X will load scripts without a shebang line into the Terminal where it will be executed by a shell. If the user has assigned the Finder to open scripts using the Terminal, this will happen automatically,” Heise Online reports. “If a script is given an extension such as ‘jpg’ or ‘mov’ and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application — regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.”
“The best immediate recourse against such an attack is to deactivate the option ‘Open ‘safe’ files after downloading’ in the ‘General’ section of Safari’s preferences,” Heise Online reports. “An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.”
Full article — including a safe online demonstration provided by heise Security that you can use to determine whether your system is affected — here.
MacDailyNews Note: You definitely do not want shell scripts executed without a confirmation prompt just because you visited a web link. How did this extremely stupid mistake slip through, Apple? Hello? Until Apple addresses this issue, deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac OS X users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.
Again: Safari users: Deactivate the option “Open ‘safe’ files after downloading” in the “General” section of Safari’s preferences. Mac users in general (including those who do not use Safari) should take the additional protective measure of moving the Terminal application from /Applications/Utilities into a different folder for the time being.
Secunia Advisory: Mac OS X ZIP Archive Shell Script Execution: Extremely critical. More info here.
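A defensive check for the archive pattern described above, as an added example that is not from Heise Online, Secunia or MacDailyNews: it flags ZIP entries whose bytes do not match their media extension and notes whether a metadata companion file accompanies them. The `__MACOSX/._<name>` location of that metadata file is not stated in the article and is assumed here, and the sample archive is constructed.

```python
import io
import posixpath
import zipfile

# (offset, signatures) for media types a browser may auto-open as "safe".
MAGIC = {
    ".jpg": (0, [b"\xff\xd8\xff"]),
    ".jpeg": (0, [b"\xff\xd8\xff"]),
    ".png": (0, [b"\x89PNG\r\n\x1a\n"]),
    ".gif": (0, [b"GIF87a", b"GIF89a"]),
    ".mov": (4, [b"ftyp", b"moov", b"mdat", b"free", b"wide"]),
}

def appledouble_name(name):
    """Assumed path of the metadata companion that Mac OS X adds for `name`."""
    head, _, tail = name.rpartition("/")
    return "__MACOSX/" + (head + "/" if head else "") + "._" + tail

def looks_like_text(sample):
    """True when the sample is printable ASCII, as a shell script would be."""
    return bool(sample) and all(b in b"\t\n\r" or 32 <= b < 127 for b in sample)

def audit_zip(data):
    """Report entries whose bytes contradict their media extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            ext = posixpath.splitext(name)[1].lower()
            if name.startswith("__MACOSX/") or ext not in MAGIC:
                continue
            offset, sigs = MAGIC[ext]
            with zf.open(info) as fh:
                head = fh.read(512)  # only the header is needed
            if any(head[offset:].startswith(s) for s in sigs):
                continue  # content matches the claimed type
            findings.append({"name": name,
                             "text_like": looks_like_text(head),
                             "has_shebang": head.startswith(b"#!"),
                             "has_metadata": appledouble_name(name) in names})
    return findings

def build_sample():
    """Constructed archive: one JPEG header, one mislabelled text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("photo.jpg", b"echo constructed-sample\n")
        zf.writestr("__MACOSX/._photo.jpg", b"\x00\x05\x16\x07" + b"\x00" * 22)
    return buf.getvalue()
```

An entry reported with `text_like` true, `has_shebang` false and `has_metadata` true is the combination the article describes; `audit_zip(build_sample())` reports only `photo.jpg`.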
Related articles:
Report: Apple developing fix for automatic execution of shell scripts – February 21, 2006
geez, with all the comments on this board, I almost thought I was in a Winblows forum…
Hey MDN, you think now is a good time to stop spouting the “97,467 Microsoft Windows viruses vs. zero for Apple Mac’s OS X” BS you’ve been convincing us for the past few years?
this site is hilarious…
iPodder – that’s essentially what my script does, but then uses Automator to replace the default Terminal application with a dialogue box that asks your permission to call the moved application.
Incidentally – this is not just a Safari exploit. This is an exploit of MacOS and will also affect any file (jpeg, gif, mp3, etc, etc) you might obtain via the web, email, iChat, ftp, bittorrent or any other mechanism. That’s why changing the Safari option fixes very little.
Paul,
I find it hard to believe that calling a proposed solution nonsense would be rude, but, of course, your mileage may vary…
As for the “solution”, yes I still think it is absurd to do that to an important app as Terminal when all you have to do is:
1. Run your account as non-admin.
2. Disable Open “safe” files after downloading.
3. Yes, check the files one double-clicks.
Besides, everyone should KNOW what one is downloading in the first place…
Peace
So how can this thing be called “Extremely critical” if most of the mac users out there will probably never browse to / download from a site that has malicious code on it?
They really ought to reserve words like that for the Windoze malware/viruses/worms/etc. that spread all over the place like they are pretending to be Speed Racer. This one could be marked as “important tip” or “good advice.”
A web site creator can make use of the meta refresh tag to automatically download a file to a user’s machine, whether they’re using Safari or Firefox. Combine that with this vulnerability, and you’ve got a potential spyware/trojan threat. Hope Apple fixes this pronto!!
Another good solution is to just not use Safari. Camino is much, much better than Safari, and has a much better look and feel. Firefox is OK too, but to me it looks and feels too much like a Windows program running on OS X. And what’s up with that disappearing Refresh button, Firefox team?
Following these steps will disable the ability to auto-execute terminal scripts from the finder. When you launch terminal, it will ask you to login with a username and password. This will happen every time you open a terminal window or attempt to launch a terminal script.
1. open terminal
2. open terminal preferences
3. select the 2nd radio button for “when creating a new terminal window”
4. This button will say “execute this command (specify complete path)”
5. in the textbox type “/usr/bin/login”
Selecting the first radio button won’t work even though it looks the same. The first button performs an auto-logon skipping authentication. You must select the second radio button and manually type in the path. This will protect you from any malicious terminal scripts.
> As for the “solution”, yes I still think it is absurd to do that to an important
> app as Terminal when all you have to do is:
> 1. Run your account as non-admin.
> 2. Disable Open “safe” files after downloading.
> 3. Yes, check the files one double-clicks.
Running the account as non-admin will not prevent a malicious file from, for example, deleting all your personal files – photos, iTunes collection, etc.
Disabling open “safe” files gives the user a chance to manually check a file, but does not solve the vulnerability. Remember, with your solution you’ll need to check a file every time you double-click it – not just for Safari downloads, but email, ftp, iChat, bit torrent, etc, etc. Manually checking every file seems more “absurd” than using a script to do it automatically (which is essentially what I provide), but I guess that’s a personal decision.
I was hoping that the discovery of three separate vulnerabilities within the span of a week for the Macintosh would instill some measure of humility in MacDailyNews posters. Boy, was I wrong.
> Following these steps will disable the ability to auto-execute terminal
> scripts from the finder. When you launch terminal, it will ask you to login
> with a username and password. This will happen every time you open a
> terminal window or attempt to launch a terminal script.
>
> 1. open terminal
> 2. open terminal preferences
> 3. select the 2nd radio button for “when creating a new terminal window”
> 4. This button will say “execute this command (specify complete path)”
> 5. in the textbox type “/usr/bin/login”
>
> Selecting the first radio button won’t work even though it looks the same.
> The first button performs an auto-logon skipping authentication. You
> must select the second radio button and manually type in the path. This
> will protect you from any malicious terminal script.
That’s a nice solution. Two comments:
1) You’ll need to do this for every account on the system. The preferences are local.
2) It’s better to use “/usr/bin/login <username>” where <username> is your user name. That way, you only get asked for your password.
Thanks Paul.
I just checked out your automator script. I like your solution, but it has one minor drawback, when you upgrade OSX, you’ll have to remember to rename _Terminal.app. I wish chmod had a user specific feature. I would love to have application specific execution permissions. (instead of just read/write).
Another solution (the one i’m actually using) is to remove all non-admin privileges from terminal.app. This would make terminal totally invisible to most users. If i want to execute a shell script i must login as an admin user (hooray fast user switching). When i try to run it as a non-admin user, nothing happens, terminal won’t launch. This solution is probably not acceptable to most people. I’ll give the instructions anyway:
1. login using an admin account
2. get info on terminal
3. change the owner to <admin-username>
4. where it says others select “no access”
You can’t get much safer than this =). Then again, I almost never execute shell scripts and when i want to use command line i use iTerm instead of Terminal.app.
First thing. You can easily configure a webpage to download a file without any user interaction. It is beyond trivial. You can even hide it by using an iframe and have the frame meta-refresh. So everyone who says, “Don’t download files” is wrong. It can happen on any malicious website automatically.
Second thing. To those who say, “Don’t go to unknown websites.” The problem there is that it is relatively easy for a cracker to change a site he doesn’t own. It happens all the time. If someone targets a Mac site and puts in some malicious code, it could affect a lot of users before the website owner has a chance to fix the problem.
Apple needs to fix this soon but everyone needs to go and turn off Open “safe” files after downloading. It is a simple thing to do and will protect you from getting hit.
Thanks for the advice and counsel Mr. MacDailyNews!
“That’s a nice solution. Two comments:
1) You’ll need to do this for every account on the system. The preferences are local.
2) It’s better to use “/usr/bin/login <username>” where <username> is your user name. That way, you only get asked for your password.”
That is a nice solution, and your further info helps a lot. Thanks.
“Another solution (the one i’m actually using) is to remove all non-admin privileges from terminal.app. This would make terminal totally invisible to most users. If i want to execute a shell script i must login as an admin user (hooray fast user switching). When i try to run it as a non-admin user, nothing happens, terminal won’t launch. This solution is probably not acceptable to most people. I’ll give the instructions anyway:
1. login using an admin account
2. get info on terminal
3. change the owner to <admin-username>
4. where it says others select “no access””
Very acceptable to me =). Thanks.
One thing I want to bring up – OS X is VERY powerful and its Unix underpinnings are the engine of that power. However, forcing the average user to use the terminal in ANY way seems antithetical to the original Macintosh OS ideology. The exclusion of a CLI was one of the very foundations of the Mac OS – the GUI. I’m not saying that it is necessarily bad to have one, but, my point still remains – The average user should not have to deal with such things.
Apple needs to continue to improve on issues like these and remember where they came from. I personally like having a CLI at my disposal, if I choose to use it, but it should not be a necessity.
And furthermore – MDN should be slamming Apple up one side and down the other on the last point I just made.
Why? – Because if Apple does not pay attention to these Unix/terminal issues, then the old slogan of “Macintosh – The computer for the rest of us” will have become a farce.
I’m not saying they have to “dumb-down” the OS, but they sure as hell better integrate the Unix underpinnings with the user experience.