On March 1, Apple released Security Update 2006-001 which “added a function called ‘download validation’ to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac,” Joris Evers reports for CNET News. “But Apple failed to address a key part of the problem; the fix should be at a lower, operating system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said.”
“With its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. ‘The tools most people use (now) have built-in validation for things before they even get to the desktop,’ [Apple VP Phil Schiller] said. ‘The point of where people get the file is often through the browser and mail and instant messaging.’ Apple’s security fix is an important first step, said Michael Lehn, doctoral candidate and research assistant at the University of Ulm in Germany. ‘I think Apple did the right thing,’ said Lehn, who first disclosed the Mac OS X vulnerability. ‘The fact that a script gets executed automatically had to be fixed immediately. They just have to go further.’”
“The unresolved vulnerability is due to a problem with the Mac OS Finder, the component of the operating system used to view and organize files, Lehn said. The operating system assigns an identifying image, or icon, for a file based on the file extension. However, it decides which application will handle the file based on information that is stored separately from the file, called metadata,” Evers reports. “Apple is thankful for the feedback, Schiller said. The company recognizes that adding more validation, perhaps at a deeper level in the operating system, could help protect users of applications other than Safari, Mail and iChat.”
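A defender-side check for the mismatch Lehn describes, added here as an example that is not from the article, CNET or Apple: it compares what a file's extension claims with the leading bytes of the file's content, flagging shell scripts and Mach-O binaries carrying image or movie names. It does not read the Finder's separately stored metadata; the signature table and the sample files are constructed for illustration.

```python
import os

# Constructed table of extension -> content sniffer (leading bytes only).
def _is_jpeg(b): return b.startswith(b"\xff\xd8\xff")
def _is_png(b): return b.startswith(b"\x89PNG\r\n\x1a\n")
def _is_gif(b): return b.startswith((b"GIF87a", b"GIF89a"))
def _is_isobmff(b):  # QuickTime / MP4 atoms: size (4 bytes) then atom type
    return len(b) >= 12 and b[4:8] in (b"ftyp", b"moov", b"mdat", b"wide", b"free")

SAFE_TYPE_SNIFFERS = {
    ".jpg": _is_jpeg, ".jpeg": _is_jpeg, ".png": _is_png, ".gif": _is_gif,
    ".mov": _is_isobmff, ".mp4": _is_isobmff,
}

# Mach-O magic numbers: 32-bit, 64-bit (both byte orders) and fat/universal.
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
                b"\xca\xfe\xba\xbe")

def looks_executable(head: bytes) -> bool:
    """True if the bytes start like a script (#!) or a Mach-O image."""
    return head.startswith(b"#!") or head[:4] in MACHO_MAGICS

def classify(filename: str, head: bytes) -> str:
    """Classify a file by comparing its extension against its content.

    Returns 'ok', 'mismatch', 'executable-disguised' or 'unknown-extension'.
    """
    ext = os.path.splitext(filename)[1].lower()
    sniff = SAFE_TYPE_SNIFFERS.get(ext)
    if sniff is None:
        return "unknown-extension"
    if sniff(head):
        return "ok"
    if looks_executable(head):
        return "executable-disguised"
    return "mismatch"

def scan(samples: dict) -> dict:
    """Classify every (name -> leading bytes) pair in samples."""
    return {name: classify(name, head) for name, head in samples.items()}

# Constructed sample files: name -> first bytes a downloader would see.
SAMPLES = {
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",            # real JPEG
    "trailer.mov":  b"\x00\x00\x00\x14ftypqt  \x00\x00\x02\x00",    # real QuickTime
    "funny.jpg":    b"#!/bin/sh\necho not a picture\n",              # script as image
    "clip.mov":     b"\xcf\xfa\xed\xfe\x07\x00\x00\x01\x03\x00\x00\x80",  # Mach-O as movie
    "photo.png":    b"not really a png at all",                      # wrong content
    "notes.txt":    b"plain text",                                   # no rule
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```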
Full article here.
MacDailyNews Note: As usual, do not download, install and/or double-click files from untrusted sources. Use the Finder’s “Get Info” command to check any file about which you are unsure before you double-click it.
Related MacDailyNews articles:
Apple releases Security Update 2006-001 for Mac OS X; includes fixes for Safari, Mail, iChat issues – March 01, 2006
Apple releases Mac OS X Tiger Update 10.4.1, fixes Dashboard widget auto-installation issue – May 16, 2005