Safari (and general Mac OS X) critical security vulnerability

From: Aron Roberts <aron_at_socrates.berkeley.edu>
Date: Thu Feb 23 2006 - 15:37:05 PST

   On Monday, February 20, an "extremely critical" security
vulnerability in Mac OS X was reported, one which you and your users
should address immediately.

   That vulnerability is confirmed in this Secunia advisory and in a
CERT note linked from it:

     http://secunia.com/advisories/18963/

   In brief, if a user running Apple's Safari web browser can be
induced - through specially crafted web page content, such as a page
refresh, or through social engineering - to download a ZIP archive
file, a script contained within that file can be automatically run in
the default shell, with the privileges of the current user, via the
Mac OS X Terminal application. Simply downloading the file in Safari
is sufficient for this to occur; no other manual user actions are
required.

What to do now
--------------
Until this vulnerability is addressed by Apple, you can protect
yourself by making a change to Safari's preferences: in the
Preferences window, in the "General" tab, turn OFF the 'Open "safe"
files after downloading' option, as shown in this screenshot:

      http://www.us-cert.gov/reading_room/securing_browser/#sgeneral

   That setting is enabled (i.e. turned on) by default, so it is
likely that many Mac OS X users may be at risk for this vulnerability
if they use Safari to browse the web. (That setting happened to be
enabled in my copy of Safari, for example.)

   In addition, many campus Mac OS X users are likely to be working in
a user account with Admin privileges - which is the default for the
first account set up under Mac OS X - so any malware would run with
those privileges.

More about the vulnerability
----------------------------
The underlying vulnerability appears to be broader than just a
Safari issue, but the Safari exploitation scenario is by far the
greatest concern.

   An excellent description of this issue for a general audience is:

      http://www.macuser.com/security/when_safe_isnt_safe.php

   And details are provided at:

     http://www.heise.de/english/newsticker/news/69862
     (regarding the immediate Safari vulnerability)

     http://daringfireball.net/2006/02/safari_shell_script_exploit
     and
     http://www.unsanity.org/archives/000449.php
     (regarding the underlying issues)

   In general, this vulnerability appears to offer yet another
mechanism for someone to disguise the nature of a file under Mac OS X
- to make a script or other executable file look like a JPEG image,
QuickTime movie, or other innocuous file when viewed on the Desktop -
but then to have that file automatically execute malicious code when
opened. As John Gruber concludes in his Daring Fireball article,
above:

>It boils down to this: you can't safely double-click files from
>untrusted sources, and you never could. This is no different today
>on Mac OS X 10.4 than it was a decade ago on Mac OS 8 and 9.
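   As an added illustration (not part of the original posting, and
not a tool from any of the sites linked above), here is a small
Python check a defender might run over a downloaded ZIP archive
before opening anything in it. It flags members whose name suggests
an image, movie or document but whose content starts with a shebang
or whose Unix mode bits mark them executable, and it reports any
__MACOSX metadata entries, since those carry Finder attributes the
file name alone does not show. The sample archive, its file names and
the extension lists are my own constructed choices.

```python
import io
import zipfile

# Extensions a user would expect to be inert when double-clicked
# (constructed list; extend to taste).
INNOCUOUS_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".mov", ".mp3", ".pdf", ".txt"}


def looks_like_script(head: bytes) -> bool:
    """A shebang at byte 0 is what the shell honours, whatever the name says."""
    return head.startswith(b"#!")


def is_unix_executable(info: zipfile.ZipInfo) -> bool:
    """ZIP stores the Unix mode in the high 16 bits of external_attr."""
    return bool((info.external_attr >> 16) & 0o111)


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Return one finding per member whose name and content disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
            with zf.open(info) as fh:
                head = fh.read(64)
            if ext in INNOCUOUS_EXTS and looks_like_script(head):
                findings.append(f"{name}: shebang content behind a {ext} name")
            elif ext in INNOCUOUS_EXTS and is_unix_executable(info):
                findings.append(f"{name}: executable mode bits on a {ext} name")
            if name.startswith("__MACOSX/._"):
                findings.append(f"{name}: AppleDouble metadata entry (Finder attributes hidden from view)")
    return findings


def build_sample_zip() -> bytes:
    """Constructed fixture: one real-looking JPEG and one script named like a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # JFIF magic, harmless
        info = zipfile.ZipInfo("beach.jpg")
        info.external_attr = 0o100755 << 16  # regular file, mode 755
        zf.writestr(info, b"#!/bin/sh\necho 'this would have run'\n")
    return buf.getvalue()


if __name__ == "__main__":
    for line in suspicious_members(build_sample_zip()):
        print(line)  # prints: beach.jpg: shebang content behind a .jpg name
```

The check only looks at what is visible inside the archive; it is a
triage aid, not a substitute for turning off the 'Open "safe" files'
option described above.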

Aron Roberts
Workstation Software Support Group

P.S. This issue appears to be based, in part, on the Launch Services
mechanism in Mac OS X. That mechanism was involved in another
serious vulnerability two years ago, in Spring 2004, as described in
this MAGNet posting from that time:

   http://ls.berkeley.edu/mail/magnet/2004/0191.html

Received on Thu Feb 23 15:38:52 2006
