Friday, February 24, 2006

Major Vulnerability in Safari

Michael Lehn, a PhD student in Denmark, has discovered a security hole in Safari that every Mac user should be cautioned about. As of writing, Apple Computer Inc. has yet released a patch. It did release 10.4.5, the latest upgrade of its Mac OSX, slightly before the vulnerability was made public. But after installing on my machine the vulnerability still persists.

Are you safe?

To allow Mac users find out whether their machines are safe, Secunia, a security company, has provided a test on its website http://secunia.com/advisories/18963.

Before running the test, you will need to set your Safari to open 'Safe' files automatically. You can locate the settings at Safari->Preference.

Follow the instructions on the website on where to click in order to download a file which is seen as 'safe' by Safari. The goal is to test whether the file will be opened automatically, which it shouldn't. Upon opening the file it runs a benign script that attempts to launch the Calculator app. When the calculator pops up, you are NOT safe.

A look inside the hole

'Safe' files in Safari include movies, pictures, audio, PDF, archives etc. One might argue that opening these files automatically is a convenient feature, but it is always a bad feature in terms of security.

The test provided by Secunia demonstrates that a hacker can decorate malicious shell scripts to look like 'safe' files. Keep in mind that the UNIX shell scripting is a very powerful tool, capable of performing a lot of admin-level exercise on the computer, so you really don't want some jokers to run scripts as will on your machine.

Prevention is better than cure

Apple is working on 10.4.6 now. I believe they will patch this hole with the release. That said, opening downloaded files automatically is always a bad idea. To stop this kind of threat once and for all, you should turn off the option.

Final note

Always accept files only from sources you can trust, and do not open suspicious files simply out of curiosity! This way you will save yourself from many troubles!


Yet another Mac tips is on the web!

2 comments:

Soroush Khanlou said...

If you use Saft (http://haoli.dnsalias.com/Saft/) $12, it fixes this bug.

Anonymous said...

how can you run the test?