OS/X, Safari, ouch!

Apple proves that anyone can make a dumb, easy to exploit mistake:
We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X. "In its default configuration shell commands are execute[d] simply by visiting a web site - no user interaction required." This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website.


The problem is due to a feature that is activated by default: Open Safe Files after downloading. A zip file is considered safe and so they will be opened automatically. Subsequently, a shell script with no #! at the beginning of the script will be executed automatically. No user interaction!

Full description here. Via SANS.

I'm not ragging on Apple here. This is just the kind of error you get when you have a big software package written by actual humans.
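As an added detection example (not from this post, SANS, or Apple), here is a scanner for the precondition described above: an archive entry carrying the Unix executable bit but no `#!` line or other recognisable file header, which is exactly what "Open Safe Files" would hand to Terminal. The archive it inspects is constructed inline; the magic-number list is an assumption covering a few common formats.

```python
"""Flag zip entries that match the Safari "open safe files" bug precondition:
a Unix-executable file with no #! line and no other recognisable header.
Added example, not part of the original post or Apple's code."""
import io
import stat
import zipfile

# Headers that identify a file as something other than an opaque script
# (shebang, ELF, fat/Mach-O binaries, PDF, PNG, nested zip). Assumed list.
KNOWN_MAGIC = (b"#!", b"\x7fELF", b"\xca\xfe\xba\xbe", b"\xfe\xed\xfa\xce",
               b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",
               b"%PDF", b"\x89PNG", b"PK\x03\x04")

def suspicious_entries(zip_bytes):
    """Return names of entries that have the Unix executable bit set and whose
    first bytes are neither a shebang nor a known file signature."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            mode = info.external_attr >> 16  # Unix mode is in the high 16 bits
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            if not executable:
                continue
            head = zf.open(info).read(8)
            if not head.startswith(KNOWN_MAGIC):
                flagged.append(info.filename)
    return flagged

def build_sample_zip():
    """Constructed sample archive: a plain text file, a shell script with a
    proper shebang, and an executable file with no #! line (the risky case)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, data, mode):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = mode << 16  # store Unix permission bits
            zf.writestr(zi, data)
        add("readme.txt", b"hello\n", 0o644)
        add("with_shebang.sh", b"#!/bin/sh\necho ok\n", 0o755)
        add("no_shebang", b"echo this would be handed to Terminal\n", 0o755)
    return buf.getvalue()

if __name__ == "__main__":
    print(suspicious_entries(build_sample_zip()))  # ['no_shebang']
```

Only the executable entry without a shebang is reported; the text file is not executable and the real script carries a recognisable `#!` header.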


You should rag on Apple, because none of the steps involved in causing this attack to happen should have been implemented in the first place. They're all well-known to be risky, and have all been used in exploits in the past.

This is what happens when you have a large company that thinks just being less insecure than Microsoft is good enough.

"Open Safe Files After Downloading" is inherently risky. No files should be considered safe. The user should always make an explicit request to open any file not handled by the browser itself. Approving an action requested by a potential attacker is not making an explicit request.

Automatic execution or interpretation by a general purpose scripting language of any files in an archive, removable media, disk image, or any other potentially untrusted container is inherently risky. Executing code, using applications found in the volume as handlers, or otherwise using them, should be deferred until the user has explicitly requested the code be run, installed, or used.

This should be such a fundamental principle of secure software design that it shouldn't have even occurred to Apple not to follow it.

Just being less insecure than Microsoft is not enough. One might as well laud smallpox as being less deadly than Ebola.

