OS/X, Safari, ouch!

Apple proves that anyone can make a dumb, easy to exploit mistake:
We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X. "In its default configuration shell commands are execute[d] simply by visiting a web site - no user interaction required." This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website.

...

The problem is due to a feature that is activated by default: Open Safe Files after downloading. A zip file is considered safe and so it will be opened automatically. Subsequently, a shell script with no #! at the beginning of the script will be executed automatically. No user interaction!

Full description here. Via SANS.

I'm not ragging on Apple here. This is just the kind of error you get when you have a big software package written by actual humans. Still, it's a good reminder that just because it's not written by Microsoft doesn't mean it's safe.
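As an added illustration (not code from this post, from SANS or from heise): a small Python check a defender could run over a downloaded archive before anything opens it, flagging members that carry an execute bit but have no `#!` line, the combination the quoted description pins the problem on. The archive is constructed inline, and the heuristic is an assumption about what is worth inspecting, not a reproduction of how LaunchServices decides file types.

```python
import io
import stat
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not from the post): a plain text file, a
    script with a proper '#!' line, and an executable member whose contents
    are shell commands but which has no '#!' at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "notes\n")
        for name, body in (("tidy.sh", "#!/bin/sh\necho tidy\n"),
                           ("run.sh", "echo no shebang here\n")):
            info = zipfile.ZipInfo(name)
            # The Unix mode lives in the high 16 bits of external_attr.
            info.external_attr = (stat.S_IFREG | 0o755) << 16
            zf.writestr(info, body)
    return buf.getvalue()


def suspicious_members(zip_bytes: bytes) -> list:
    """Names of regular-file members that have an execute bit set and do not
    start with '#!': marked runnable, yet with no declared interpreter, which
    is the case the report says gets executed with no user interaction."""
    hits = []
    with zipfile.ZipInfo, zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        pass
    return hits
```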

3 Comments

Ack, you posted the same thing twice.


I won't post my comment twice, but I still say this wasn't just a stupid mistake, it's a deliberately stupid one: they should have fixed it the FIRST time this problem showed up... what, two years ago?


So, yes, DO BLAME APPLE, and TELL THEM they screwed the pooch.

They are not the first to do this, back in 1993 there was a secondary distribution of Mosaic that had csh in the TERMCAP file.

Computer systems are complex, all security goofs look idiotic when they are explained and understood. The Apple and Unix guys are no smarter than the people who put Windows together, they are just a heck of a lot smugger.

If you repeat something often enough there are people who will think it must be true. That's how an O/S that never even made a B2 Orange book rating has gained a reputation for 'security'. If all the security goofs made by Apache and Sendmail were attributed to Unix the way that IIS &ct. errors are attributed to Windows the picture looks rather different.

Security is the result of good architectural principles and effective QA processes. So far nobody has managed to work out how to do that without making mistakes. The only difference is that the Redmond club are no longer smug.

"back in 1993 there was a secondary distribution of Mosaic that had csh in the TERMCAP file."

I'm sorry, I can't parse that. I don't even know what you're trying to say. What do you mean by "csh in the TERMCAP file"?

Look, LaunchServices has the ability to run ANY PROGRAM ON THE SYSTEM. Using LaunchServices to run applications to handle untrusted content is like using "system()" and passing it whatever a user typed in at the login prompt. It's like having "." first in path in CGI scripts. It's just ASKING someone to perform an attack like this.

This isn't "one secondary distribution of a Webcore browser", this is EVERY VERSION OF SAFARI EVER RELEASED. And it's not something they didn't know about, it's something that was demonstrated in April 2004.

This isn't as bad as Microsoft deliberately making the execution of untrusted code a feature in 1997, refusing to back out of the design even after they were nearly broken up over it, and STILL pushing it as a "good idea" in 2006, but lord knows it's bad enough.
