As the German IT portal Heise Online conveys, a new security hole in the Safari webbrowser for Apple’s Mac OS X has been discovered. This security hole is rather severe, as it invokes the execution of shell scripts under certain circumstances.
Once again the Safari option “open ’safe’ files automatically after download” bears the blame. If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore - it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file - zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP - it’ll take it as totally normal to execute the “jpg file” with the shell.
To circumvent this issue immediately, you can exercise two countermeasures - the first one is to disable that unsafe option in Safari, the second one is to move the terminal to another place, as the connection between shellscript and terminal has a hardcoded file path to the terminal. Additionally, you should never ever work with administrator privileges - as one should be used to with windoze, this rule of thumb has the same virtues on a Mac as well 
Currently there are, according to heise, no websites known that try to exploit this issue, but it’ll be just a question of time until there will be some in the net. So don’t take this security hole too easy - it can result in a deletion of important files sooner than you’d expect it.
Update #1 02/21/2006: Heise Online has posted an english translation of the original article I am referring to with this post here - I suppose their own translation is much better than the automatic one from Google Translator
Update #2 02/21/2006: Heise Online confirmed the issue being even more important, as they found out that you can even trick Firefox users into this trap. I have covered the topic in a separate post. Even slashdot and the Inquirer have covered it now, so it must be assumed to be a real big issue.
Learn German Words meint
Hmmm seems to be a bit of controversy here. Has anyone had this happen to them through the safari browser personally?
flykoo meint
That’s why I moved to Mozilla Firefox. Security is very important while working with some profitable projects.
Swede meint
Here is my rant…
This whole “do not run as Administrator” issue is a pain in the butt IMHO. On a family shared Mac computer it is nice to only have your family members with their photos on the login screen instead of an additional “admin user” listed also.
When you first install the OS you are prompted to fill out your personal registration info and then that user is automatically the “admin”. While installing all of our programs I then am prompted every other minute for an “Administrator password” even though I am already logged in as the Admin! Yes, I tried to switch and also use a “standard” user account instead but got quickly tired of having to login as Administrator every 5 minutes to do or install anything! I won’t even start on all of the “Permissions related problems” when just wanting to share a simple file with a family member on the same computer!
We also switched from Windows and bought a Mac to get rid of having to buy AntiVirus, Firewall, and Spyware programs and paying every month or year to upgrade them. Now it looks as though we have no choice again unless we just unplug the damn thing from the network for TRUE INTERNET SECURITY!
Sorry for the rant. ( We still think our shiny new iMac Intel is awesome!)
CountZero meint
hi, leopold…
as heise has confirmed today (and as I have commented on in my latest post today) the issue even then can catch up to you - it’s sufficient to erroneously download and open a zip file which has been prepared the same way, and you’re stuck with the same problem.
I suppose the time has come that Mac users have to arrange with the same situation as windoze users are used to for about 20 years now - security flaws are everywhere and may harm your system if you don’t use your own brains but rely solely on the “intelligence” of your computer
Pingbacks & Trackbacks