Feb 20 2006

Severe security hole in Apple Safari Browser

As the German IT portal Heise Online reports, a new security hole has been discovered in the Safari web browser for Apple’s Mac OS X. This security hole is rather severe, as it causes shell scripts to be executed under certain circumstances.

Once again the Safari option “open ‘safe’ files automatically after download” is to blame. If this feature comes across a shell script that lacks the so-called shebang line, the system no longer asks the user whether to execute the file – it simply executes it. Unfortunately, a shell script without a shebang line can simply be renamed to a known-good file extension such as JPG or PNG and packed into a ZIP file, together with an administrative file that associates the renamed file with the shell. A target Mac that receives the ZIP then “knows” automatically how to open the file – it treats executing the “jpg file” with the shell as perfectly normal.
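A defensive check for the kind of archive described above, as an added example (not code from this post or from Heise): it flags ZIP members that carry an image extension but do not start with that format's magic bytes, or that have an execute bit set. The function names `audit_zip` and `build_sample` are hypothetical, and treating the "administrative file" as an AppleDouble `__MACOSX/._name` entry is an assumption.

```python
import io
import posixpath
import zipfile

# Leading bytes of the image types the post names (JPG, PNG).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n"}

def audit_zip(data: bytes) -> dict:
    """Return {member name: [reasons]} for image-named entries that look wrong."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            parent, base = posixpath.split(info.filename)
            ext = posixpath.splitext(base)[1].lower()
            if info.is_dir() or base.startswith("._") or ext not in MAGIC:
                continue
            reasons = []
            with zf.open(info) as member:
                if not member.read(8).startswith(MAGIC[ext]):
                    reasons.append("content does not match extension")
            # Unix permission bits sit in the high 16 bits of external_attr.
            if (info.external_attr >> 16) & 0o111:
                reasons.append("execute bit set")
            # Assumption: the metadata file is an AppleDouble "._name" entry.
            # Ordinary Mac archives contain these too, so it only supports
            # a finding that one of the checks above has already raised.
            companion = posixpath.join("__MACOSX", parent, "._" + base)
            if reasons and companion in names:
                reasons.append("metadata companion present")
            if reasons:
                findings[info.filename] = reasons
    return findings

def build_sample() -> bytes:
    """Constructed test archive; the metadata entry is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        fake = zipfile.ZipInfo("photo.jpg")
        fake.external_attr = 0o100755 << 16      # -rwxr-xr-x
        zf.writestr(fake, b"echo constructed sample\n")
        zf.writestr("__MACOSX/._photo.jpg", b"placeholder, not a resource fork")
        real = zipfile.ZipInfo("real.png")
        real.external_attr = 0o100644 << 16      # -rw-r--r--
        zf.writestr(real, b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()
```
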

To work around this issue immediately, you can take two countermeasures – the first is to disable that unsafe option in Safari, the second is to move the Terminal to another location, as the association between shell script and Terminal uses a hardcoded file path to the Terminal. Additionally, you should never ever work with administrator privileges – as one should be used to from windoze, this rule of thumb has the same virtues on a Mac as well ;)

According to Heise, no websites are currently known to exploit this issue, but it is only a question of time until some appear on the net. So don’t take this security hole too lightly – it can result in the deletion of important files sooner than you’d expect.

Update #1 02/21/2006: Heise Online has posted an English translation of the original article I am referring to with this post here – I suppose their own translation is much better than the automatic one from Google Translator ;)

Update #2 02/21/2006: Heise Online confirmed the issue being even more important, as they found out that you can even trick Firefox users into this trap. I have covered the topic in a separate post. Even Slashdot and the Inquirer have covered it now, so it must be assumed to be a real big issue.

Permalink to this post: http://www.4null4.de/110/severe-security-hole-in-apple-safari-browser/

18 comments


  1. GrayAppl says:

    It would still need admin. password to run though wouldn’t it?

  2. Norwegian says:

    No, it wouldn’t. It can delete your whole home folder since the user who executes the script has rw access there. It could not delete everything from / unless you are uid 0.

  3. Dud says:

    How does disabling the “safe” option help? If you manually open the file later, won’t the damage still be done?

  4. Kevin Ballard says:

    I don’t quite understand. You’re implying that Safari would auto-execute the shell script somehow, yet Safari does not auto-execute files. Even if it’s a .jpg, it would still have to have the executable bit set to actually run, and that’s a dead giveaway that it’s not a jpeg. Also, what do you mean by “an administrative file that’ll connect that file with the shell”?

    AFAICT all you’re saying is that it’s possible to rename extensions so a shell script looks like an image and tricks the user into opening it. That’s hardly a hole. Now if you’re in fact saying that Safari will auto-open the shell script, then please describe it better or give us an actual sample download.

  5. Kevin Ballard says:

    Ok, I just found an example on another site. And I was right – there’s no auto-executing here. The example was a .mov file that was in fact a terminal document. And you know what? Getting info on the file *told* me it was a Terminal.app Document. Just like all the other “masquerade a malicious file as a safe one” tricks. The only problem here is Safari isn’t warning about the terminal document. And you know what? I don’t care. I’m not an idiot – all the Safari warnings do for me is bug me. I know exactly what I’m downloading, and if a file gets downloaded that I’m not expecting there’s no way in hell that I’d actually open the damn thing. Try using your brains.

  6. bonaldi says:

    The don’t-run-with-administrator-privileges is a red herring: the situation is completely different to Windows. No matter what type of user you are, a script can delete anything in the home folder, which is the only one you care about. And even if you are an administrator, the script can’t delete anything more without a sudo password.

    Apple may not be perfect on security, but they’re no Microsoft.

  7. noone says:

    This is no different than what has happened with Windows. Most here are probably too young to remember when the most popular method for virus delivery was floppy disk. I however do remember, and I also remember the first simple viruses using features of browsers to execute in Windows 3.0 or 3.1, forget which now. They were very similar to this exploit. Then came malware and worms in email and then all hell broke loose. This is just the start of Macs getting hit. Let’s look at it this way: right now any malicious user could take the recent worm that cropped up for Macs and use this code to infect even more users. Or they could use it to get spyware on to your Mac or a trojan or anything they want.

    Ok, so mitigating the risk is as simple as a setting change or doing something that seems silly like moving the terminal someplace else.

    Here’s the thing: a lot of attack scripts the wannabe hackers aka script kiddies use can be beaten in much the same way. Install Windows anywhere other than a default location and many of those scripts won’t know what to do.

    For most malware that uses ActiveX you can adjust ActiveX settings to stop them in their tracks. You don’t even need to outright disable ActiveX to stop the spyware from installing.

    So I ask you, how is this Apple exploit any different than a large portion of those aimed at Windows?

  8. Simone says:

    Um, guys? Did you even test out the proof-of-concept? Yes, Safari auto-executes the shell script even though it’s disguised as a jpeg file. You might try it out before saying that this isn’t an exploit. Click on the “heise online” script, and then on that page click the “Demo” link that is near the end of the text. Make sure you have the “Open safe files” option turned ON. You will see that the shell script will be automatically executed (even though it’s not malicious).

    Of course, this exploit can be mitigated by turning OFF the “Open safe files” setting, but it’s still an exploit.

    – Simone

  9. gahlord says:

    Yeah man. Don’t copy that floppy.

  10. skytomorrownow says:

    I tried the demo. Works like a charm. Flip comments like “well, don’t open anything” don’t really help here. I click on PDF links ALL the time. It would be very easy to hide a malicious shell script among legit PDFs and do some nasty things. Hope they fix this. Is it possible for the browser to validate the file format somehow before opening? Should I use another browser?

  11. Kevin Ballard says:

    “Did you even test out the proof-of-concept? Yes, Safari auto-executes the shell script even though it’s disguised as a jpeg file.”

    No it doesn’t. I tried it out, all it did was unzip the file and stick it on my desktop. No execution of anything. And yes, I have the Open “safe” files pref enabled.

  12. Ben Hanson says:

    Tested the demo, it downloads a .zip file, decompresses and then executes a shell script. Certainly not worm food, but a bug nonetheless. Following is the script that is executed:

    /bin/ls -al
    echo
    echo
    echo "heise Security: Sie sind verwundbar."
    echo
    echo

    Checking the file:
    -rwxr-xr-x 1 76 Feb 20 05:41 Heise.jpg
    we can see that the execute bit is set. So Safari should really be flagging this. If the execute bit isn’t set, I doubt this would work. If it is, Safari should show the warning about downloading an executable (which many would ignore), or it should no longer be considered safe. I for one would take notice if I were downloading what I thought was just data, and I got a warning that the file was an application.
    I’ve unchecked the “open safe files after opening”.

  13. CountZero says:

    I am not a Mac user on my own, but we have one in our office @work, where I was able to confirm the issue with the demo from heise online without any problem. It is true (and I am aware of it), that you don’t work as Administrator on a mac under usual circumstances (other than at a windoze machine where you’d have to get around many problems to really not work as Administrator), but this issue is a severe problem, as it is, if understood as a proof-of-concept, a slap in the face for everybody who was totally sure her/his Mac can’t be affected by an issue similar to those in the windoze-world.

    You only need to find another backdoor to retrieve root access through a shell script and to combine it with this Safari issue, and voilà, you have successfully generated a really serious threat to most of the Macs around in the net.

  14. Leopold Porkstacker says:

    I stopped using Safari over a year ago, when I “discovered” Firefox. Oh, and Firefox is more standards-compliant than Safari, so it almost seems pointless to even be using Safari. Problem solved.

    -he who stacks pork

  15. CountZero says:

    hi, leopold…
    as heise has confirmed today (and as I have commented on in my latest post today) the issue even then can catch up to you – it’s sufficient to erroneously download and open a zip file which has been prepared the same way, and you’re stuck with the same problem.

    I suppose the time has come that Mac users have to arrange with the same situation as windoze users are used to for about 20 years now – security flaws are everywhere and may harm your system if you don’t use your own brains but rely solely on the “intelligence” of your computer ;)

  16. Swede says:

    Here is my rant…

    This whole “do not run as Administrator” issue is a pain in the butt IMHO. On a family shared Mac computer it is nice to only have your family members with their photos on the login screen instead of an additional “admin user” listed also.

    When you first install the OS you are prompted to fill out your personal registration info and then that user is automatically the “admin”. While installing all of our programs I then am prompted every other minute for an “Administrator password” even though I am already logged in as the Admin! Yes, I tried to switch and also use a “standard” user account instead but got quickly tired of having to login as Administrator every 5 minutes to do or install anything! I won’t even start on all of the “Permissions related problems” when just wanting to share a simple file with a family member on the same computer!

    We also switched from Windows and bought a Mac to get rid of having to buy AntiVirus, Firewall, and Spyware programs and paying every month or year to upgrade them. Now it looks as though we have no choice again unless we just unplug the damn thing from the network for TRUE INTERNET SECURITY!

    Sorry for the rant. ( We still think our shiny new iMac Intel is awesome!)

  17. flykoo says:

    That’s why I moved to Mozilla Firefox. Security is very important while working with some profitable projects.

  18. Learn German Words says:

    Hmmm, seems to be a bit of controversy here. Has anyone had this happen to them through the Safari browser personally?

