Severe security hole in Apple Safari Browser

20.02.2006

As the German IT portal Heise Online conveys, a new security hole in the Safari webbrowser for Apple’s Mac OS X has been discovered. This security hole is rather severe, as it invokes the execution of shell scripts under certain circumstances.

Once again the Safari option “open ’safe’ files automatically after download” bears the blame. If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore - it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file - zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP - it’ll take it as totally normal to execute the “jpg file” with the shell.

To circumvent this issue immediately, you can exercise two countermeasures - the first one is to disable that unsafe option in Safari, the second one is to move the terminal to another place, as the connection between shellscript and terminal has a hardcoded file path to the terminal. Additionally, you should never ever work with administrator privileges - as one should be used to with windoze, this rule of thumb has the same virtues on a Mac as well ;)

Currently there are, according to heise, no websites known that try to exploit this issue, but it’ll be just a question of time until there will be some in the net. So don’t take this security hole too easy - it can result in a deletion of important files sooner than you’d expect it.

Update #1 02/21/2006: Heise Online has posted an english translation of the original article I am referring to with this post here - I suppose their own translation is much better than the automatic one from Google Translator ;)

Update #2 02/21/2006: Heise Online confirmed the issue being even more important, as they found out that you can even trick Firefox users into this trap. I have covered the topic in a separate post. Even slashdot and the Inquirer have covered it now, so it must be assumed to be a real big issue.

Verwandte Artikel:



Hinweis: Wegen des hohen Aufkommens an Kommentarspam und als Kommentar getarnten Werbelinks werden alle Kommentare auf diesem Blog zuerst in die Moderation geschickt. Ich schalte neue Kommentare von echten Besuchern so schnell wie möglich frei. Beleidigende oder gegen geltendes Recht verstoßende Kommentare werden gelöscht.

Bisher 33 Kommentare zum Artikel

Seiten: « 4 3 2 [1]

  1. Norwegian meint

    3 21.02.2006, 00:48 Uhr

    No, it wouldnt. It can delete your whole home folder since the user who executes the script has rw access there. It could not delete everything from / unless you are uid 0

  2. GrayAppl meint

    2 21.02.2006, 00:41 Uhr

    It would still need admin. password to run though wouldn’t it?

  3. Pingbacks & Trackbacks

    • Lode’s Blog » Blog Archive » Belangrijk veiligheidslek in Safari

Seiten: « 4 3 2 [1]



« Mac OS X security issue extends!
A small but nice 404-Collection »