20.02.2006

As the German IT portal Heise Online reports, a new security hole has been discovered in the Safari web browser for Apple’s Mac OS X. It is rather severe, as it causes shell scripts to be executed automatically under certain circumstances.

Once again the Safari option “open ‘safe’ files automatically after download” is to blame. If this feature comes across a shell script that is missing the so-called shebang line, the system no longer asks the user whether to execute the file - it just executes it. Unfortunately, you can simply rename a shell script without a shebang line to a known-good file extension like JPG or PNG and put the renamed script into a ZIP file, together with an administrative file that connects the script with the shell. A target Mac that receives the ZIP then “knows” automatically how to open the file - it treats executing the “jpg file” with the shell as totally normal.

To work around this issue immediately, you can take two countermeasures: the first is to disable that unsafe option in Safari; the second is to move the Terminal to another location, as the connection between shell script and Terminal uses a hardcoded file path to the Terminal. Additionally, you should never ever work with administrator privileges - as one should be used to from windoze, this rule of thumb has the same virtues on a Mac as well ;)

Currently, according to Heise, there are no known websites that try to exploit this issue, but it’s just a question of time until some appear on the net. So don’t take this security hole too lightly - it can result in the deletion of important files sooner than you’d expect.

Update #1 02/21/2006: Heise Online has posted an English translation of the original article I am referring to with this post here - I suppose their own translation is much better than the automatic one from Google Translator ;)

Update #2 02/21/2006: Heise Online confirmed the issue being even more important, as they found out that you can even trick Firefox users into this trap. I have covered the topic in a separate post. Even Slashdot and the Inquirer have covered it now, so it must be assumed to be a real big issue.


33 comments on this article so far

  1. gahlord says

    Yeah man. Don’t copy that floppy.

  2. Simone says

    Um, guys? Did you even test out the proof-of-concept? Yes, Safari auto-executes the shell script even though it’s disguised as a jpeg file. You might try it out before saying that this isn’t an exploit. Click on the “heise online” script, and then on that page click the “Demo” link that is near the end of the text. Make sure you have the “Open safe files” option turned ON. You will see that the shell script will be automatically executed (even though it’s not malicious).

    Of course, this exploit can be mitigated by turning OFF the “Open safe files” setting, but it’s still an exploit.

    – Simone

  3. noone says

    This is no different than what has happened with Windows. Most here are probably too young to remember when the most popular method for virus delivery was floppy disk. I, however, do remember, and I also remember the first simple viruses using features of browsers to execute in Windows 3.0 or 3.1, forget which now. They were very similar to this exploit. Then came malware and worms in email and then all hell broke loose. This is just the start of Macs getting hit. Let's look at it this way: right now any malicious user could take the recent worm that cropped up for Macs and use this code to infect even more users. Or they could use it to get spyware onto your Mac or a trojan or anything they want.

    Ok, so mitigating the risk is as simple as a setting change or doing something that seems silly like moving the terminal someplace else.

    Here's the thing: a lot of attack scripts the wannabe hackers, aka script kiddies, use can be beaten in much the same way. Install Windows anywhere other than a default location and many of those scripts won't know what to do.

    For most malware that uses ActiveX you can adjust ActiveX settings to stop them in their tracks. You don't even need to outright disable ActiveX to stop the spyware from installing.

    So I ask you, how is this Apple exploit any different than a large portion of those aimed at Windows?

  4. bonaldi says

    The don’t-run-with-administrator-privileges is a red herring: the situation is completely different to Windows. No matter what type of user you are, a script can delete anything in the home folder, which is the only one you care about. And even if you are an administrator, the script can’t delete anything more without a Sudo password.

    Apple may not be perfect on security, but they’re no Microsoft.

  5. Kevin Ballard says

    Ok, I just found an example on another site. And I was right - there’s no auto-executing here. The example was a .mov file that was in fact a terminal document. And you know what? Getting info on the file *told* me it was a Terminal.app Document. Just like all the other “masquerade a malicious file as a safe one” tricks. The only problem here is Safari isn’t warning about the terminal document. And you know what? I don’t care. I’m not an idiot - all the Safari warnings do for me is bug me. I know exactly what I’m downloading, and if a file gets downloaded that I’m not expecting there’s no way in hell that I’d actually open the damn thing. Try using your brains.

  6. Kevin Ballard says

    I don’t quite understand. You’re implying that Safari would auto-execute the shell script somehow, yet Safari does not auto-execute files. Even if it’s a .jpg, it would still have to have the executable bit set to actually run, and that’s a dead giveaway that it’s not a jpeg. Also, what do you mean by “an administrative file that’ll connect that file with the shell”?

    AFAICT all you’re saying is that it’s possible to rename extensions so a shell script looks like an image and tricks the user into opening it. That’s hardly a hole. Now if you’re in fact saying that Safari will auto-open the shell script, then please describe it better or give us an actual sample download.

  7. Dud says

    How does disabling the “safe” option help? If you manually open the file later, won’t the damage still be done?
