Yesterday evening it was just a little news entry at heise online that I was referring to when I wrote about the latest shell script execution security hole in Apple’s Safari browser.
Today there’s new evidence that the issue is far more concerning than it seemed yesterday. Many Mac users reacted the usual “this issue doesn’t bother me” way, but heise online (post in German) just published the results of their further investigations – and these results confirm the security hole as being large enough to fly a 747 through it.
First – and most important – result: not only Safari carries the problem into the Mac world, but AppleMail as well. To achieve a shell script without that Shebang-row being executed without any user’s notice, just simply write your shell script, rename it to something with .jpg as the filename’s end, connect your file via Finder with the terminal and transmit this file AppleDouble encoded with AppleMail. If this attachment then is single(!!)clicked on the target system, the seems-to-be-an-image will get executed without any warning message.
Take into account, that this mechanism is the usual way virii and worms spread in the windoze world!
The basic issue, that was confirmed and published yesterday, works in a similar way – just send the OS X metadata in the ZIP file along with the shellscript (the __MACOSX folder), and there’s your security issue. The infection will work this way even if you download and save the file with Firefox (!) instead of executing it directly through Safari!
Welcome, Apple Users, in the Intel / windoze world 
Anybody out there who doesn’t think that this is really a big issue?
2 Kommentare
2 Pings
That Nimrod sagt:
27.02.2006 von 19:33 (UTC 0 )
prove it. send me a copy.
CountZero sagt:
27.02.2006 von 21:49 (UTC 0 )
why should I? there are tons of proofs and evidences out in the net, Use ur brain or at least google if you want a proof.
Severe security hole in Apple Safari Browser | 4null4.de - Blog around the world sagt:
21.02.2006 von 21:11 (UTC 0 )
[...] Update #2 02/21/2006: Heise Online confirmed the issue being even more important, as they found out that you can even trick Firefox users into this trap. I have covered the topic in a separate post. Even slashdot and the Inquirer have covered it now, so it must be assumed to be a real big issue. By CountZero, 20. February 2006, 19:14 o’clock [...]
SvenOnTech sagt:
22.02.2006 von 07:23 (UTC 0 )
[...] Looks like there’s a big security hole in Safari (as well as Firefox) that takes advantage of the “open safe files” feature. From 4null4.de: If this facility runs across a shell script that is missing the so-called Shebang-row, the system won’t ask the user whether to execute the file automatically anymore – it’ll just execute it anyways. Unfortunately you can simply rename a shellscript without a Shebang-row to known-good filetype extensions like JPG or PNG and put that renamed script into a ZIP file – zipping as well an administrative file that’ll connect that file with the shell. A target Mac then “knows” automatically how to open that file if it receives that ZIP – it’ll take it as totally normal to execute the “jpg file” with the shell. [...]