21.02.2006

Yesterday evening it was just a little news entry at heise online that I was referring to when I wrote about the latest shell script execution security hole in Apple’s Safari browser.

Today there’s new evidence that the issue is far more concerning than it seemed yesterday. Many Mac users reacted in the usual “this issue doesn’t bother me” way, but heise online (post in German) just published the results of their further investigations - and these results confirm that the security hole is large enough to fly a 747 through.

First - and most important - result: not only Safari brings the problem into the Mac world, but AppleMail as well. To get a shell script without the shebang line executed without the user noticing, simply write your shell script, rename it so that the filename ends in .jpg, associate the file with the Terminal via Finder and send it AppleDouble-encoded with AppleMail. If this attachment is then single(!!)-clicked on the target system, the seems-to-be-an-image gets executed without any warning message.

Keep in mind that this mechanism is the usual way viruses and worms spread in the windoze world!

The basic issue that was confirmed and published yesterday works in a similar way - just send the OS X metadata (the __MACOSX folder) in the ZIP file along with the shell script, and there’s your security issue. The infection will work this way even if you download and save the file with Firefox (!) instead of executing it directly through Safari!

Welcome, Apple users, to the Intel / windoze world ;) Anybody out there who doesn’t think that this is really a big issue?
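A defensive check for the ZIP case described above, added here as an example (not code from heise online or from this blog): it flags archive members whose image extension does not match their leading bytes and reports whether a `__MACOSX/._<name>` AppleDouble companion with a resource fork travels with them. The function names, the extension table and the inert sample archive are constructed for illustration.

```python
import io
import struct
import zipfile
from posixpath import splitext

APPLEDOUBLE_MAGIC = 0x00051607   # AppleDouble header magic number
RESOURCE_FORK_ID = 2             # AppleDouble entry ID of a resource fork
MAGIC_BY_EXT = {                 # leading bytes each extension should have
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

def appledouble_entry_ids(blob):
    """Return the entry IDs of an AppleDouble header, [] if it is not one."""
    if len(blob) < 26 or struct.unpack(">I", blob[:4])[0] != APPLEDOUBLE_MAGIC:
        return []
    count = struct.unpack(">H", blob[24:26])[0]
    count = min(count, (len(blob) - 26) // 12)   # ignore truncated entries
    return [struct.unpack(">I", blob[26 + 12 * i:30 + 12 * i])[0]
            for i in range(count)]

def scan_zip(data):
    """Flag members named like an image whose content is not that image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            magics = MAGIC_BY_EXT.get(splitext(name)[1].lower())
            if name.startswith("__MACOSX/") or magics is None:
                continue
            with zf.open(name) as fh:
                head = fh.read(8)
            if head.startswith(magics):
                continue                      # extension and content agree
            folder, _, base = name.rpartition("/")
            companion = "__MACOSX/" + (folder + "/" if folder else "") + "._" + base
            ids = appledouble_entry_ids(zf.read(companion)) if companion in names else []
            findings.append({"name": name, "has_metadata": companion in names,
                             "has_resource_fork": RESOURCE_FORK_ID in ids})
    return findings

def build_sample():
    """Constructed, inert sample: text named .jpg, empty-fork companion, real JPEG."""
    header = struct.pack(">II16xHIII", APPLEDOUBLE_MAGIC, 0x00020000, 1,
                         RESOURCE_FORK_ID, 38, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", "echo constructed sample\n")
        zf.writestr("__MACOSX/._holiday.jpg", header)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\0" * 16)
    return buf.getvalue()
```

A finding with `has_resource_fork` set is the combination worth quarantining at a mail or download gateway: an image name, non-image content, and Mac metadata riding along.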


4 comments on this article so far

  1. CountZero says

    why should I? there are tons of proofs and evidences out in the net, Use ur brain or at least google if you want a proof. :D

  2. That Nimrod says

    prove it. send me a copy.
