February 20th, 2006  |  Published in old and busted  |  2 Comments

Apple Safari Browser Automatically Executes Shell Scripts:

> Shortly after reports of the first virus for Mac OS X, a new security flaw has surfaced. The culprit is the option “Open ‘safe’ files after downloading” in Apple’s Safari web browser. This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user’s computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered “safe”. If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good.

> Problems ensue if a shell script is stored into a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt. This behavior has been discovered by Michael Lehn, who has documented it on a web site.
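The quoted report turns on one detail: the downloader decides whether an archive entry is "active content" by looking for a shebang line, so a shell script without one is waved through as plain text even though it still carries an executable mode bit. The following is an added example, not code from the article or from Safari: a small Python checker that inspects a ZIP archive and treats an entry as active content if it has a shebang, an executable bit in its Unix mode, or a script-like extension. The archive it inspects is constructed in `build_sample_archive()` and the set of script suffixes is an assumption for illustration.

```python
import io
import stat
import zipfile

# Assumed list of extensions that a download handler would treat as scripts.
SHELL_SUFFIXES = (".sh", ".command", ".bash", ".zsh")

UNIX_CREATE_SYSTEM = 3  # ZipInfo.create_system value meaning "made on Unix"


def _unix_mode(info):
    """Return the Unix permission bits stored in the entry's external attributes."""
    return (info.external_attr >> 16) & 0xFFFF


def entry_is_active(info, head):
    """Return a reason string if the entry should be treated as active content, else None.

    `head` is the first few bytes of the entry's data. The shebang check alone is the
    weak heuristic described in the article; the executable-bit and extension checks
    are the extra evidence a hardened handler would also consider.
    """
    if info.is_dir():
        return None
    if head.startswith(b"#!"):
        return "shebang"
    exec_bits = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
    if info.create_system == UNIX_CREATE_SYSTEM and _unix_mode(info) & exec_bits:
        return "executable bit set"
    if info.filename.lower().endswith(SHELL_SUFFIXES):
        return "script extension"
    return None


def flag_active_content(zip_bytes):
    """Map entry name -> reason for every entry that should trigger a confirmation prompt."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(64)
            reason = entry_is_active(info, head)
            if reason:
                findings[info.filename] = reason
    return findings


def _add_entry(zf, name, data, mode):
    """Write one entry with an explicit Unix mode so the executable bit survives."""
    info = zipfile.ZipInfo(name)
    info.create_system = UNIX_CREATE_SYSTEM
    info.external_attr = (stat.S_IFREG | mode) << 16
    zf.writestr(info, data)


def build_sample_archive():
    """Constructed sample archive (not a real-world file) with three entries:
    a harmless JPEG-like blob, a script with a shebang, and shell commands
    with no shebang but mode 0755, which is the case the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        _add_entry(zf, "picture.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16, 0o644)
        _add_entry(zf, "setup.sh", b"#!/bin/sh\necho 'constructed sample'\n", 0o755)
        _add_entry(zf, "notes", b"echo 'constructed sample, no shebang'\n", 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in sorted(flag_active_content(build_sample_archive()).items()):
        print(f"{name}: {reason}")
```

Running it flags `setup.sh` (shebang) and `notes` (executable bit set) while leaving `picture.jpg` alone; a shebang-only check would have passed `notes` through, which is exactly the gap the report describes.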

The first bonehead who argues “privilege separation! privilege separation!” as a reason to pooh-pooh this can go to the back of the class. A fully functioning shell script in any user’s account is a bad thing. If you’ve been socially engineered well enough to download the malicious payload, you’re probably not too far from the next logical step, which is to get you to provide a system password to finish installing the goodies you thought you were going to get. From that point onward, a shell script can do an awful lot.

That isn’t going to stop the apologists from doing what they do so well, which is apologizing a lot about this. But it’s no better than the crack-headed widget of mass destruction business.

Apple should drop the “Open ‘safe’ files after downloading” configuration option from Safari.

Update: SANS agrees: It’s bad. And if you read the comments on the related item on Slashdot, you get the picture more succinctly, which is that Safari is really a mere accomplice: The auto-opening “safe” files option is a mere speedbump, because opening the tainted archive will still end with, well, a righteous corn-holing.

Meanwhile: Crickets over at MacSlash.

Second Update: As I prepare to shut down for the afternoon, still more crickets at MacSlash. “Norman … coordinate! Norman … coordinate! Beepbeepbeepbeepbeeeeeeeeeeeeeep.”

© Michael Hall, licensed under a Creative Commons Attribution-ShareAlike 3.0 United States license.