Serious flaw on OS X in Safari

J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
20 Feb, 2006 4:06 pm Serious flaw on OS X in Safari [sdp=70666]  

More information about the details is available at the Internet Storm Center site:

http://isc.sans.org/diary.php?storyid=1138

From the report:

Quote:
"In its default configuration shell commands are execute[d] simply by visiting a web site - no user interaction required."
....
The problem is due to a feature that is activated by default: Open Safe Files after downloading. A zip file is considered safe and so they will be opened automatically.

According to the Center, Heise.de magazine has a related article at
http://www.heise.de/english/newsticker/news/69862 .

Google Translate tool http://www.google.com/translate_t etc. can be used to translate it (good, only three years of studying German. Sad )

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
20 Feb, 2006 9:16 pm [sdp=70683]  

This can be easily avoided by disabling opening safe files after downloading.


(Edit: adding screenshot, 26th Feb 2006)

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8


Last edited by Antony on 26 Feb, 2006 3:35 am; edited once(1)
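
The mitigation described in the post above, as an added example that is not part of the original thread: a small script that reports whether Safari's "Open safe files after downloading" option is on for the current user and turns it off. It assumes the checkbox is stored under the `AutoOpenSafeDownloads` key of the `com.apple.Safari` preference domain; the thread names only the checkbox, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit and disable Safari's "Open safe files after downloading".
# Assumption: the checkbox is stored as AutoOpenSafeDownloads in the
# com.apple.Safari preference domain (the thread only names the checkbox).

SAFARI_DOMAIN="com.apple.Safari"
SAFARI_KEY="AutoOpenSafeDownloads"

# Print "enabled" or "disabled" for the current user.
# A missing key is reported as enabled, because the feature is on by default.
safari_auto_open_state() {
    value=$(defaults read "$SAFARI_DOMAIN" "$SAFARI_KEY" 2>/dev/null) || value=""
    case "$value" in
        0|false|NO|no) echo "disabled" ;;
        *)             echo "enabled" ;;
    esac
}

# Turn the option off, then re-read it to confirm the write took effect.
safari_disable_auto_open() {
    defaults write "$SAFARI_DOMAIN" "$SAFARI_KEY" -bool false || return 1
    [ "$(safari_auto_open_state)" = "disabled" ]
}

# Usage: sh safari_autoopen.sh check | fix
case "${1:-}" in
    check) safari_auto_open_state ;;
    fix)   safari_disable_auto_open && echo "auto-open disabled" ;;
esac
```
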
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
21 Feb, 2006 4:53 am [sdp=70698]  

Secunia has rated this as Extremely Critical at
http://secunia.com/advisories/18963/

They have this similar recommendation too:

Quote:
Solution:
The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

Do not open files in ZIP archives originating from untrusted sources.

Interesting test link included too:
http://secunia.com/mac_os_x_command_execution_vulnerability_test/

Edited by J-M: Added Secunia's test URL

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7

Last edited by J-M on 21 Feb, 2006 3:32 pm; edited once(1)
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
21 Feb, 2006 3:40 pm [sdp=70723]  

FrSIRT uses the highest rating level in their advisory too:
http://www.frsirt.com/english/advisories/2006/0671

Quote:
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes

ISS X-Force says High Risk as well:
http://xforce.iss.net/xforce/xfdb/24808

What news articles say:

eWEEK uses the title "New Safari Flaw, Worms Turn Spotlight on Apple Security" at
http://www.eweek.com/article2/0,1895,1929342,00.asp

Macworld UK, in turn, says "Safari struck by Zip security warning" at
http://www.macworld.co.uk/news/index.cfm?NewsID=13911&Page=1&pagePos=2

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Antony
Site Admin


Joined: 18 Jun 2002
Posts: 12754
Location: Sydney, Australia
21 Feb, 2006 5:08 pm [sdp=70730]  

I am sure Apple will provide a fix for our beloved Safari!

UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/417.9 (KHTML, like Gecko) Safari/417.8

Pu7o
Macfox


Joined: 06 Jan 2005
Posts: 1978
Location: Portugal
21 Feb, 2006 5:11 pm [sdp=70731]  

Antony wrote:
...our beloved Safari.


When will you stop saying that? That's getting annoying...

UserAgent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X UB; en-US; rv:1.8.0.1) Gecko/20060218 Firefox/1.5.0.1 Firescape/0.2b2 wml/1.3
J-M
diamond member


Joined: 25 Jul 2004
Posts: 777
Location: Helsinki, Finland
22 Feb, 2006 1:18 am [sdp=70757]  

Antony, is it possible to explain in two sentences what the following information in ISC's report (from the UPDATE 2 section) means:

Quote:
The [second] article also says that the Mail application is vulnerable as well. What's even worse, the attacker doesn't need to send a ZIP archive; the shell script itself can be disguised to practically anything.

The Finder looks like the main culprit for this. The way it uses to decide what to do with the file and what to show to the end user (as the icon).

They are pointing to a new Heise.de article

http://www.heise.de/english/newsticker/news/69919

Thanks beforehand.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7