Serious flaw on OS X in Safari


Post by J-M » Mon 20 Feb, 2006 5:06 pm

More details are available at the Internet Storm Center site:

http://isc.sans.org/diary.php?storyid=1138

From the report:

"In its default configuration shell commands are execute[d] simply by visiting a web site - no user interaction required."
....
The problem is due to a feature that is activated by default: Open Safe Files after downloading. A zip file is considered safe and so it will be opened automatically.

According to the Center, Heise.de magazine has a related article at
http://www.heise.de/english/newsticker/news/69862 .

Google Translate tool http://www.google.com/translate_t etc. can be used to translate it (good, only three years of studying German. :( )

Post by Antony » Mon 20 Feb, 2006 10:16 pm

This can be easily avoided by disabling opening safe files after downloading.

Image
(Edit: adding screenshot, 26th Feb 2006)
Last edited by Antony on Sun 26 Feb, 2006 4:35 am, edited 1 time in total.

Post by J-M » Tue 21 Feb, 2006 5:53 am

Secunia has rated this as Extremely Critical at
http://secunia.com/advisories/18963/

They have this similar recommendation too:

Solution:
The vulnerability can be mitigated by disabling the "Open safe files after downloading" option in Safari.

Do not open files in ZIP archives originating from untrusted sources.

Interesting test link included too:
http://secunia.com/mac_os_x_command_exe ... lity_test/

Edited by J-M: Added Secunia's test URL
Last edited by J-M on Tue 21 Feb, 2006 4:32 pm, edited 1 time in total.

Post by J-M » Tue 21 Feb, 2006 4:40 pm

FrSIRT uses the highest rating level in their advisory too:
http://www.frsirt.com/english/advisories/2006/0671

Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes

ISS X-Force says High Risk as well:
http://xforce.iss.net/xforce/xfdb/24808

What news articles say:

eWEEK has the title "New Safari Flaw, Worms Turn Spotlight on Apple Security" in use at
http://www.eweek.com/article2/0,1895,1929342,00.asp

Macworld UK, in turn, says "Safari struck by Zip security warning" at
http://www.macworld.co.uk/news/index.cf ... &pagePos=2

Post by Antony » Tue 21 Feb, 2006 6:08 pm

I am sure Apple will provide a fix for our beloved Safari!

Post by Pu7o » Tue 21 Feb, 2006 6:11 pm

Antony wrote:...our beloved Safari.


When will you stop saying that? That's getting annoying...

Post by J-M » Wed 22 Feb, 2006 2:18 am

Antony, is it possible to explain in two sentences what the following information in ISC's report (from the UPDATE 2 section) means:

The [second] article also says that the Mail application is vulnerable as well. What's even worse, the attacker doesn't need to send a ZIP archive; the shell script itself can be disguised to practically anything.

The Finder looks like the main culprit for this. The way it uses to decide what to do with the file and what to show to the end user (as the icon).

They are pointing to a new Heise.de article

http://www.heise.de/english/newsticker/news/69919

Thanks beforehand.
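The ISC point quoted in the thread, that a shell script inside a download "can be disguised to practically anything", can be checked for before an archive is opened. The following is an added example, not part of the original thread or of any advisory it links to: it flags ZIP members whose content starts with a `#!` interpreter line but whose name does not declare a script. The function names, the extension list and the sample archive are assumptions made for this illustration.

```python
import io
import os
import zipfile

# File extensions that openly declare a script; any other member starting with
# "#!" is treated as disguised. Constructed list for this example.
SCRIPT_EXTENSIONS = {".sh", ".command", ".bash", ".zsh", ".py", ".pl", ".rb"}
PEEK = 128  # bytes read from each member, enough to see the interpreter line


def disguised_scripts(zip_bytes):
    """Return (member name, interpreter line) for members that begin with a
    shebang but are named like something other than a script."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                head = member.read(PEEK)
            if not head.startswith(b"#!"):
                continue  # content is not a script, whatever the name says
            ext = os.path.splitext(info.filename)[1].lower()
            if ext not in SCRIPT_EXTENSIONS:
                first_line = head.split(b"\n", 1)[0].decode("ascii", "replace")
                findings.append((info.filename, first_line.strip()))
    return findings


def build_sample_archive():
    """Constructed sample: a plain text file, a declared script, and a
    harmless shell script that is named like a picture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("readme.txt", "holiday photos\n")
        archive.writestr("install.sh", "#!/bin/sh\necho declared script\n")
        archive.writestr("photos/beach.jpg", "#!/bin/sh\necho placeholder\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, interpreter in disguised_scripts(build_sample_archive()):
        print(f"{name}: starts with {interpreter!r} but is not named as a script")
```

A check like this inspects content only; it complements, and does not replace, the mitigation given in the thread of disabling "Open safe files after downloading".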

