Safari exploit can make scripts run

Security firm Secunia on Tuesday documented a possible exploit in Apple’s Safari Web browser that the company describes as “extremely critical.” Secunia calls the exploit Mac OS X “__MACOSX” ZIP Archive Shell Script Execution, and advises Mac users to take simple action to avoid the problem. Apple confirmed it’s working on a fix.

A preference setting in the Safari Web browser can lead to the execution of a malicious shell script, renamed to a “safe” extension in a ZIP archive, according to the security alert.

That preference allows the Mac to automatically open “safe” files after downloading them. So-called safe files include movies, pictures, sounds, PDF and text documents, disk images and other archives.

If a shell script is renamed to appear as a “safe” extension to Safari, systems that have this preference turned on can automatically execute the script — and this can be exploited by someone with malicious intentions, according to Secunia.

“Apple takes security very seriously,” said an Apple spokesman. “We’re working on a fix so that this doesn’t become something that could affect customers. Apple always advises Mac users to only accept files from vendors and Web sites that they know and trust.”

Apple has also posted safety tips on its Web site to advise users how to hand e-mail attachments and content downloaded from the Internet.

Secunia has developed a safe test to show you if your system is vulnerable. The test will cause the Mac OS X “Calculator” application to start up after you click on a link.

The solution is to uncheck the preference setting, “Open ‘safe’ files after downloading” — available from the General tab in Safari’s Preferences.

Macworld’s tests show that the Safari preference setting is turned on by default in a newly installed Mac OS X v10.4.5 partition — a situation confirmed by Secunia in its own evaluation.

This is the third documented security exploit on Mac OS X in recent days. Last week saw the emergence of OSX/Leap-A, malware code designed to spread through iChat. A “proof of concept” malware called Inqtana.A was also identified — this exploited a flaw in Bluetooth security that Apple patched in mid-2005.

Updated Feb. 21, 2006 3:48 PM: Added comments from Apple.

Subscribe to the Apple @ Work Newsletter

Comments