Slashdot Mirror


Huge security hole in Internet Explorer for MacOS

Brad Lucier writes "Macintouch is reporting (go down the page a bit) that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1, has a huge security hole---when it downloads arbitrary programs encoded in the Macintosh's standard BinHex (.hqx) format, it automatically executes them." Well, I guess that's one way to make Unix insecure. Can anyone actually confirm this, since it looks kinda sketchy? I wonder what someone's rationale would be for that: "Oh, this won't hurt anyone, and saving that extra 'OK' click will be great!"

5 of 606 comments

  1. Personally, I prefer OmniWeb by ehintz · · Score: 5, Informative

    I do occasionally use IE, when hitting one of those pages designed by MS only shops, but most of my browsing time is in OmniWeb (www.omnigroup.com). Problem solved.

    As an added benefit, OmniWeb has options to disable banner ads (sorry VA), kill javascript popup windows, and it's just a generally nicer browser with more intelligent design decisions. And it keeps web pages from looking like NASCAR with all the bloody ads and popups. Did I mention how it kills ads and popups? Although I will admit IE is wicked fast under 10.1, OmniWeb is plenty fast enough.

    --
    ehintz
  2. As YOU DIDN'T read this article using said browser by SteveM · · Score: 5, Informative

    "It's been standard in Mac OS for Stuffit Expander to automatically extract archives once downloaded. Isn't this issue related more to Stuffit Expander than IE?"

    We all know how hard it is to click on a link and read the article, so I did it for you.

    From the MacInTouch web site: "Every .hqx encoded classic application is decoded by Explorer itself (that's the default, Stuffit Expander isn't used) and then AUTOMATICALLY STARTED!"

    I suggest that in the future you read the article in question before posting.

    Steve M

  3. Re:Not M$ by ehintz · · Score: 5, Informative

    "Internet Explorer on the MAC has nothing to do with Microsoft. It's developed, published, and installed by Apple."

    Not. It's developed and published by the Microsoft Macintosh Business unit, which is a somewhat independent MS arm out in the SF Bay Area. Apple's only involvement is bundling IE with the OS. About the only way your statement is accurate is if you're trying to stipulate that IE for Mac has little to do with IE for windows, which is correct. In fact, it's not uncommon for IE/Windoze to inherit good ideas from IE/Mac.

    And not to be picky, but it's Mac. Short for Macintosh. Not MAC, short for Media Access Control address, as in your NIC card.

    --
    ehintz
  4. Here's the fix (no sarcastic anti-MS comment here) by Anonymous Coward · · Score: 5, Informative

    Launch IE 5.1, go to the Explorer menu, then to Preferences.

    Go to the "Receiving Files" options and DISABLE "Automatically decode MacBinary files" and "Automatically decode BinHex files".

    Easy as that.

  5. Not Stuffit's Fault by Brownian+Motion · · Score: 5, Informative

    It is not Stuffit. It's Internet Explorer de-binhexing and executing the coded app all on its own. Since you mention Stuffit, I'm not sure you understand what is going on, as Stuffit does not have this behavior (nor is it involved).

    It's not a feature of OS X (or the OS's fault in any way). I never noticed the beta IE (used in OS 10.0[0-4]) doing this, and I used it throughout. I rarely booted into OS 9 when OS X came out, and I used the beta fairly extensively as well.

    IE is auto-decoding a binhex, then if it's an application, automatically executing it. No other version of IE does this. No other mac internet app does either. Others will auto-decode files for you, but leave it to you to launch them.

    Sure, you can turn off the binhex pref, but without the added "feature" it is not a security risk to simply de-binhex a file (probably less dangerous than uu-decoding). Even a savvy user who perused every setting wouldn't know to uncheck "automatically decode binhex" to turn off a feature that's so stupid one wonders why someone would bother coding it (automatically running dl'd apps).

    Now Stuffit has its own security risk. By default, it will auto-mount any disk image it decodes. A disk image can be set to automatically launch an app when loaded. Hence, Stuffit can be made to do what IE is doing in a roundabout way. Personally, I think this "feature" should be turned off for disk images as well.

    I use the slowest G4, and I've not noticed Stuffit being a hog, though it is annoying. It ripped through the 189 MB dev tool installer in a few seconds.

    IE has other problems as well. It will reset my Internet prefs (usually just the dl folder, but sometimes it will set itself as the default web app). Just use Omniweb, and you get a nice spell checker to spell check your posts (I know I need it).
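The thread keeps coming back to the same point: de-binhexing a download only yields a file, and launching it is a separate step that a browser has no business taking on its own. The example below (added here; it is not code from Internet Explorer, Stuffit, Apple, or anyone in the thread) implements a BinHex 4.0 decoder that verifies the three CRCs, recovers the name, type, creator and both forks, and then stops, reporting whether the result is a classic application (file type 'APPL') rather than opening it. Its CRC convention (CRC-CCITT via `binascii.crc_hqx`, no trailing zero bytes) follows Python's former `binhex` module; the two `.hqx` samples are constructed inline with the companion encoder and are not real downloads.

```python
"""BinHex 4.0 (.hqx) decoder that reports what an archive contains without running it.

Added example; not IE's, Stuffit's or Apple's code.  CRC handling follows Python's
former binhex module.  The sample archives below are constructed for the example."""
import binascii
import struct

BANNER = "(This file must be converted with BinHex 4.0)"
# The 64-character BinHex alphabet, in 6-bit value order.
ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
DECODE_TABLE = {c: i for i, c in enumerate(ALPHABET)}


def crc16(data: bytes) -> bytes:
    return struct.pack(">H", binascii.crc_hqx(data, 0))


def six_bit_encode(data: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)                      # pad the final 6-bit group
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def six_bit_decode(text: str) -> bytes:
    bits = "".join(f"{DECODE_TABLE[c]:06b}" for c in text)
    usable = len(bits) - len(bits) % 8                  # discard padding bits
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def rle90_encode(data: bytes) -> bytes:
    # Escape the 0x90 run marker only: a legal, merely uncompressed, RLE90 stream.
    return data.replace(b"\x90", b"\x90\x00")


def rle90_decode(data: bytes) -> bytes:
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        i += 1
        if b != 0x90:
            out.append(b)
            continue
        count = data[i]                                 # 0x90 0x00 = literal 0x90;
        i += 1                                          # 0x90 n = previous byte, n copies total
        if count == 0:
            out.append(0x90)
        else:
            out.extend(out[-1:] * (count - 1))
    return bytes(out)


def encode_binhex(name: str, ftype: bytes, creator: bytes,
                  data: bytes, rsrc: bytes = b"") -> str:
    """Build .hqx text (Finder flags = 0).  Used here only to construct sample input."""
    fname = name.encode("mac_roman")
    header = (bytes([len(fname)]) + fname + b"\x00" + ftype + creator
              + struct.pack(">Hll", 0, len(data), len(rsrc)))
    raw = header + crc16(header) + data + crc16(data) + rsrc + crc16(rsrc)
    body = six_bit_encode(rle90_encode(raw))
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return BANNER + "\r:" + "\r".join(lines) + ":\r"


def decode_binhex(text: str) -> dict:
    """Decode an .hqx file into metadata and forks; never launches anything."""
    start = text.index(":", text.index(BANNER) + len(BANNER))
    end = text.index(":", start + 1)
    raw = rle90_decode(six_bit_decode("".join(text[start + 1:end].split())))
    nlen = raw[0]
    hdr_end = 1 + nlen + 19                 # version, type, creator, flags, dlen, rlen
    if crc16(raw[:hdr_end]) != raw[hdr_end:hdr_end + 2]:
        raise ValueError("header CRC mismatch")
    ftype, creator, flags, dlen, rlen = struct.unpack(">4s4sHll", raw[2 + nlen:hdr_end])
    pos = hdr_end + 2
    data = raw[pos:pos + dlen]
    if crc16(data) != raw[pos + dlen:pos + dlen + 2]:
        raise ValueError("data fork CRC mismatch")
    pos += dlen + 2
    rsrc = raw[pos:pos + rlen]
    if crc16(rsrc) != raw[pos + rlen:pos + rlen + 2]:
        raise ValueError("resource fork CRC mismatch")
    return {
        "name": raw[1:1 + nlen].decode("mac_roman"),
        "type": ftype, "creator": creator, "flags": flags,
        "data": data, "rsrc": rsrc,
        # Classic Mac OS marks launchable programs with file type 'APPL'.
        # Decoding ends here; whether to open the result is a separate decision.
        "is_application": ftype == b"APPL",
    }


def classify(hqx_text: str) -> str:
    info = decode_binhex(hqx_text)
    kind = ("APPLICATION (type APPL): decoded, not launched"
            if info["is_application"] else "document")
    return f"{info['name']!r} type={info['type']!r} creator={info['creator']!r}: {kind}"


# Constructed samples: a fake classic application and a plain text document.
SAMPLE_APP_HQX = encode_binhex("Free Screensaver", b"APPL", b"EVIL",
                               b"not a real program, just bytes \x90\x90\x00", b"\x00" * 16)
SAMPLE_DOC_HQX = encode_binhex("ReadMe", b"TEXT", b"ttxt", b"Hello from 2001.\r")

if __name__ == "__main__":
    for sample in (SAMPLE_APP_HQX, SAMPLE_DOC_HQX):
        print(classify(sample))
```

The decoder does what every other Mac download tool in the thread is said to do: it turns the `.hqx` text back into a file and hands the type code to the caller. A browser with the IE 5.1 behaviour would, at the point where `classify` returns, have launched anything of type `APPL`; the check a practitioner wants is the one the comment above asks for, which is to treat that type code as a reason to stop, not to run. The CRC checks matter too, since a decoder that silently accepts a corrupted header will happily misreport the type.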