Slashdot Mirror


Huge security hole in Internet Explorer for MacOS

Brad Lucier writes "Macintouch is reporting (go down the page a bit) that Internet Explorer 5.1, which comes preinstalled on MacOS X 10.1, has a huge security hole---when it downloads arbitrary programs encoded in the Macintosh's standard BinHex (.hqx) format, it automatically executes them." Well I guess that's one way to make Unix insecure. Can anyone actually confirm this, since it looks kinda sketchy? I wonder what someone's rationale would be for that: "Oh this won't hurt anyone, and saving that extra 'OK' click will be great!".

11 of 606 comments

  1. Wow by bigbrett · · Score: 0, Redundant

    Brilliant. That sort of decision runs by whole teams, I would imagine. Why doesn't anyone speak up? I would imagine that folks on the Apple side saw that, also.

  2. filter blocking the Re:Well, yeah..... by motherhead · · Score: 0, Redundant

    yeah you beat me to the punch but that was pretty much exactly what i was thinking...

    "how come something that can be changed with two simple radio button clicks is being broadcast as a gaping titanic scale hole in Mac OS 10.1 security..."

    Had i posted it first though, i would have tossed in some "For Shame!" as well, especially after reading all the kneejerk anti-Mac anti-BSD trolls and their retarded comments.

    good call, good post.

  3. Re:Sigh. by J'raxis · · Score: 0, Redundant

    No, they won't. When it's a problem with Windows, or Microsoft software running on Windows, it's reported as a general computer problem. This is a problem with Macintosh. I'm sure that the media will point that out very specifically.

  4. look in the preferences by bubbo · · Score: 2, Redundant

    In the preference options, under download options, there is a checkbox for opening binhex, and macbinary files automatically. If you are really concerned about it, turn it off.

  5. I wish I could mod this up by HoaryCripple · · Score: 0, Redundant

    It does not deserve a 0

  6. Replace IE On Any System by PRickard · · Score: 2, Redundant

    For a full list of replacements for Internet Explorer on any computer system, check out the Internet Explorer listing on MSBC's The Alternative. It's worth a read to see just how many IE replacements are available, quite a few of them for Macs.

    --

    == Paul Rickard, Editor of The Microsoft Boycott Campaign ====

  7. Confirmed problem does exist by pbaker · · Score: 0, Redundant

    We tried this on my friend's G3 Pismo with MacOS X 10.1 and MacOS 9.2.1 installed. Clicking on the danger link from the site, IE downloaded the file. It then was automatically extracted. Classic then started up and tried to run the program. This locked up Classic but we were able to force quit the danger app and shut down Classic.

    This was with a default install of Internet Explorer on 10.1. NO PREFERENCES were changed.

    This is very scary indeed!!

  8. Simple fix for the problem by DragonPup · · Score: 2, Redundant

    Under IE5.1 Final for OS X, go into its preferences. Under the Receiving Files category, choose Download Options. There are 2 checked items by default: 'Automatically decode BinHex' and 'Automatically decode MacBinary'. Uncheck them both and hit ok. IE will now send those files over to StuffIt Expander, like it should. Easy, isn't it?

    -Henry

    --
    "Useless organic meatbag" -HK-47

  9. But why the HELL... by Ungrounded+Lightning · · Score: 1, Redundant

    You can turn off the automatic decoding of bin.hex files ...

    But why the HELL was it on by DEFAULT?

    Oh, right.

    It's a Microsoft program.

    Never mind.

    (The fact that it's for use on a non-Microsoft platform, and thus could make that platform vulnerable to malicious cracking, probably wasn't even a factor.)

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way

  10. Re:Not really a hole by J'raxis · · Score: 0, Redundant

    Yes, and IIS is an option in Windows 2000 that can be easily turned off.

    /ME checks his Apache logs.

    Looks like most people are not aware of that either.

  11. Re:Not true by sugarbomb · · Score: 1, Redundant

    Root may be the owner of the file, but that does not mean root owns the process when TruBlue is launched. Classic is just another application, and not a system function. As an app, the only way it gets root power is if a password is entered by an administrative user.