Mac OS X Struck By Severe Security Hole

An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."

Also works in Mail.app

[daveschroeder]

You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).

You can test this by downloading this harmless exmaple:

http://www.heise.de/security/dienste/browsercheck/ demos/safari/Heise.jpg.zip

...and sending the resulting JPG to yourself in Mail.app.

This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.

I'd expect a security update that addresses this *very* soon. This is a bad one.

Re:Also works in Mail.app

[joetheappleguy]

Thanks for the test file. I downloaded with Safari, but have "Open Safe Files" turned off it did nothing after download.

I then unzipped the file and had a look at it in the Column view of the Finder, at this stage a normal jpeg would have been previewed, but the Finder had the file listed as "Terminal Application", but I think that most Mac users tend to use List or Icon view though, which would force them to open the file, activating it.

I then emailed myself the file with Mail.app 1.3.11 (In 10.3.9) and after the receiving the email I was warned that "Heise.jpg is an Application and could contain viruses, etc". after I attempted to save the attachment - It also did not preview in the mail message (Obviously)

Seems that this type of vulnerability is most likely to affect mid-level users who are somewhat reckless with their clicking and think they know better than new users who read and "cancel" every message box for fear of breaking their computers or advanced users who realize at a glance that the .jpg does not "feel" right.

Workaround: Camino

[Ryan+Amos]

I don't use Safari because it doesn't render pages as well as a mozilla based browser, and now I have a reason to gloat :)

Get Camino here. Camino is an OS X native browser using the gecko rendering engine. Looks better than Safari, is faster than Safari, and apparently is more secure than Safari. Plus the security is more easily tunable.

Most Mac users have heard of it by now, but I'm just giving them another plug because it kicks ass.

Re:Workaround: Camino

[IronyChef]

Camino is an OS X native browser using the gecko rendering engine. ... faster than Safari

I don't know what the evidence for this claim is, but my (warm app, cold cache) tests on a few sites showed Camino to range from similar to slower than Safari.

and apparently is more secure than Safari.

Read the Secunia article - this isn't a Safari security hole, it's an underlying platform issue and can be exploited in other ways.
Besides, the Mozilla family browsers have had their share of security holes.

Re:how bad is it really?

[nkarman]

No, it does NOT ask for an admin password, however you need to be logged in as a privledged user (administrator) for it to work. A standard user clicking the test link does not execute calculator, an admin user does. All the more reason to not do your everyday work in an administrative account. My test was Safari 2.0.3/OSX 10.4.5. Now if the code tried to do something more system wide through the terminal window it opened, it would probably require a su or sudo authentication. Opening a program or executing some simple code is enough to cause some problems though.