Mac OS X Struck By Severe Security Hole

An anonymous reader writes "Macworld is reporting about a new security hole in Mac OS X that can be exploited to compromise a system if the user simply visits a web site with Safari. Currently, no vendor patch is available. Secunia has a demonstration of the vulnerability and suggestions for temporary workarounds."

OS X 10.4.5

[RugRat]

Went to the proof of concept, followed directions and it did not execute.

I'm running 10.4.5 with Safari 2.0.3. Looks like not everyone is vulnerable.

This is just like a .jpg.exe

[Gopal.V]

The vulnerability is caused due to an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives. This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive.

Considering that Mac OSes have never believed in file extensions and have always read file meta-data to determine action, this ranks equal with a browser executing .jpg.exe files when you click on the seemingly innocent nude-zeta-jones.jpg.exe...

disabling the "Open *safe* files after downloading" option in Safari

So the guys in apple who had the __MACOSX part to zip files didn't communicate that to the Safari folks. Communication gaps happen, but this is gross oversight in a company which claims to sell their software for a premium because it is cool (and well-tested UNIX background).

Shell vulnerabilities seem to be the entry point usually, seeing the firefox shell:// that was recently discovered... Integration comes with its own sweet price.

Re:Protect yourself in one click

[hackstraw]

This is quite a nasty little exploit so I suggest making the change ASAP.

I did this years ago.

Can someone remind me what is the point of a browser allowing "driveby downloads" and automatically launching the content of the download?

Safari has a nice download manager that lists the most recent downloads, and by simply double clicking on the one you trust and want to view is up to you.

This is at least over a 1 year old issue: http://www.net-security.org/vuln.php?id=3461

Is it too much to ask for normal users to double click on a file to launch it? This is what we used to do, and still do with email, ftp, removable media, networked drives, everything. What is the point of a driveby download and launch?

Re:Safe default settings

[corvair2k1]

I remember quite distinctly the horror I felt when I first got my mac and discovered that it automatically opened safe files... At least around 10.4.2 or so, this was default behavior. And this option has carried on with me to 10.4.5, but is disabled today.

Why isn't Secunia Being Flamed Here

[Compulawyer]

Why isn't Secunia being flamed here for releasing details of an exploit before Apple has had a chance to patch it? Are there not enough details for someone to create their own version? I may be wrong, but I did not notice one mention of any fact that indicates that Apple was notified of the problem and/or given an opportunity to fix the problem. I am used to seeing such information releases eing labeled as "irresponsible" but I have not seen any discussion of this aspect of the story yet.