Safari struck by Zip security warning (OS X security warning)
Posted on 02/21/2006 7:36:56 AM PST by Senator Bedfellow
A new security vulnerability in Safari has been identified by security experts at Secunia.
The company - which rates the flaw as extremely critical - says that the vulnerability was discovered by a source outside the company, Michael Lehn.
It can be exploited by malicious people to compromise a user's system, it warns.
The vulnerability is caused by an error in the processing of file association meta data (stored in the "__MACOSX" folder) in ZIP archives.
This can be exploited to trick users into executing a malicious shell script renamed to a safe file extension stored in a ZIP archive, Secunia warns.
It can also be exploited automatically by Safari when visiting a malicious website.
The company has released a test users can run to check if their systems have been affected.
The vulnerability has been confirmed on an up-to-date system running Safari 2.0.3 (417.8) and Mac OS X 10.4.5.
Users can mitigate the threat by disabling the "Open safe files after downloading" option in Safari.
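The article describes a script renamed to a safe extension and shipped in a ZIP with file association metadata under "__MACOSX". As an added example (not part of the original article or of Secunia's advisory), here is one way a defender could screen an archive for that shape before opening it. The extension list, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import os
import zipfile

# Leading bytes expected for extensions a browser might treat as "safe"
# (illustrative list, an assumption of this example).
MAGIC = {".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8", ".pdf": b"%PDF-"}

def audit_zip(data: bytes) -> list:
    """Flag entries whose content does not match their 'safe' extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue  # metadata entries and directories are not payloads
            magic = MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None:
                continue  # extension is not on the "safe" list
            with zf.open(info) as fh:
                head = fh.read(len(magic))
            if head == magic:
                continue  # content agrees with the extension
            # AppleDouble sidecar that carries the file-association metadata
            folder, _, base = name.rpartition("/")
            sidecar = "__MACOSX/" + (folder + "/" if folder else "") + "._" + base
            findings.append({
                "name": name,
                "has_macosx_metadata": sidecar in names,
                # Upper 16 bits hold the Unix mode when the archive was made on Unix
                "executable": bool((info.external_attr >> 16) & 0o111),
            })
    return findings

def build_sample() -> bytes:
    """Constructed archive: one real JPEG header, one text file renamed to .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        fake = zipfile.ZipInfo("photos/holiday.jpg")
        fake.external_attr = 0o100755 << 16  # rwxr-xr-x regular file
        zf.writestr(fake, b"echo constructed sample\n")
        # Constructed stand-in for the AppleDouble metadata entry
        zf.writestr("__MACOSX/photos/._holiday.jpg", b"\x00\x05\x16\x07")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in audit_zip(build_sample()):
        print(finding)
```

An entry that is flagged and also has a "__MACOSX" sidecar or the executable bit set deserves inspection in Get Info before it is double-clicked.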
But, but... Macs don't have any viruses or bad things happening to them. Must be a typo.
Even the magic elf workshop has an off day now and then, I guess ;)
This can't be right... Lex Luthor must have implanted embedded kryptonite into the almighty OSX... Superman must have overlooked this deliberate plot hatched by Bill Gates.
Well, I'm typing this on a Mac now and I've never, ever had a problem and everything...&&&&&&**((((((!!!!!!!!!!AHHHHHHHHHHH
LOL.... this is old news (well, the Secunia variant isn't) - it's basically an option in the web browser that you can turn on to allow it to auto open files after you download. So, make sure it isn't turned on (which it isn't by default) and the "virus" doesn't work. - This has been something that was addressed LAST year.... by telling people "Hey. Jackass. DON'T turn on the "open safe files" if you browse the web a lot." --- this is basically someone else writing a little proof of concept file (which by the way, I just downloaded and ran and didn't work on my machine - something about permissions) ---
still running 20+ macs and ne'rry a single virus ........ And having well over 2000 clients with macs without a SINGLE virus, trojan......spyware...adware..... sniffles....
Waiting for the inevitable "It's coming .. you just wait....!" from someone playing devil's advocate for the windows side.......
BTW- just an odd thought- when did it become alright to advocate the devil?
I'm not from the windows team... I dislike both OSX and windows.
"it's basically an option in the web browser that you can turn on to allow it to auto open files after you download. So, make sure it isn't turned on ..."
Kind of like the vulnerability Outlook had a long while ago ...
"Hey. Jackass. DON'T turn on the "open safe files" if you browse the web a lot."---
LOL -- Hey Jackass - Just because we say "open SAFE files" doesn't mean we actually know that they ARE safe to open!
No, that's really not true - until Apple patches the OS to change how ZIP files are handled, this is readily exploitable as a trojan. It would be wise to be wary of ZIP files from unknown or untrusted sources until then.
BTW- just an odd thought- when did it become alright to advocate the devil?
Not only is it "alright" ... It's a MUST .. re the canonization of saints. It's sort of like, I'm not gonna' take as fact, my young son's word is true .. that the kid down the street, or across town, is OK for him to hang out with. It's my duty to check it out. "Trust, but verify."
("Advocate of the Devil" or "Devil's Advocate").
A popular title given to one of the most important officers of the Sacred Congregation of Rites, established in 1587, by Sixtus V, to deal juridically with processes of beatification and canonization. His official title is Promoter of the Faith (Promotor Fidei). His duty requires him to prepare in writing all possible arguments, even at times seemingly slight, against the raising of any one to the honours of the altar. The interest and honour of the Church are concerned in preventing any one from receiving those honours whose death is not juridically proved to have been "precious in the sight of God" (see BEATIFICATION and CANONIZATION). Prospero Lambertini, afterwards Pope Benedict XIV (1740-58), was the Promoter of the Faith for twenty years, and had every opportunity to study the workings of the Church in this most important function; he was, therefore, peculiarly qualified to compose his monumental work "On the Beatification and Canonization of Saints," which contains the complete vindication of the rights of the Church in this matter, and sets forth historically its extreme care of the use of this right. No important act in the process of beatification or canonization is valid unless performed in the presence of the Promoter of the Faith formally recognized. His duty is to protest against the omission of the forms laid down, and to insist upon the consideration of any objection. The first formal mention of such an officer is found in the canonization of St. Lawrence Justinian under Leo X (1513-21). Urban VIII, in 1631, made his presence necessary, at least by deputy, for the validity of any act connected with the process of beatification or canonization.
Saints Alive! My MAC is clean!!
Also works in Mail.app
by daveschroeder (516195)
on 10:27 AM February 21st, 2006 (#14767730)
You can send this same shell script masquerading as a JPG file and shown as such by Mail.app, and it gets executed as soon as it is clicked/viewed in Mail.app (obviously not affected by Safari's "safe files" setting).
You can test this by downloading this harmless example:
http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip [heise.de]
...and sending the resulting JPG to yourself in Mail.app.
This is rooted in something that has been true about Mac OS in general for over 22 years, which is that any file or document - including executables - can have any icon. Other elements of the OS (such as the Get Info window) properly identify it as a Terminal document (shell script), and show that it is opened with Terminal, but most users won't see or understand this.
I'd expect a security update that addresses this *very* soon. This is a bad one.
Reminds me of how the gun-grabbers flock to a school shooting -- hoping to dance on the graves of the innocent...
Okay. Have it your way. Don't pay any attention to this, and just keep on doing what you're doing.
Actually, this particular bug would force Safari to open ZIP files, even if that option is turned off. I was affected by it (it never executed any programs that I could see), but Apple seems to have fixed the problem in 10.4.5.
Just goes to re-iterate every software developer's core doctrine -- there is NO bugproof software.
(Denny Crane: "I Don't Want To Socialize With A Pinko Liberal Democrat Commie. Say What You Like About Republicans. We Stick To Our Convictions. Even When We Know We're Dead Wrong.")
The Slapdash post is more troubling than the original report.
Secunia is not a reliable source.
Better to get security info from other Mac sources.
It's only troubling if you're an apple user. >:-}
I'm not yet too proficient an OSX hacker, yet; but on earlier systems; I would check the resource forks of suspect files. These things are easy to spot...
I just find it amusing that PC users are drawn to Mac threads -- to the extent that their posts frequently outnumber those of the Mac folks. Sort of like the morbid folks who watch NASCAR -- hoping for a wreck....
Does Mail.app attempt to display inline images by default, rather than as attachments? If so, the rather troubling result is that the script may well automatically execute simply by opening a malicious email. Considering how much havoc was caused by Outlook executing whatever script happened to land in the inbox, I'm sure we can imagine the potential for trouble here...
Well, I'm not a Mac user, so I can't really test this, but one would think that it shouldn't be able to work this way, as a file has to be marked as executable (i.e., chmod 755) in order to run. Images don't need to have the executable bit set to display, so I question whether this tidbit is true. /. is not the best place to get accurate information, but can often point you to a place to look :-)
True. On the other hand, you can gzip it with the executable bit, and when it's unzipped it'll be ready to roll.
True. I'm still kind of unclear about how a particular file gets executed when you are attempting to view an image. Doesn't really affect me anyway :-) I should let the Macheads figure it out. :-)
Re: FireFox ... But, But...
"If you have at least version 1.5, you will be prompted to use the new automated update feature. There are 8 'highly critical' security fixes included with the newest update. Head over to the Firefox site (http://www.mozilla.com/firefox/) to get the latest version of the browser. "
No, it's that PC users are tired of mac users lying about their systems working perfectly to try and show intellectual or class superiority -- or some such thing. And, to a lesser extent, irritation at the emotional attachment most mac users seem to have to their machines such that they get terribly defensive when anyone suggests that anything made by Apple isn't the best.
"Sort of like the morbid folks who watch NASCAR -- hoping for a wreck...."
True, but I just find it amusing how the Mac and Linux folks keep trying to say they have no problems.
Doesn't work on my G5... I think this was a vulnerability that was found about two years ago and patched.
I also tested my computer on the test the guy who claims to have discovered its site... didn't work there either. I tested it on five other Macs today... none were vulnerable.
The Secunia variant is just that ... a re-writing of the same-old, same-old. It works the same way the original did two years ago... and adds nothing new.
Why are we seeing these FUD stories about Trojans being called "viruses" and retreads of old, long since patched security issues, popping up this last two weeks? Could it be because Apple is shipping the new Intel Dual Core MacBookPros and a lot of Windows users are seriously looking at purchasing one? Yup... I think that might be it.
It is a retread of an issue that was discovered and fixed two years ago or so. All you Mac users, go ahead and try the vulnerability test... let us know if your calculator pops up. Mine didn't.
I was pinged to this story yesterday and checked my G5 running OSX.4.5 and found it DIDN'T WORK! I decided it was FUD and elected not to post it as it had been reported on February 2nd and got absolutely no notice because it was FUD... but now it has been posted so ...
Basically, it's another Trojan proof of concept.
Just payback for the interminable Windows bashing that goes on. In 23 years of PC using I've had two viruses. One was Melissa, which got past all the best virus scanners for a couple of days. Fortunately it didn't destroy anything.
The other was in a game I downloaded from CNET. Not a virus, but a package of adware. That was the worst. CNET pulled the game after a couple of days.
Macs are perfect. Saint Steve says so.
We keep saying it because it's true. We h@v3 noooooooooooooooooooooooo pr**bl&mmmssszzzzzzzzzzz. NikNikNikNik waaaaaaaaaaaaaaaaaaaaaa
I don't remember him ever saying they were perfect. Did he say that?
I just spent two and a half days cleaning spy & adware off an XP machine at work. I have yet to have that experience with a Mac.
Largely on FR by Apple users, actually.
If you think I'm an Apple hater, you're sadly mistaken. I've owned as many Apple products (starting with Apple II+ and have currently the top of the line iPod) as many serious Apple devotees have or do. I just don't drink the kool-aid nor do I have an emotional attachment to a damn computer like the vast majority of Apple users.
I also don't make uninformed assumptions like someone else on this forum obviously did!
How do I fix this?
In Safari, under the Safari menu, select Preferences. Click on the General tab and look for a check box that says "Open Safe Files after downloading" and click it to put a check in the box. Done. This was the solution two years ago when this problem was first noticed.
Most of the Apple-related posts I see are by those who bash Apple users. I don't see too many Apple zealots, if any. Certainly nothing like what's popularly attributed. Apple users have yet to have a Golden Eagle-like poster.
Last year, I too thought the same... and undertook a study of several FR threads to see if I could determine the truth. My methodology and the results culled from 36 threads (18 Mac, 18 Windows) are posted below:
I have long thought that there was a distinct dichotomy between the civility of Mac users on MS threads and vice versa. This was just a casual observation that Mac users on Windows' threads, aside from comments such as "Buy a Mac" in response to problems on MS Windows computers, were generally fairly helpful and polite compared to MS Windows users on Mac oriented threads.
I decided to check and see if my casual observation was actually fact.
I did a Free Republic search for both "Windows" and "Microsoft" and read the first 18 threads I found dealing with Windows' security and OS issues. I then did a similar search for "Macintosh" and "Apple" as well as "OSX" and read the first 18 threads also dealing with Macintosh's security and OS issues.
I tabulated comments in each thread that I deemed were "invading" the thread (Mac is better than Windows in Windows threads, or Windows is better than Mac in Mac threads). I noted comments in three categories: mild, moderate, and insulting. Those which I deemed "mild" were those in which a platform advocate made reasoned commentary about their preferred platform and compared it to the subject platform. Those that commented denigrating the subject platform with ignorant or outdated mis-information, I deemed "moderate". Finally, comments attacking or denigrating the users of the subject platform, I deemed "Insulting". These judgments were subjective on my part... but I attempted to be totally fair.
The findings were eye opening.
Microsoft Windows Threads: In the 18 threads dealing with problems or OS issues of Microsoft Windows, I found 33 pro-Macintosh comments out of 944 comments in the threads. Those comments accounted for a mere 3.5% of all comments. Of those comments, 19 (2%) were of the mild "Buy a Mac" type, 14 (1.5%) were of the "Windows sucks and you should buy a Mac" category, and 1 was an outright insult to Windows users. Incidentally SIX of the 18 threads had no pro-Mac/Anti-Windows comments (although there were Windows users slamming Windows in all but one of the threads!)
Four of the 18 Windows articles mentioned Macs in the body of the article... and naturally there were more pro/anti Mac comments in those particular threads by about 3 to 1 over articles that did not mention Macs.
Interestingly, 16 of the 944 comments in the Windows threads were gratuitous slams against Macs... 1.7%... and four of them were outright insults to Mac users themselves.
Apple Macintosh OSX Threads: On the 18 Macintosh threads, which were for some reason more active than the Windows threads with 1563 comments, (the percentages were far different). In those 1563 comments, 230 (an astounding 14.7%) were pro-Windows/anti-Mac comments! Of those, 89 (5.7%) were of the mild "Windows can do the job better" or "I prefer to use Windows because there is more depth to the software" type. 112 (7.2%) were of the moderate type, repeating out-dated or mis-information about Macs as gospel truth. There were 29 (1.8%) outright insult comments attacking or denigrating Mac users as "Gay", "Liberal" or "scraggly, goateed, artsy, hippies."
Going the other way in the Mac threads, 2.4% of the comments (38) were anti-Windows. Of those, 29 (1.9%) were mild and 9 (0.6%) were moderate... and there were zero insults/attacks of Windows users. Examining these, it is apparent that most are responses to the attacks and/or mis-information pushed by the Mac thread invaders (I hesitate to use the term "Trolls"). In five of the Mac threads, comments had been deleted by FR moderators due to abuse by Mac bashing invaders... nowhere was this found on the MS Windows threads surveyed.
The evidence is in. Windows "Microsofties" are far more insulting and invasive of Mac threads than "Macmoonies" are of Windows threads.
But, 1L, they are not lying. Most Mac users are reporting their experiences truthfully. It is YOUR unfounded assumption that we are lying.
You state later in this thread that you have owned Apple products in the past such as an Apple II and you now own an iPod... but do you own an OS X Mac? I doubt it. If my doubt is true, then you have very little experience with modern Macs on which to base your opinions.
I on the other hand, in addition to owning several OS X Macs, own several Windows machines running Windows from 98 through ME, 2000, XP, and XP Pro. I maintain the computers, IT security, and networks of about 35 small businesses, some of which use Macs and others that use Windows. I submit my experience on both systems is greater than yours.
Many Mac users have come from the Windows environment... and again have experience on both platforms. The same is usually not true of Windows users in general who tend to spout what they have heard from other as ignorant of Macs as themselves.
You've blinded me. With science!
It was already checked, now what?
My calculator popped up as well and I'll follow your directions when I get home. In the meantime, if this is a two year old issue, I'm amazed we haven't been shut down by now. Good karma?
No it's the invisible Rovian hand!
Yep, the bad guys don't aim at Macs since there are so few of them. You didn't know that ?