Doctor Q said:
Is this potentially another workaround?jon_010101 said:
<edit> Exploit still works. Hope they fix it.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Safari Security Flaw Reported
- Thread starter michaellehn
- Start date
- Sort by reaction score
<edit> Exploit still works. Hope they fix it.
Did this crash anyones machine? cause mine did, first time since i got the mac :S
lets hope apple fix safari
lets hope apple fix safari
motulist said:
Yes, if you had the Safe download checked. It could still delete your home folder. It would have the same permissions that you, as a user, would. It'd be like if you launched it manually, or you went into Terminal and typed the command itself.
Bottom line, turn off "Safe" downloading. Apple should remove the feature altogether, IMHO.
rm -rf $HOME/* might work with tcsh
jon_010101 said:Ha... I use tcsh as my default shell, so it just poops out after it launches. Still, scary stuff... they will have to change the "open" command to warn against, or simply restrict, shell scripts in order to fix this. The problem is not really with Safari ... it is with the way that OS X launches files in general. It allows you to have a benign-looking file be a shell script in disguise!
Yes
The worm can potentially do everything you can do in person via mouse and keyboard as long as it does not require you to type in a password.
This can be a lot: deleting your own files, sending/reading emails,...
motulist said:
The worm can potentially do everything you can do in person via mouse and keyboard as long as it does not require you to type in a password.
This can be a lot: deleting your own files, sending/reading emails,...
This seems about as dangerous as the recently discovered malware/trojan/virus. Simple solution is just to deselect "open safe files after download." From there it is more a social engineering trojan/malware/virus - "click on me, I'm just a picture of some naked celeb".
Don't get me wrong, I'm glad this was discovered. I think it is just another reason why the mac is safer (not immune) from many of the problems with windows. A bug like this comes out on windows and most would be "oh, it doesn't self propogate and you have to actually click to download - no biggie."
Don't get me wrong, I'm glad this was discovered. I think it is just another reason why the mac is safer (not immune) from many of the problems with windows. A bug like this comes out on windows and most would be "oh, it doesn't self propogate and you have to actually click to download - no biggie."
German Heise Magazine just reported that this flaw also is in Mail
Heise reported, that the flaw is also in the Mail program (so giving a shell script the jpg ending and setting the open with to terminal and the encode it as a AppleDouble will make a executable script with a jpg-icon !!!)
Downloaded the test from heise... It worked ! Scary !!!!
Heise reported, that the flaw is also in the Mail program (so giving a shell script the jpg ending and setting the open with to terminal and the encode it as a AppleDouble will make a executable script with a jpg-icon !!!)
Downloaded the test from heise... It worked ! Scary !!!!
It's neither a problem of Safari nor of Mail.
It's a flaw or at least an unwanted side-effect of OS X itself.
There is only one solution:
Don't ever open a file blindly if you don't know already what it is.
Check the file with Get Info and in Terminal:
`file filename` will give you more information about the file's type.
It's a flaw or at least an unwanted side-effect of OS X itself.
There is only one solution:
Don't ever open a file blindly if you don't know already what it is.
Check the file with Get Info and in Terminal:
`file filename` will give you more information about the file's type.
lexfuzo said:
Yup, it is.
lexfuzo said:
This is in the most cases the solution (even in M$ Windows).
But it's an issue... and Apple should do something about it...
Maybe we Mac-users should realize that reality finally catched up with us...(Hello, Anti-Virus !)
It's been a while... Is Disinfectant still available on the Mac ?
ah, good old System 6 days !uezi said:
Yes, the most important thing is to keep your eyes open. Antivirus - maybe, but don't rely on it blindly.
It is about time that even Mac-users start developing some consciousness for security issues.
Because security issues tend to come and go without a serious risk to the Mac community and this, a proof-of-concept exposure of a flaw that we already know can easily be avoided, is another such case.Whistleway said:
Doctor Q said:
Hrm. I would argue for just the opposite of what MR has done with the past two exploits. This one ought to be on the front page because everyone needs to know that they should turn off the "Open safe files" option. With this publicly known, anyone can now easily create a web page exploiting the flaw. People should also be very wary of any mail attachment even if it "looks" harmless. People need to be aware of this, even if it means bad press for Apple (and hey, bad press should light a fire under them to get a fix out quickly).
In contrast, the previous exploit (the trojan) was waaaaaay overblown and misinterpreted by external press, so in retrospect a page two placement may have helped contain the unnecessary fire. This one was the lesser risk by far, and much more easily avoided.
Just my opinion, though.