Safari shell script exploit

To be honest, I almost never read past the headline of any news item about malware. Of any kind. On any system. Essentially because one or more of the following are always true:
  • The author is very obviously completely clueless.
  • The target system is Microsoft Windows, and hence it's not even news. Closely related is that the exploit requires the user to be using Outlook Express to read email, is vectored over a peer-to-peer filesharing network, or requires a Windows box directly connected to the Internet. (None of these can possibly affect me.)
  • The malware requires the manual intervention of a novice-level user, such as falling for a phishing scam by clicking on a malicious hyperlink. (I'd like to think I'd never do that.)
Today I found an exception, and I read the whole article on the "Safari shell script execution exploit" over at Daring Fireball. The one-line summary is this: By default, Safari will open "safe" files after downloading, and the application it uses to do so is determined by a particular resource in the file's resource fork. So, for example (and this is the example used in the demonstration by Heise Online), you can dress a shell script up as a JPEG by adding a ".jpg" extension, yet it will be opened by the Terminal and executed.

It's really easy to turn this behaviour off in Safari: untick "Open 'safe' files after downloading" in the General pane of Safari's preferences. Of course, this doesn't solve the entire problem, since the Finder will also feed the "JPEG" shell script to the Terminal. As Gruber points out, it's also not a new problem: "you can’t safely double-click files from untrusted sources, and you never could."
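Unticking the preference deals with Safari, but the underlying mismatch (a file whose name and resource fork say "image" while its contents say "shell script") is something you can check for directly, because a content check reads the bytes rather than trusting the metadata the Finder uses. The following is an added example, not code from the original post or from Apple: a small Python scan over a downloads folder that flags files whose image extension disagrees with their leading bytes. The sample files it writes are constructed for the demo, and the extension table and verdict names are my own.

```python
import os
import tempfile

# Leading bytes for the image types a "safe" download commonly claims to be.
# Constructed for this example; not an exhaustive list.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def inspect_download(path):
    """Compare a file's claimed type (its extension) with its leading bytes.

    Returns one of:
      "ok"                - extension and magic bytes agree
      "script-disguised"  - image extension, but the file starts with "#!"
      "mismatch"          - image extension, but not an image we recognise
      "unknown-extension" - an extension this checker knows nothing about
    """
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(16)
    expected = IMAGE_MAGIC.get(ext)
    if expected is None:
        return "unknown-extension"
    if any(head.startswith(magic) for magic in expected):
        return "ok"
    if head.startswith(b"#!"):
        # The page's case: a shell script wearing a .jpg extension.
        return "script-disguised"
    return "mismatch"


def scan_directory(directory):
    """Inspect every regular file in a directory; returns {filename: verdict}."""
    results = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            results[name] = inspect_download(full)
    return results


def write_constructed_samples(directory):
    """Write constructed sample downloads (harmless, not real malware)."""
    samples = {
        "real.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine JPEG header
        "shell.jpg": b"#!/bin/sh\necho harmless demo\n",  # script dressed as JPEG
        "text.png": b"this is just text\n",               # wrong content, not a script
        "notes.txt": b"plain file\n",                      # extension we do not check
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return sorted(samples)


def demo():
    """Build the constructed samples in a temp directory and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        write_constructed_samples(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Because the check never looks at the resource fork or at the Finder's idea of the opening application, it works the same on any system and catches exactly the case the exploit relies on: the metadata and the bytes telling different stories. It complements, rather than replaces, turning the preference off; the same setting can be written from a shell with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`.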
