Mac OS X vulnerability allows execution of malicious code

In what is being described as a "highly critical" vulnerability, security firm Secunia on Monday issued an advisory to all Mac OS X users that surf the Web with Microsoft's Internet Explorer or Apple's Safari Web browsers... The result of the vulnerability, which has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2, is that it is "possible to place arbitrary files in a known location, including script files, on a user's system if the Safari browser has been configured to ("Open "safe" files after download") (default behavior) by asking a user to download a ".dmg" (disk image) file." Source: MacCentral
Um, yea. This "flaw" has been known for a while now, folks. Apple should have fixed this in February. Why didn't they? Good question. New information found here. Many other related links are found at that article.

Basically you should get More Internet, something I have installed already. More Internet is a fix for the flaw, but Apple needs to patch the Terminal vulnerability. This is not, by the way, the first time a security hole has been found to gain access to the Terminal with more privileges than you should have. This one just has not been fixed yet. There is an AppleScript inside the Help Viewer package that is the root of this vulnerability.

This is the first OS X vulnerability I am worried about. But there is a temporary fix, and I hope Apple makes an "official" patch soon. "rm -rf" cannot be used because the string command will not accept spaces. At least it has not been figured out yet.

Two examples of what can be done with this vulnerability: The first uses a meta refresh to cause you to download and mount a .dmg file. The second uses this technique to launch an executable in the mounted volume. This could be used by AOL and other vermin to automatically install a "Free Trial of..." from a pop-up. That is nasty.


Comments (2)

If it's been known for a while, then why haven't Apple fixed it yet?

You have to be cautious as to what you download off the web in Windows. Those who have used Windows for years know what I am talking about. The only thing I do on the web on my PC is test and debug, there is a reason for that.

Well, the Mac is not immune folks, the exploits are just not being as often or as much.

How many auto executable files are there on Windows? How many of those could a Web/Email user be tricked into downloading?

This is the perspective I look at.

At its inception, Safari has always been able to execute AppleScript code. I cannot remember if IE can execute AppleScript, I must admit, I have not actively used IE in years.

Yes, this is a problem. I do not see why you need to execute AppleScript, or for that matter, the Help Viewer app, from a web browser on Mac OS X. Patch Help Viewer and then I might understand the usefulness of hyper-linking help files from web pages.

This weblog is licensed under a Creative Commons License.