Avoid a security vulnerability in Safari

Feb 22, '06 07:11:00AM

Contributed by: robg

As most of you know, macosxhints is not a 'breaking news' site. We generally post things that aren't time sensitive, and try to stay away from news as much as possible -- there are many better sources for Mac-related news out there than this one!

As such, I didn't post anything here about either the Leap.A worm/trojan or the Bluetooth worm, as they were both thoroughly covered on other sites, and there wasn't much that could be considered tip-worthy about either of them, beyond 'use common sense when downloading and opening files from others.'

Yesterday's news of a Safari vulnerability, however, is different. While the Leap.A and Bluetooth programs required active user participation (you had to agree to accept a file, then expand and run it, for instance), this latest Safari vulnerability is riskier. A program can be executed on your Mac when you do nothing more than click a link on a website, or, on a truly malicious page (one that uses a little HTML to start the download itself), when you simply visit that page.

Other sites have done a very good job of explaining how this particular vulnerability works in detail, so I'll just summarize it here. In a nutshell, a shell script can be disguised as a harmless-looking file and zipped in such a way that Safari automatically expands the archive and Mac OS X then opens the script in Terminal, which runs it. The script runs with your privileges, so it can do anything you could do -- including, as an example, installing the Leap.A worm.

Thankfully, the short-term workaround is fast and simple: If you use Safari, open its Preferences, and in the General tab, uncheck the 'Open "safe" files after downloading' checkbox (shown in the screenshot that accompanied this post):


From now on, you'll have to expand downloaded files yourself, but that's a small price to pay for ensuring your machine can't fall victim to this vulnerability automatically. Note that you still need to practice common sense with downloaded files -- if you expand the archive and then run the resulting file yourself, it will still do whatever damage it would have done automatically. You won't, however, need to worry about this happening without your intervention.
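Since the workaround above leaves you expanding archives by hand, it helps to have a way to look inside a ZIP before opening anything in it. The following is an added example, not code from the original post or from Apple: it flags the tell-tale signs of a script dressed up as a "safe" file, namely an innocuous extension whose content does not begin with that format's magic bytes, content that reads like shell commands, a Unix executable bit, and the `__MACOSX/._name` AppleDouble sidecars that Finder-created archives use to carry a file's resource fork and Finder metadata (the part of a file that tells Mac OS X which application should open it). The extension list, magic-byte table, script hints and the sample archive are all constructed for this example and are assumptions, not anything taken from the post.

```python
import io
import zipfile
from typing import List

# Extensions that look harmless enough to be opened automatically
# (constructed shortlist for this example; Safari's real list is not reproduced here).
SAFE_LOOKING = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Leading bytes a genuine file of each type starts with.
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF",
}

# Fragments that rarely appear in pictures or documents but often in shell scripts.
SCRIPT_HINTS = (b"#!", b"$HOME", b"/bin/", b"curl ", b"osascript", b"rm -rf")


def inspect_archive(data: bytes) -> List[str]:
    """Return human-readable findings for the ZIP held in `data` (empty list = nothing odd)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1]
            # AppleDouble sidecars hold the resource fork and Finder info of the
            # file they are named after; a bare picture has no business carrying one.
            if name.startswith("__MACOSX/") or base.startswith("._"):
                findings.append(f"{name}: resource fork / Finder metadata present")
                continue
            if info.is_dir():
                continue
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            head = zf.read(name)[:512]
            if ext in MAGIC and not head.startswith(MAGIC[ext]):
                findings.append(f"{name}: extension {ext} but content lacks the expected magic bytes")
            if ext in SAFE_LOOKING and any(hint in head for hint in SCRIPT_HINTS):
                findings.append(f"{name}: looks like a shell script")
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0o777
            if mode & 0o111:
                findings.append(f"{name}: executable bit set ({oct(mode)})")
    return findings


def build_sample() -> bytes:
    """Constructed sample archive: one genuine JPEG plus a shell script named like a
    JPEG, marked executable and accompanied by an AppleDouble sidecar, the way an
    archive made with Finder's Create Archive would package it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A real (truncated) JPEG header: should produce no findings.
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 16)
        # The disguised script: harmless payload chosen for the example.
        script = b'touch "$HOME/Desktop/you_were_lucky.txt"\n'
        zi = zipfile.ZipInfo("funny.jpg")
        zi.external_attr = 0o100755 << 16  # regular file, rwxr-xr-x
        zf.writestr(zi, script)
        # Sidecar with the AppleDouble magic number followed by filler bytes
        # (constructed; a real one would carry the resource fork).
        zf.writestr("__MACOSX/._funny.jpg", b"\x00\x05\x16\x07\x00\x02\x00\x00" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_archive(build_sample()):
        print(line)
```

Run it on a real download with `inspect_archive(open(path, "rb").read())`; any finding is a reason to look at the file in a text editor (or with `file` in Terminal) before double-clicking it. The same checkbox the post tells you to uncheck can also be turned off from Terminal with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false`, the preference key behind it (the key name is not mentioned in the post).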

It's quite ironic that Apple themselves put the word safe in quotes there, as it's clear to me that almost no file from the internet should be assumed safe. Note that Safari ships with this option enabled by default, so many users may not even know they've agreed to have archives expand automatically on their machines. Given that our recent poll showed that Safari has close to a 60% browser share, this is indeed scary. So please, if you use Safari, take a second to disable the automatic expansion of downloaded files.

Edit: I edited the explanation of how one could be infected, to hopefully make it clearer...



Mac OS X Hints
http://hints.macworld.com/article.php?story=20060222071126871