INTEGO SECURITY MEMO - FEBRUARY 21, 2006
SAFARI SHELL SCRIPT AUTO-EXECUTION VULNERABILITY


Exploit: Safari shell script auto-execution vulnerability

Discovered: February 20, 2006

Risk: High

Description: Apple’s Safari web browser, which is included with Mac OS X, has an option to automatically open “safe” files: movies, pictures, PDF and text files, disk images and other archives. Files compressed in .zip format are included in “other archives”, and it is possible for malicious users to include shell scripts in .zip archives.

In most cases, Safari alerts the user to the presence of applications or shell scripts in archives it is going to decompress, but if the shell script does not contain the “shebang” (the first line, such as #!/bin/bash, which indicates which shell should run the script), Safari does not display this warning. If users have Terminal (the built-in terminal application included with Mac OS X) set as the default application to open shell scripts, the script can run with no user intervention, opening a terminal window and executing in the bash shell. The script could be a simple “hello world” message, or something as dangerous as an rm -Rf ~ command (which would delete a user’s home folder and all their files).

An additional risk arises because this script could be used to insert other malicious code, such as the recent Oompa-Loompa Trojan horse, onto a user’s computer. But even its ability to execute any kind of script presents a serious risk for Mac users.

Means of protection: The only way to currently protect against this exploit is to uncheck the option Open “safe” files after downloading, found in Safari’s General preferences. (This option is on by default, and Mac OS X would be more secure if it were set to off.)


Users who do this will be able to download files, and, if they download a malicious file, it will not execute automatically. However, users may still be tempted to double-click a file disguised with a custom icon to resemble, for example, a graphic or music file, allowing the script to execute.
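Because the warning described above hinges on the presence of a shebang line, a defender can check downloaded archives for exactly the entries Safari would miss. The following scanner is an added example, not Intego's code, and assumes (as constructed heuristics) that an entry reaches Terminal when it has a script extension or its Unix executable bit set; the sample archive it builds is constructed inline for illustration.

```python
import io
import zipfile

# Extensions assumed (not Apple's actual Launch Services mapping) to be handed
# to Terminal when double-clicked or auto-opened.
SCRIPT_EXTENSIONS = (".sh", ".command", ".bash", ".zsh", ".tool")


def entry_flags(info, data):
    """Summarise why a single zip entry might be an auto-executable script."""
    first_line = data.split(b"\n", 1)[0]
    unix_mode = (info.external_attr >> 16) & 0o777  # upper 16 bits hold st_mode
    return {
        "name": info.filename,
        "script_extension": info.filename.lower().endswith(SCRIPT_EXTENSIONS),
        "executable_bit": bool(unix_mode & 0o111),
        "has_shebang": first_line.startswith(b"#!"),
    }


def find_shebangless_scripts(zip_bytes):
    """Return the names of entries that look like shell scripts but carry no
    shebang, i.e. the case where Safari's archive warning does not fire."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            flags = entry_flags(info, zf.read(info))
            looks_like_script = flags["script_extension"] or flags["executable_bit"]
            if looks_like_script and not flags["has_shebang"]:
                hits.append(flags["name"])
    return hits


def build_sample_archive():
    """Constructed sample archive (not from the advisory) with three entries:
    an image, a script with a shebang, and a shebang-less executable script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 placeholder image bytes")
        zf.writestr("hello.sh", b"#!/bin/bash\necho hello\n")  # shebang present
        info = zipfile.ZipInfo("vacation.command")
        info.external_attr = 0o755 << 16  # executable bit set, no shebang below
        zf.writestr(info, b"echo 'this line would run in Terminal'\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_shebangless_scripts(build_sample_archive()))
```

Only `vacation.command` is reported: `hello.sh` starts with `#!` and would trigger Safari's own warning, and `photo.jpg` has neither a script extension nor an executable bit.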


About Intego
Intego develops and sells desktop Internet security and privacy software for Macintosh.

Intego provides the widest range of software to protect users and their Macs from the dangers of the Internet. Intego's multilingual software and support repeatedly receive awards from Mac magazines, and protect more than one million users in over 60 countries. Intego has headquarters in the USA, France and Japan.

As the dangers of the Internet grow, Intego is hard at work, developing new software to protect users and their Macs from the latest security and privacy threats.

We protect your world.
