heise online -
Apple Safari Browser Automatically Executes Shell Scripts
20.02.2006 21:12
Shortly after reports of the first virus for Mac OS X, a new security flaw has surfaced. The culprit is the option "Open 'safe' files after downloading" in Apple's Safari web browser. This feature is activated by default. Its function is to automatically display images and movies after they are transmitted to the user's computer, using the application assigned to that particular document format. Safari will also unpack ZIP archives and display the documents within if they are considered "safe". If active content such as an application or shell script is found within the archive, a prompt requests user confirmation. So far, so good.
Problems ensue if a shell script is stored in a ZIP archive without the so-called shebang line. If this line is omitted, Safari no longer recognizes the content as potentially dangerous, and the shell commands are executed without a confirmation prompt. This behavior was discovered by Michael Lehn, who has documented it on a web site.
Under normal circumstances, shell scripts begin with a "shebang line" such as "#!/bin/bash" to indicate which interpreter should handle their execution. However, Mac OS X will load scripts without a shebang line into the Terminal, where they are executed by a shell. If the Finder has been assigned to open scripts using the Terminal, this happens automatically.
If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association.
This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X.
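As an added defender's check (not code from the article or from heise Security), the following Python scanner inspects a downloaded ZIP for the two signs the article describes: an entry whose extension claims an image or movie but whose content is plain text with no shebang, and a Mac metadata entry carrying the absolute path to Terminal. It assumes the metadata travels as a `__MACOSX/._<name>` companion entry and that the Terminal path appears there as a plain byte string; the sample archive is constructed inline.

```python
import io
import zipfile

# Absolute path the metadata is expected to reference (assumption: stored verbatim).
TERMINAL_PATH = b"/Applications/Utilities/Terminal.app"
MOV_ATOMS = (b"moov", b"ftyp", b"mdat", b"wide", b"free")


def matches_claimed_type(name, data):
    """Return True if the bytes plausibly match the file extension."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in ("jpg", "jpeg"):
        return data[:3] == b"\xff\xd8\xff"          # JPEG SOI marker
    if ext == "mov":
        return data[4:8] in MOV_ATOMS               # QuickTime atom type at offset 4
    return True                                     # no expectation for other extensions


def is_plain_text(data):
    """Heuristic: first 512 bytes are printable ASCII or whitespace."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data[:512])


def scan_zip(zip_bytes):
    """Return (entry name, reason) pairs for suspicious entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if info.filename.startswith("__MACOSX/"):
                if TERMINAL_PATH in data:
                    findings.append((info.filename, "metadata binds entry to Terminal"))
                continue
            if not matches_claimed_type(info.filename, data) and is_plain_text(data):
                kind = "with shebang" if data.startswith(b"#!") else "without shebang"
                findings.append((info.filename, f"text under media extension {kind}"))
    return findings


def build_sample():
    """Constructed archive: one genuine JPEG header, one shebang-less script named .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 32)
        zf.writestr("holiday.jpg", b"echo hello\n")
        # Constructed metadata blob: AppleDouble magic followed by the Terminal path.
        zf.writestr("__MACOSX/._holiday.jpg", b"\x00\x05\x16\x07" + b"\x00" * 20 + TERMINAL_PATH)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip(build_sample()):
        print(f"{entry}: {reason}")
```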
The best immediate recourse against such an attack is to deactivate the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences. Alternative web browsers such as Camino or Firefox do not support the automatic execution of files. These browsers can be prompted to automatically download a file by using the refresh command in the HTML source code of a web page. However, the file will not be executed. Since the Finder selects the icon for a file based on its extension, users are advised to verify that the OS is using the proper file type. This can be done through the information window or in column view.
An additional protective measure is to move the Terminal application from /Applications/Utilities into a different folder. The metadata file within the ZIP archives always contains absolute paths to the applications to be used for opening its contents. To avoid problems with system updates which update the Terminal, the application should be moved back to its original location before updating the OS. In addition, users should not use their administrator account.
You can determine whether your system is vulnerable by using this online demonstration provided by heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.
(ghi/c't)
Copyright © 2008 Heise Zeitschriften Verlag