Linked by Thom Holwerda on Tue 21st Feb 2006 17:59 UTC
Mac OS X "[Last week], we reported on a Trojan horse for Mac OS X that is just like the entry for Earth in the Hitchhiker's Guide to the Galaxy in that it is mostly harmless. A new vulnerability targeted at Apple's home-grown web browser, Safari, is another matter entirely. A German security firm appears to have been the first to discover the Safari flaw, which allows for shell scripts to be executed after clicking a link."
This IS serious for John Doe
by Tobbe on Tue 21st Feb 2006 21:20 UTC

This is not just a Safari flaw though - we're still dealing with the error in the file description metadata parsing, making it possible to create zip files with seemingly harmless files (images, mp3, whatever). When unpacked and clicked on they can execute shell scripts.

Sure, in Safari with the default settings (as in "Automatically open safe files" enabled) these scripts can be triggered automatically - but downloading a zip with, say, Firefox and then unpacking it and clicking the files is just as dangerous. It's probably safe to assume that most people who download zip files have the intention of unpacking and using the contents sometime.

Imagine the damage a simple "rm -rf ~" will do for John Doe. Sure, the system files stay intact - but most people don't back up their files (like most of my colleagues). Most people expect an image to show when they click a file with the image icon. If they had written "rm -rf ~" manually, or thrown all the files in the trashcan, or even clicked a shell script to do it for them I'd say they had it coming and they should've RTFM:ed.

Double-clicking a JPEG should be safe - as of now it really isn't unless you're 100% sure the zip file comes from a reliable source.

Reply Score: 1
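
An added example, not part of the comment above: a heuristic check that a zip archive can be put through before anything in it is unpacked and double-clicked, flagging entries that carry a media extension but look like scripts. The extension list, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed list of extensions a user expects to open in a viewer or player.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp3", ".pdf"}

def audit_zip(data):
    """Return (entry name, reason) findings for a zip archive passed as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            folder, _, base = name.rpartition("/")
            # Skip directories and the metadata companions themselves.
            if info.is_dir() or name.startswith("__MACOSX/") or base.startswith("._"):
                continue
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext not in MEDIA_EXTS:
                continue
            reasons = []
            with zf.open(info) as fh:
                if fh.read(2) == b"#!":
                    reasons.append("content starts with a shebang")
            # Upper 16 bits of external_attr hold the Unix mode, if recorded.
            if (info.external_attr >> 16) & 0o111:
                reasons.append("executable bit set")
            # Archives made on a Mac keep per-file metadata in AppleDouble
            # entries named __MACOSX/<folder>/._<name>.
            companion = "__MACOSX/" + (folder + "/" if folder else "") + "._" + base
            if reasons and companion in names:
                reasons.append("has a metadata companion entry")
            findings.extend((name, r) for r in reasons)
    return findings

def build_sample():
    """Constructed sample: one PNG-like entry and one script named .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/ok.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        bad = zipfile.ZipInfo("photos/holiday.jpg")
        bad.external_attr = 0o100755 << 16  # regular file, rwxr-xr-x
        zf.writestr(bad, b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/photos/._holiday.jpg", b"\x00\x05\x16\x07")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()):
        print(name + ": " + reason)
```

A clean result from this check does not prove an archive is safe; it only catches the mismatch between what a file is named and what it contains.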