Linked by Thom Holwerda on Tue 7th Mar 2006 15:27 UTC
Mac OS X An Apple Computer patch released last week doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said. The update added a function called 'download validation' to the Safari Web browser, Apple Mail client and iChat instant messaging tool. "While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."
Thread beginning with comment 102231
DJ Jedi Jeff
Member since:
2006-03-07

And what do you propose as the alternative? I do not want to have to put a file extension on every one of my files and be restricted to that. For instance, I have many PDFs that have to be opened in Adobe Reader due to form data being present. Most other PDFs I want to open in Preview because it's faster. I fail to see how I can accomplish this without per-file associations. The same is true for many other document types.

I understand your suggestion but I don't think it would solve the whole problem. As long as I can have a file called "abc.jpg" be a shell script or an app, there is the potential for mischief. Should Apple disallow the use of periods in file names of apps and shell scripts? Then we would just see "abc,jpg" and have essentially the same problem. Apple could force apps and scripts to have a certain extension, but that's quite a major undertaking (particularly on the script side).

There are no easy answers. If you want to call this a vulnerability, that's fine. It's probably not fair to call the OS flawed because of this, though. That's like saying my house is flawed because it's vulnerable to small arms fire. At some point, tradeoffs have to be made.

Score: 2
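The "abc.jpg that is really a shell script" case discussed above comes down to one question: does the file's content agree with the type its name claims? As an added example (not from this thread, and not Apple's own download-validation code), here is a small Python checker that compares the extension a name advertises with the file's leading bytes and flags the mismatch. The signature table, the executable-prefix list and the sample files are all constructed for this example.

```python
"""Flag downloads whose contents do not match the type their name claims.

Added example for the thread above; not Apple's download validation.
"""
from __future__ import annotations

import os

# Magic bytes for a few "safe" document types (constructed table for this example).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
ALIASES = {"jpeg": "jpg"}

# Leading bytes that mark executable content regardless of the file name.
EXECUTABLE_PREFIXES = (
    b"#!",                  # script with a shebang (sh, perl, python, ...)
    b"\xfe\xed\xfa\xce",    # Mach-O 32-bit, big-endian
    b"\xce\xfa\xed\xfe",    # Mach-O 32-bit, little-endian
    b"\xca\xfe\xba\xbe",    # Mach-O universal (fat) binary
)


def claimed_type(name: str) -> str | None:
    """Return the lowercase extension the file name advertises, or None."""
    base = os.path.basename(name)
    if "." not in base:
        return None          # "abc,jpg" from the thread has no extension at all
    return base.rsplit(".", 1)[1].lower()


def sniff(data: bytes) -> str:
    """Classify content by its first bytes: 'executable', a known type, or 'unknown'."""
    if data.startswith(EXECUTABLE_PREFIXES):
        return "executable"
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return "unknown"


def validate(name: str, data: bytes) -> tuple[str, str]:
    """Compare claimed extension with sniffed content.

    Returns (verdict, reason); verdict is 'ok', 'reject' or 'prompt'.
    """
    ext = claimed_type(name)
    canon = ALIASES.get(ext, ext)
    kind = sniff(data)
    if kind == "executable":
        # The case from the article: a script dressed up as a picture.
        return "reject", f"{name!r} claims {ext or 'no extension'} but contains executable code"
    if canon in SIGNATURES:
        if kind == canon:
            return "ok", f"{name!r} content matches its .{ext} extension"
        return "prompt", f"{name!r} claims .{ext} but content looks like {kind}"
    return "prompt", f"{name!r} has no recognised document extension"


# Constructed sample downloads, keyed by the name the sender chose.
SAMPLES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "abc.jpg": b"#!/bin/sh\nrm -rf ~/Documents\n",    # disguised script from the thread
    "abc,jpg": b"#!/bin/sh\necho pwned\n",            # the comma variant from the thread
    "notes.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "report.pdf": b"GIF89a\x01\x00\x01\x00",           # wrong type, but not executable
}


def scan_all() -> dict[str, str]:
    """Verdict for every sample, by name."""
    return {name: validate(name, data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reason = validate(name, data)
        print(f"{verdict:7} {reason}")
```

Note the limits, which are the same ones Kevin Long is pointing at in the article: a shell script does not need a shebang line to be run by `sh`, and a Mach-O check only covers native binaries, so a sniff like this is a checkpoint rather than a fix. What actually decides whether a double-click executes the file is the launch path the GUI takes, so a validator has to be applied at that point, not only at download time.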

Alternatives?
by cr8dle2grave on Tue 7th Mar 2006 19:21 in reply to "RE: The level of denial is amazing"
cr8dle2grave Member since:
2005-07-11

I really think the best option is to limit the per-file association to the computer where it was set. Thus if a file were to be sent by email, zipped, transferred to a shared network drive, or put on a thumb drive, it would then revert to opening with the default application on any computer where the unique association wasn't explicitly set. Maybe I'm a purist, but I think it is absolutely crucial that your computer behave predictably, which means that if your OS is going to treat a file as an image file, video file, or text file, then it should predictably treat it like every other image, video, or text file unless explicitly instructed to do otherwise.

Apple might also be able to require that all scripts have a proper file extension (sh, py, pl, etc.) in order to be launched by the GUI.

Score: 2

RE: Alternatives?
by Peragrin on Tue 7th Mar 2006 21:52 in reply to "Alternatives?"
Peragrin Member since:
2006-01-05

But that limits how things are sent. Most downloaded OS X apps are DMGs (disk images). They get mounted to the file system and a new Finder window then opens. Most use a custom background and layout to show off their wares (if you run OS X, download the Fire IM client).

Score: 1