A serious security flaw in Mac OS X opens machines with Apple’s Safari Web browser to hijack by outsiders, Secunia has warned. The vulnerability and ‘proof of concept’ code to exploit it were released on Wednesday as part of the Month of Apple Bugs project. It affects Mac OS X 10.4.8, the most recent version of Apple’s operating system and, possibly, previous versions, security researcher LMH said in the posting on MOAB’s Web site.
Apple really should’ve released an update that removes the ‘Open safe files automatically after downloading’ option months ago. Everybody clued switches it off right away, but the rest of the world is none the wiser. Leaving it there’s a Microsoft-esque mistake, really.
<BIG>FUD
Any idea if KHTML would be affected by this exploit? Or is this just a bug affecting Webkit?
Browser: Opera/8.01 (J2ME/MIDP; Opera Mini/3.0.6540/1558; en; U; ssr)
It’s more in the GUI than anything else, so KHTML and WebKit browsers other than Safari should be okay.
The option was off, then they changed it to allow “safe” files to be opened automatically. I still prefer what Firefox does, allowing the user more control.
It’s not a webkit but, it’s a Safari bug. It has to do with how it handles opening downloaded files.
I killed that option after the last security issue with it!
To anyone who didn’t read the article you have to have the default option for opening safe files, which is to open them.
At least they are starting to find something that almost looks like a bug with a third of the month over already. Starting to look like a Mac OS commercial, who’s funding this?
Have you ever done sourceless vulnerability research? Finding a crash is one thing, getting your shellcode to work reliably on multiple versions of the OS/application is another. Neither of which takes “a couple of days.”
“””Finding a crash is one thing, getting your shellcode to work reliably on multiple versions of the OS/application is another. Neither of which takes “a couple of days.””””
And you think they didn’t do their work in advance?
Besides, there is plenty of the subject code available to review in the form of Darwin.
I said at the beginning of all this that OSX might well come out of this smelling like a rose. Looks like maybe I was right. Nineteen more days to go.
BTW, I’m not particularly an Apple fan, and the last Apple I owned was the II+ I bought in November 1980.
But I recognize that OSX is fairing well in this little exercise and applaud its developers and maintainers.
I find Camino to be a pretty cool browser. So much so, I can’t even remember the last time I used Safari. Sadly, like its Firefox brethren, Camino is plaqued with an unfortunate ‘memory-leak’ problem. I hope that problem is addressed soon.
Agree with Sphinx,
Looks like there’s something to that Apple Security then just 5% market share.
Would be nice if the guys involved gave us a clue as to what Apple’s secret is.
“””Would be nice if the guys involved gave us a clue as to what Apple’s secret is.”””
Paying security more than just lip service? Treating security as a technical problem instead of as a PR problem?
iPhone?