A potentially severe security flaw has been uncovered in Apple‘s Safari Web browser, which may enable attackers to execute arbitrary Unix shell scripts on a user’s machine simply by following a link on a Web site.
The exploit involves the way Mac OS X determines which program it should launch when opening files of a particular type. By renaming a Unix shell script to an extension Safari considers “safe,” omitting the script’s so-called “shebang line” (a command which specifies how the script should be executed), and compressing the script with the Zip archiving utility, Safari can be convinced to download the script, decompress it, assume the script is “safe,” then pass it off to the Mac OS X Terminal application for execution. An attacker could easily use such a script to delete a user’s home directory, damage the computer’s configuration, or obtain personal data.
Apple has yet to comment or release a patch. In the meantime, Safari users should disable the “Open ‘safe’ files after downloading” option in General pane of Safari’s preferences. This option is disabled by default in new installations of Mac OS X 10.4.5, but may be enabled by default in older systems or systems which have been upgraded to Mac OS X 10.4.5.
So far, Safari is the only application known to be affected, although it is possible other programs could be vulnerable to similar attacks. The Camino and Firefox Web browsers are not vulnerable to this particular exploit.
Danish security firm Secunia has listed the flaw as “extremely critical,” and has posted a harmless sample exploit of the flaw so users can test if their systems are vulnerable. Heise Online has another demonstration of the exploit.
Users may also be able to protect themselves from the exploit by removing the Terminal application from its default location in Applications > Utilities. (However, doing so may confuse future system updaters, so users would probably have to remember to put it back before installing new software.)
