February 21, 2006
When safe isn’t safe
Posted Feb. 21, ’06, 8:06 PM PT by Derik DeLong
Category | Security
Despite getting several black eyes over the “Safe” file opening preference before (with Dashboard Widgets and protocol trickery), this option is still a mine field. This time, Safari will execute files contained within a Zip archive without properly checking if the contents are safe.
In fact, one can rename a shell script to a picture extension to wreak all kinds of havoc. Until Apple releases an official fix, you have three options. First, don’t use Safari (a fairly silly solution, reminiscent of cutting off one’s nose to spite their face), opting instead for Camino, Opera, or Firefox. Second, disable “Open ‘safe’ files after downloading” in Safari’s preference. Finally, use the updated Paranoid Android. Unsanity has been all over this kind of stuff, and even has an alternate piece of software to do the same thing.
At any rate, I’m not turning this preference back on for a long time, despite any assurances by Apple.
Update: Rosyna of Unsanity has further fleshed out his blog entry on the problem. The problem is rooted in what he calls strong bindings and the fact that an alternatively chosen opening application for a document is not checked when making the “safe”. Bad. The use of strong bindings can also be used to trick a user in environments outside Safari and Mail.app, but the exploit basically degenerates to making a file look like something other than it really is (like the Word 2004 trojan floating around on P2P networks). It’s slightly more sophisticated but it still requires social engineering to properly work.
3 Comments
Leave a comment
Recent Entries
Ch-ch-ch-ch-changes afoot at MacUser
The Macalope Weekly: Leopards and monopolies and DRM! Oh, my!
Apple levels DMCA on iPodhash project
iPod touch users get second classed again with the omission of new Maps features
Apple Pro Applications Update 2008-004 makes your day
iTunes v8.0.2 comes riding on the coattails of iPhone firmware v2.2
About MacUser
MacUser is your source for news, info, and opinion about Apple, the Mac, and the iPod. Our dedicated team of bloggers covers everything that is relevant to Mac users — and, okay, some stuff that’s not quite relevant, but is still a lot of fun.
Subscribe/RSS
- Blog Posts
- Blog Comments
- Podcast (RSS) (iTunes)
Tip us off!
- Email: macuser [at] macuser [dot] com
Recent Comments 
- Dan Moren on iPod touch users get second classed again with the omission of new Maps features
- johnnydfred on iPod touch users get second classed again with the omission of new Maps features
- on iPod touch users get second classed again with the omission of new Maps features
- Neurotic Nomad on Apple levels DMCA on iPodhash project
- Dan Moren on iPod touch users get second classed again with the omission of new Maps features
- Me Again on iPod touch users get second classed again with the omission of new Maps features
Categories
- Apple (234)
- Advertising (162)
- Events (235)
- Huh? (182)
- Humor (259)
- News (148)
- People (258)
- Rivals (405)
- Speculation (167)
- Steve Jobs (172)
- Stores (206)
- Apple TV (58)
- Business (451)
- Games (143)
- Geekery (460)
- Hardware (935)
- Accessories (79)
- Intel Macs (162)
- Ihnatko (18)
- Internet (463)
- Legal (244)
- MacUser (94)
- Macalope (8)
- Money (177)
- Music (344)
- Podcasting (100)
- Photography (74)
- Security (246)
- Software (1544)
- Updates (538)
- Tips (352)
- Troubleshooting (189)
- Video (403)
- Windows (219)
- iPhone (199)
- iPod (602)
- iPod Accessories (96)
- iPod Software (61)
- iTunes (128)
- iTunes Store (443)
Archives
- November 2008 (91)
- October 2008 (138)
- September 2008 (151)
- August 2008 (177)
- July 2008 (175)
- June 2008 (171)
- May 2008 (185)
- April 2008 (234)
- March 2008 (217)
- February 2008 (215)
- January 2008 (239)
- December 2007 (169)
- November 2007 (164)
- October 2007 (187)
- September 2007 (167)
- August 2007 (195)
- July 2007 (152)
- June 2007 (223)
- May 2007 (243)
- April 2007 (286)
- March 2007 (288)
- February 2007 (250)
- January 2007 (266)
- December 2006 (244)
- November 2006 (293)
- October 2006 (307)
- September 2006 (250)
- August 2006 (268)
- July 2006 (288)
- June 2006 (293)
- May 2006 (297)
- April 2006 (351)
- March 2006 (366)
- February 2006 (110)
- January 2006 (107)
- December 2005 (23)
Mac Publishing Sites
Links
You say "...Safari will execute files contained within a Zip archive without properly checking if the contents are safe."
That's not true at all. For one thing, Safari isn't doing the checking at all, it's the Mac OS that's checking. Scripts are considered "unsafe" files according to the OS, so it will not open them after downloading with Safari.
But what tells the OS if it's a script? Why, it's none other than the shebang line! Without this, that script becomes just another file to the OS and unless it meets certain other criteria stored in the Mac, it's considered safe.
Creating a script without the shebang line, adding an extension like .jpg and then creating a Zip archive is not going to cause it to execute in Terminal. Same with Mail, or any other application.
So you don't understand what's really going on or how this vulnerability (which has existed for years) actually works. You're blowing it out of proportion due to pure ignorance.
Ok, so I didn't mention the metadata aspect of the exploit. The fact remains, Safari is launching the file. (Note that other browsers do not have this issue.)
Whether Safari or the Mac OS is technically the one making the safe determination is neither here nor there. The determination is wrong and Safari is using it to make the decision to launch or not.
The behavior is wrong and is a serious problem.
Gruber's got a good explanation of what the security hole involves over at Daring Fireball. Unchecking safe seems to be the way to go for now, though I really like his suggestion that Apple implement some sort of visual cue around a file's icon when the metdata and file type suffix don't match up.