News Critical Flaw found in Mac OS X

dipdude

Forerunner
The Flaw :

ZIP files are considered safe by OS X, but by tweaking the archive file, attackers could pack a ZIP with malicious scripts that the Mac would automatically run.

Attackers can cripple a Mac simply by duping users into visiting a malicious Web site. The bug could be invoked without user interaction via the bundled Safari browser and its default setting of "Open Safe Files after downloading."

Details :

Problems arise if a shell script is stored in a ZIP archive without the so-called 'shebang line'. If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes the shell commands without a confirmation prompt.

Later it was found that the vulnerability wasn't limited to Safari. The Mac operating system is, in fact, vulnerable, which opens other attack avenues, such as file attachments sent via e-mail or other tricks to bamboozle users into downloading files from Web sites.

It looks like this can be used to fool users into starting the file no matter which vector is used. ZIP files can be disguised as, say, JPEG image files, to hoodwink users into opening them.
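As an added example (not part of the original post or of Apple's code), here is a small Python check a defender could run on a downloaded archive before opening it: it lists entries whose Unix executable bits are set and that either lack the '#!' line described above or hide behind a document or image extension. The entry names, sample contents and extension list are constructed for the demo.

```python
"""Scan a ZIP archive for entries that look harmless by name but carry Unix
executable permission bits, the pattern behind the "Open Safe Files" issue."""
import io
import stat
import zipfile

# Extensions a user would reasonably expect to be data, not programs (assumption).
DOC_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf")


def is_unix_executable(info: zipfile.ZipInfo) -> bool:
    # ZIP stores the Unix mode in the high 16 bits of external_attr.
    mode = info.external_attr >> 16
    return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))


def scan_zip(data: bytes) -> list:
    """Return one finding per suspicious entry: {'name': ..., 'reasons': [...]}."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not is_unix_executable(info):
                continue
            with zf.open(info) as fh:
                head = fh.read(2)
            reasons = []
            if head != b"#!":
                reasons.append("executable without shebang")
            if info.filename.lower().endswith(DOC_EXTENSIONS):
                reasons.append("executable disguised with document extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_zip() -> bytes:
    """Constructed test fixture: a plain file, a disguised executable, a normal script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name, payload, mode):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (mode & 0xFFFF) << 16
            zf.writestr(zi, payload)
        add("report.txt", b"quarterly numbers\n", 0o644)      # not executable: skipped
        add("photo.jpg", b"echo demo\n", 0o755)               # executable, no '#!', image name
        add("setup.sh", b"#!/bin/sh\necho ok\n", 0o755)       # executable with shebang: expected
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```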

Normally, OS X owners use the default "administrator account," which requires a password before most changes are made to the machine. Even so, an exploit using this vulnerability could wreak havoc by, for instance, deleting all files assigned to that user.

Safeguards :

Safari users are most at risk, and should deactivate the "Open Safe Files after downloading" option in the "General" section of Safari's preferences.

Alternate browsers, such as Firefox or Camino, are somewhat safer, in that they won't automatically execute files.

Users are advised to verify that the OS is using the proper file type, in response to possible hacker masquerades of ZIP archives as other file formats.

An Apple spokesman reminded users "to only accept files from vendors and Web sites that they know and trust."

Free Online Tests :

Online tests are available that show Mac users whether their machine is vulnerable to the bug.