Extremely critical Mac OS X zero-day exploit released

Summary: If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user.

Heise online is reporting that a new critical vulnerability in Mac OS X has been discovered, and it appears to have ramifications beyond the Safari browser (thanks to SANS and SunbeltBLOG for the link). The problem is severe because a user simply needs to visit a malicious website and shell scripts will launch with zero user interaction!

The cause of this problem is that OS X will automatically launch a shell script (even one inside a ZIP file) when the script is missing certain syntax at its beginning.

Here is an excerpt from Heise online:
You can determine whether your system is vulnerable by using this online demonstration provided by Heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.

Vulnerabilities don't get any more serious than this, since it requires no user interaction. The recent Mac OS X Leap.A worm attempted to fool users into launching malicious code disguised as an image file, but this exploit launches the minute you visit a webpage with Safari. All Apple OS X users should immediately implement the following temporary workaround until Apple releases a patch.

Heise online recommends this temporary workaround:
The best immediate recourse against such an attack is to deactivate the option "Open 'safe' files after downloading" in the "General" section of Safari's preferences. Alternative web browsers such as Camino or Firefox do not support the automatic execution of files. These browsers can be prompted to automatically download a file by using the refresh command in the HTML source code of a web page. However, the file will not be executed. Since the Finder selects the icon for a file based on its extension, users are advised to verify that the OS is using the proper file type. This can be done through the information window or in column view.
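The Safari preference Heise recommends unticking can also be audited from a terminal. The script below is an added example, not from the original post or from Heise; it assumes the "Open 'safe' files after downloading" checkbox is backed by the `AutoOpenSafeDownloads` key in the `com.apple.Safari` defaults domain, and that a missing key means Safari's default (enabled), which is exactly the "standard configuration" the article warns about.

```shell
#!/bin/sh
# Added example: audit, and optionally apply, the Safari workaround for the
# auto-execution of "safe" downloads. Assumption: the checkbox is stored as
# com.apple.Safari / AutoOpenSafeDownloads; an absent key means "enabled".

# Interpret the raw value printed by `defaults read` for the key.
# $1 is 1/0/true/false, or empty when the key does not exist.
# Prints "enabled" or "disabled".
interpret_auto_open() {
    case "$1" in
        0|false|FALSE|no|NO) echo "disabled" ;;
        *) echo "enabled" ;;   # 1/true, or no key at all: Safari's default
    esac
}

# Read the live setting. On systems without defaults(1) this prints nothing,
# which interpret_auto_open treats the same way as a missing key.
read_auto_open() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null
    fi
}

# Returns 0 when the workaround is in place, 1 when auto-open is still on.
check_safari_workaround() {
    state=$(interpret_auto_open "$(read_auto_open)")
    echo "Safari auto-open of 'safe' downloads: $state"
    [ "$state" = "disabled" ]
}

# Same effect as unticking the box in Safari > Preferences > General.
apply_safari_workaround() {
    defaults write com.apple.Safari AutoOpenSafeDownloads -bool false
}

if [ "${1:-}" = "--fix" ]; then
    apply_safari_workaround
fi
check_safari_workaround ||
    echo "Workaround NOT in place: untick the option in Safari or rerun with --fix"
```

Run it without arguments to audit a machine, or with `--fix` to apply the workaround; note that Safari must be restarted for a changed default to take effect.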

[Updated 10:00 AM]  Secunia posted this "extremely critical" advisory along with a demonstration link that automatically launches the calculator.

Topics: Apple

About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.
