Critical Mac OS X zero-day exploit
ZDNet's George Ou has posted some details about a scary new Mac OS X exploit that takes advantage of Safari. Unlike the relatively benign OSX.Leap.A worm, which emerged last week, this exploit is a major security hole because it requires no user interaction.
Heise online is reporting that a new critical vulnerability in Mac OS X has been discovered, and it appears to have ramifications beyond the Safari browser. The problem is severe because a user simply needs to visit a malicious website and shell scripts will launch with zero user interaction!
Here is an excerpt from Heise online:
You can determine whether your system is vulnerable by using this online demonstration provided by Heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.
Click through to George Ou's blog posting today for a temporary workaround to protect yourself if you use Safari on Mac OS X.
Talkback
Hmmmm . . .
OK. So what. None of my browsers since day ONE have been
given permission to OPEN anything after download. This has
nothing to do with security issues, but everything to do with
crappy file mapping in OS X. Most everything coming into this
computer has its Creator codes stripped, with only the
extension left, so common '.JPEGs', '.GIFs' (and the like) have
generic icons. I either open them by dragging onto Photoshop in
the dock or by using File Adopter. Either way, a 'masked' image
file as an app is going to be exposed pretty fast. The other flaw
in this is, my clients (or others I know) would never have enough
savvy to figure out that you could '.zip' a JPEG, or a bunch of
JPEGs. They (and most everyone else) either post them online or
send them raw. A compressed file from anyone you don't know
should be an instant alert.
So in the case of this demo, the downloaded image '.ZIP' just sat
there. Inert.
The key here is NOT to open stuff from anyone that you don't
trust, and even then, bin the joke stuff from buddies, or, better
yet, use Pop Monitor 2.1.3 to pre-screen your email, as I do. (I
also use Mailwasher on the PC too. Works super)
A few simple steps can go a long way to keep your gear from
being compromised.
Literally everyone
years ago.
RE: Critical Mac OS X zero-day exploit
"Stepping off a curb in front of an approaching bus is hazardous!"