[unisog] MacIntosh Safari Scripts - Hype or Hack?

Gary Flynn flynngn at jmu.edu
Tue Feb 21 11:47:58 GMT 2006

Not being familiar enough with Macintosh to assess the
risk posed by the discovery being reported by Michael Lehn
and being repeated on the SANS and heise.de web sites,
I was hoping for some knowledgeable input here.


Obviously, if anyone can put a file on a web site that
will run Unix shell scripts if hit by a Safari browser,
this is extremely serious. I keep seeing the word
"automatic" everywhere.

Yet the heise.de site says,

"If the user has assigned the Finder to open scripts
  using the Terminal, this will happen automatically."

That sounds like something needs to be changed from
default. One person I asked said,

"It seems to me that the user would have had to have done a Get
  Info on an AppleScript file, changed the "Open With..." to
  Terminal, and then clicked on "Change All..." sometime
  beforehand for this situation to exist.  This is a *highly*
  unlikely sequence of events--I can't imagine a reason for
  doing it (Terminal isn't a text editor) and have never heard
  anyone suggest doing it.  So while it *is* an exploit, it's
  got practically a zero chance of actually affecting anyone
  assuming that I understand things correctly."

Can you folks more conversant in Macintosh tell us
what is really going on? Is this thing exploitable
in a default configuration and, if not, under what
circumstances would an operator or application change
those defaults?


Gary Flynn
Security Engineer
James Madison University
