[unisog] MacIntosh Safari Scripts - Hype or Hack?

Adam McMaster adam at moosoft.net
Tue Feb 21 12:38:54 GMT 2006


On 21 Feb 2006, at 11:47, Gary Flynn wrote:
> "If the user has assigned the Finder to open scripts
>   using the Terminal, this will happen automatically."
>
> That sounds like something needs to be changed from
> default. One person I asked said,
>
> "It seems to me that the user would have had to have done a Get
>   Info on an AppleScript file, changed the "Open With..." to
>   Terminal, and then clicked on "Change All..." sometime
>   beforehand for this situation to exist.  This is a *highly*
>   unlikely sequence of events--I can't imagine a reason for
>   doing it (Terminal isn't a text editor) and have never heard
>   anyone suggest doing it.  So while it *is* an exploit, it's
>   got practically a zero chance of actually affecting anyone
>   assuming that I understand things correctly."
>

That's not exactly correct.  The key part is this:

"If a script is given an extension such as "jpg" or "mov" and stored  
within a ZIP archive, Mac OS X will add a binary metadata file to the  
archive which determines its association. This metafile instructs the  
operating system on another Mac to open that file with the Terminal  
application -- regardless of its extension or the symbol displayed in  
the Finder."

The attacker can add metadata to the script to have the victim's Mac  
open it with Terminal, without the victim having to change their  
global "Open With..." preferences.  That could be a problem.


-- 
Adam McMaster <adam at moosoft.net>
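
A defender-side check for the archive layout described in the message above, added here as an example and not part of the original post: it flags ZIP members that carry a media extension, begin with a `#!` interpreter line, and ship with a metadata companion entry. It assumes the metadata file is stored the way Mac OS X's built-in archiver stores it, as an AppleDouble entry named `__MACOSX/._<name>`; the function names and the sample archive are constructed for illustration, and the check is a heuristic that does not parse the metadata itself.

```python
import io
import zipfile

MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp3", ".pdf"}
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # AppleDouble header magic number


def suspicious_entries(zip_bytes):
    """Return names of media-extension members that start with '#!' and
    have an AppleDouble companion (__MACOSX/.../._name) in the archive."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue  # skip the metadata tree itself and directories
            dirname, _, base = name.rpartition("/")
            ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
            if ext not in MEDIA_EXTS:
                continue
            # Assumed layout: companion sits under __MACOSX/ with a "._" prefix.
            prefix = dirname + "/" if dirname else ""
            companion = "__MACOSX/" + prefix + "._" + base
            if companion not in names:
                continue
            has_magic = zf.read(companion)[:4] == APPLEDOUBLE_MAGIC
            with zf.open(name) as fh:
                is_script = fh.read(2) == b"#!"
            if has_magic and is_script:
                flagged.append(name)
    return flagged


def build_sample():
    """Constructed sample archive. The companion entries hold only the
    AppleDouble magic plus padding, not real association data."""
    stub = APPLEDOUBLE_MAGIC + b"\x00" * 22
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/._holiday.jpg", stub)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("__MACOSX/._real.jpg", stub)
        zf.writestr("notes.txt", b"#!/bin/sh\n")  # script, but honest extension
    return buf.getvalue()


if __name__ == "__main__":
    print(suspicious_entries(build_sample()))
```
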