[unisog] MacIntosh Safari Scripts - Hype or Hack?

Pascal Meunier pmeunier at cerias.purdue.edu
Tue Feb 21 13:10:41 GMT 2006

I can confirm that their exploit works on MacOS X 10.4.5.  I had to turn on
the option "open safe files after downloading", which is on by default.

Pascal Meunier
Purdue University CERIAS

On 2/21/06 6:47 AM, "Gary Flynn" <flynngn at jmu.edu> wrote:

> Not being familiar enough with MacIntosh to assess the
> risk posed by the discovery being reported by Michael Lehn
> and being repeated on the SANS and heise.de web sites,
> I was hoping for some knowledgeable input here.
> http://www.heise.de/english/newsticker/news/69862
> http://www.incidents.org/
> Obviously, if anyone can put a file on a web site that
> will run unix shell scripts if hit by a Safari browser,
> this is extremely serious. I keep seeing the word
> "automatic" everywhere.
> Yet the heise.de site says,
> "If the user has assigned the Finder to open scripts
>   using the Terminal, this will happen automatically."
> That sounds like something needs to be changed from
> default. One person I asked said,
> "It seems to me that the user would have had to done a Get
>   Info on an AppleScript file, changed the "Open With..." to
>   Terminal, and then clicked on "Change All..." sometime
>   beforehand for this situation to exist.  This is a *highly*
>   unlikely sequence of events--I can't imagine a reason for
>   doing it (Terminal isn't a text editor) and have never heard
>   anyone suggest doing it.  So while it *is* an exploit, it's
>   got practically a zero chance of actually affecting anyone
>   assuming that I understand things correctly."
> Can you folks more conversant in MacIntosh tell us
> what is really going on? Is this thing exploitable
> in a default configuration and, if not, under what
> circumstances would an operator or application change
> those defaults?
> Thanks!

More information about the unisog mailing list