[unisog] MacIntosh Safari Scripts - Hype or Hack?
pmeunier at cerias.purdue.edu
Tue Feb 21 13:10:41 GMT 2006
I can confirm that their exploit works on MacOS X 10.4.5. I had to turn on
the option "open safe files after downloading", which is on by default.
Purdue University CERIAS
On 2/21/06 6:47 AM, "Gary Flynn" <flynngn at jmu.edu> wrote:
> Not being familiar enough with MacIntosh to assess the
> risk posed by the discovery being reported by Michael Lehn
> and being repeated on the SANS and heise.de web sites,
> I was hoping for some knowledgeable input here.
> Obviously, if anyone can put a file on a web site that
> will run unix shell scripts if hit by a Safari browser,
> this is extremely serious. I keep seeing the word
> "automatic" everywhere.
> Yet the heise.de site says,
> "If the user has assigned the Finder to open scripts
> using the Terminal, this will happen automatically."
> That sounds like something needs to be changed from
> default. One person I asked said,
> "It seems to me that the user would have had to done a Get
> Info on an AppleScript file, changed the "Open With..." to
> Terminal, and then clicked on "Change All..." sometime
> beforehand for this situation to exist. This is a *highly*
> unlikely sequence of events--I can't imagine a reason for
> doing it (Terminal isn't a text editor) and have never heard
> anyone suggest doing it. So while it *is* an exploit, it's
> got practically a zero chance of actually affecting anyone
> assuming that I understand things correctly."
> Can you folks more conversant in MacIntosh tell us
> what is really going on? Is this thing exploitable
> in a default configuration and, if not, under what
> circumstances would an operator or application change
> those defaults?
More information about the unisog