Mac OS X "__MACOSX" ZIP Archive Shell Script Execution
22/02/06 19:19
A new alert has been issued about a possible security hole that combines social engineering with Safari's automatic opening of "safe" downloaded files to execute unwanted code on your Mac… read more here
While people are posting messages in various web forums about this problem (with more or less pertinent remarks), let's look at the possible solutions.
As many have said, disabling the automatic opening of "safe" files in Safari is the first step towards making your Mac more secure.
But is that enough?
Surely not: if social engineering got you to download the file, it can get you to open it later, even by mistake…
A better solution would be:
1. a tool (daemon) watching for files whose content, extension and executable bit are inconsistent with each other;
2. a safer replacement for the open command supplied by Apple.
A .mov file containing ASCII text and with the executable bit set is not OK, right?
Take a look at our little tool (its man page here) to get an idea of what can be done in that direction…
When it is run on the proof-of-concept file referenced in the Secunia article, with the commands:
chkfileext -t Secunia.mov
echo $?
it prints 1, meaning the file is NOT safe to open (-1 error, 0 OK, 1 not safe, i.e. an identified malware pattern…). Note that an exit status of -1 shows up as 255 in $?, since the shell only sees the low 8 bits of the status.
To make it the basis of an open replacement, work still has to be done to support URL parameters as open does, but it's a first step…
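To make the "content vs. extension vs. executable bit" idea concrete, here is a small added example written for this page. It is not the chkfileext tool itself and does not reuse its code; the list of passive document types, their magic bytes and the exit-code mapping are my own assumptions. It follows the same -1 / 0 / 1 convention as the post, and `demo()` builds a few constructed sample files (a shell script named .mov, a plain-text .mov, a minimal genuine QuickTime header) to show each verdict.

```python
#!/usr/bin/env python3
"""Added example for this page: check that a file's extension, its
leading bytes and its executable bit agree with each other.
This is illustrative code, not the chkfileext tool described in the
post; the extension table and exit-code mapping are assumptions."""
import os
import shutil
import stat
import sys
import tempfile

ERROR, OK, UNSAFE = -1, 0, 1   # same verdict convention as the post's tool

# QuickTime/ISO media files are a sequence of boxes: a 4-byte big-endian
# size followed by a 4-byte type tag, so a genuine .mov carries one of
# these tags at offset 4.
QT_BOX_TYPES = {b"ftyp", b"moov", b"mdat", b"wide", b"free", b"skip", b"pnot"}


def _quicktime(head: bytes) -> bool:
    return len(head) >= 8 and head[4:8] in QT_BOX_TYPES


# "Passive" document types that should never be executable and whose
# first bytes are fixed by their format (assumed list; extend as needed).
MAGIC = {
    "mov": _quicktime,
    "mp4": _quicktime,
    "jpg": lambda h: h.startswith(b"\xff\xd8\xff"),
    "jpeg": lambda h: h.startswith(b"\xff\xd8\xff"),
    "png": lambda h: h.startswith(b"\x89PNG\r\n\x1a\n"),
    "gif": lambda h: h[:6] in (b"GIF87a", b"GIF89a"),
    "pdf": lambda h: h.startswith(b"%PDF-"),
}


def check_file(path: str) -> int:
    """Return -1 on error, 0 if the file looks consistent, 1 if content,
    extension and mode disagree (i.e. do not open it)."""
    try:
        st = os.stat(path)
        with open(path, "rb") as f:
            head = f.read(512)
    except OSError:
        return ERROR
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    if ext not in MAGIC:
        return OK            # out of scope: only passive document types are judged
    executable = bool(st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    if executable:
        return UNSAFE        # a movie or image never needs the executable bit
    if head.startswith(b"#!"):
        return UNSAFE        # interpreter line: a script wearing a media extension
    if not MAGIC[ext](head):
        return UNSAFE        # extension says .mov, the bytes say otherwise
    return OK


def demo() -> dict:
    """Write constructed sample files to a temp dir and check each one."""
    d = tempfile.mkdtemp()
    samples = {
        # shell script with a .mov extension and +x: the shape of the PoC
        "Secunia.mov": (b"#!/bin/sh\necho this is not a movie\n", 0o755),
        # plain ASCII text, not executable, but still not a movie
        "notes.mov": (b"just some ASCII text\n", 0o644),
        # minimal QuickTime header: box size 0x14, type 'ftyp', brand 'qt  '
        "clip.mov": (b"\x00\x00\x00\x14ftypqt  \x00\x00\x00\x00", 0o644),
    }
    results = {}
    try:
        for name, (content, mode) in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(content)
            os.chmod(p, mode)
            results[name] = check_file(p)
        results["missing.mov"] = check_file(os.path.join(d, "missing.mov"))
    finally:
        shutil.rmtree(d, ignore_errors=True)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(demo())
        sys.exit(0)
    rc = check_file(sys.argv[1])
    # -1 is not a valid exit status; the shell would show it as 255
    sys.exit(rc if rc >= 0 else 255)
```

Run it with a path to get the verdict in `$?` the way the post uses chkfileext, or with no argument to see the constructed samples judged (the script-as-.mov and the text-as-.mov both come back 1, the real QuickTime header 0, the missing file -1). The check deliberately stays narrow: it only judges extensions it knows to be passive documents, so an executable with no extension is not flagged.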