Mac OS X Suffers From 'Critical' Flaw, Security Firms Say
Apple confirmed the vulnerability hours later. "We're working on a fix so that this doesn't become something that could affect customers," a spokesman for the Cupertino, Calif.-based company said.
ZIP files are considered safe by OS X, but by tweaking the archive file, attackers could pack a ZIP with malicious scripts that the Mac would automatically run, said German firm Heise Security, one of the first to publish an advisory.
The bug, noted Heise, could be invoked without user interaction via the bundled Safari browser and its default setting of "Open Safe Files after downloading."
"Problems ensue if a shell script is stored into a ZIP archive without the so-called 'shebang line,'" wrote Heise in its advisory. "If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt."
Danish vulnerability tracker Secunia tagged the flaw as "Extremely critical" in its own alert Tuesday, the highest warning rating the company uses. FrSIRT, a French vendor, dubbed it "Critical."
The SANS Institute's Internet Storm Center, however, pointed out that Heise's explanation of the flaw actually said the vulnerability wasn't limited to Safari. The Mac operating system is, in fact, vulnerable, which opens other attack avenues, such as file attachments sent via e-mail or other tricks to bamboozle users into downloading files from Web sites.
"It looks like this can be used to fool users into starting the file no matter which vector is used," said the ISC's online warning. ZIP files can be disguised as, say, JPEG image files, the ISC noted, to hoodwink users into opening them.
Normally, OS X owners use the default "administrator account," which requires a password before most changes are made to the machine. Even so, an exploit using this vulnerability could wreak havoc by, for instance, deleting all files assigned to that user.
Safari users are most at risk, and should deactivate the "Open Safe Files after downloading" option in the "General" section of Safari's preferences. Alternate browsers, such as Firefox or Camino, are somewhat safer, said Heise, in that they won't automatically execute files.
"Users are advised to verify that the OS is using the proper file type," added Heise in response to possible hacker masquerades of ZIP archives as other file formats.
While Mac users have long defended their operating system as invulnerable to the kind of attack Windows users commonly suffer, Apple's taken several malware hits of late. Last week, two worms targeting Mac owners were discovered by security researchers.
For its part, the Apple spokesman reminded users "to only accept files from vendors and Web sites that they know and trust."
Heise credited Michael Lehn of the University of Ulm with the discovery. Lehn has posted a harmless proof-of-concept for the vulnerability here. Several security companies, including Secunia and Heisse, have also posted online tests that show Mac users if their machine is vulnerable to the bug.
