Do you have adblock enabled?
If you can read this, either the style sheet didn't load or you have an older browser that doesn't support style sheets. Try clearing your browser cache and refreshing the page.

(ZDNet)   Mac flaw puts Safari surfers at risk. Buh, buh, but it's Mac   ( divider line
    More: Interesting  
•       •       •

1208 clicks; posted to Geek » on 11 Jan 2007 at 6:33 PM (10 years ago)   |   Favorite    |   share:  Share on Twitter share via Email Share on Facebook   more»

52 Comments     (+0 »)

Oldest | « | 1 | 2 | » | Newest | Show all

2007-01-11 03:45:34 PM  
Yeah, but what kind of idiot has downloaded files open automatically. They deserve to have their system hijacked.
2007-01-11 04:03:32 PM  
If I am not mistaken my crapple which I recently reloaded 10.2 or 3 on has that enabled by default. Even then I was thinking that was really stupid.
2007-01-11 04:05:37 PM  
I automatically downloaded and opened a file called "Apple Dysentery.Net-Worm". Am I farked?

2007-01-11 04:09:53 PM  
So what's the actual exploit? Does it require the automatic open only or does it require an Administrator password from there? Sadly lacking article.

If the only issue the auto open portion of Safari, it's a big non-issue. One, it's a feature you can easily turn off. Two, even if something malicious did come through, it would require an Admin or root password to take control of your computer or do anything malicious. If something comes out that is able to do all that without an Admin password, then we have a much bigger flaw than just auto-open in Safari.
2007-01-11 04:16:27 PM  
Who the fark uses Safari?
2007-01-11 04:19:31 PM  
Whats Mac? Whose?
2007-01-11 04:37:41 PM  
Yeah, there are probably security issues with the Mosaic browser too. Probably as many people use it as use Safari.
2007-01-11 05:23:35 PM  

I assume it's a reference to MOAB-10-1-2007, the UFS DMG vulnerability. So this would be an issue if you download a malformed DMG and open it.

1) Yes, you can easily turn it off, but a lot of people won't.
2) If something malicious came through, it wouldn't require root to do anything malicious, because normal users have enough access to do all sorts of nastiness (delete their own files, run a spam relay, run a web proxy, launch a DDoS, etc, etc, etc). It's a big myth that running as a user really helps you at all on a standard desktop.
2007-01-11 05:24:39 PM  
Oh, sorry. linky.
2007-01-11 05:40:10 PM  
Hmmm, let's see. Safari-Preferences-open safe files....

Nope not checked. Try again.
2007-01-11 05:52:35 PM  

I suppose you have the rtsp:// URI handler disabled, too?

(All of you Windows-using Farkers with Quicktime installed better look out for this, too...)

And last I checked, "open safe files" was, by default, on.

B-b-b-b-but Microsoft!

/typed from MacOS 10.4
//you asked me to "try again"
2007-01-11 06:42:49 PM  
-rw-r--r-- 1 luser luser 666 2007-01-11 17:41 savedevilfile

~$ ./savedevilfile
bash: ./savedevilfile: Permission denied

Execute permission: DENIED!
2007-01-11 06:47:53 PM  
Use Flock.
2007-01-11 06:55:15 PM  
Who the fark uses Safari?

2007-01-11 07:12:28 PM  
Seriously though, who cares? The threat is minimal since so few people use Safari. This would just be one of the benefits of owning a mac.

/typing on my $1000 dell laptop that's faster than the macbook pros
2007-01-11 07:28:14 PM  
Meanwhile new security exploits are discovered hourly for Internet Explorer.
2007-01-11 07:37:04 PM  
First that flaw in VLC, and now this? I haven't been paying attention to this 'month of cheap publicity', but if this is the best that they can do, who honestly gives a hoot? Is this something that cannot happen on a PC that opens downloads after loading?

mistergecko: What Dell laptop matches the specs of the MacBook Pros for $1k?
2007-01-11 07:38:50 PM  

Er, I think you're misunderstanding the vulnerability. It has nothing to do with being able to execute the saved file. You can't execute the saved file on OSX, either.

But you can open it.

File parsing vulnerabilities exist in Linux, too.

(Nothing's worse than a snotty Linux dork. Except a snotty, ignorant Linux dork.)


It's not a wormable bug anyway. The risk is that someone will put a malicious file up on a website visited by Mac users. Like, say, Or Or whatever.


IE sucks, but hourly? Geeze. The truth is bad enough. No need to make shiat up.
2007-01-11 07:39:37 PM  

It's not per se a Safari vulnerability. If you were to download such a DMG with Flock (or Camino or Firefox or wget or curl or lynx or or whatever) and try to open it, you'd get farked just the same.
2007-01-11 07:40:11 PM  
I use Safari.
Works great.
It's a preference that can be turned off. Always thought it was dumb that it was automatically on but I seem to recall that not so long ago Mozilla Firefox did something very similar.
2007-01-11 07:41:43 PM  

Er, did you see the RTSP vuln? The very first one they released?

The RTSP one was real, the Finder one was real, this one is real. (The others were real but generally very boring.) None are wormable, perhaps, but they're all fairly serious (on part, for instance, with the current MS Office vulns).

Clearly, you haven't been paying close enough attention.
2007-01-11 07:47:32 PM  
I'm running a really old version of Safari, so my browser usually crashes way before the download is done.

Actually it's just some of the farking advertisements on Slashdot that crash it.
2007-01-11 08:00:36 PM  
I'm running Safari, I'm happy with it in general, but I also use FF. Anyway, didn't we all turn off the "automatically open 'safe' files" option last August, as a precaution against some malformed jpgs or something?

/I wish we could all give MOAB the 'saddam execution' treatment on FARK until thay publish something a bit more shocking than this...
2007-01-11 08:20:34 PM  
Teh Safari Farking Sucks.

2007-01-11 08:29:44 PM  
KrispyKringle: (Nothing's worse than a snotty Linux dork. Except a snotty, ignorant Linux dork.)

What about having your feet eaten off by ants?

/C'mon... you have to admit that'd be pretty bad.
2007-01-11 08:56:00 PM  
So, an article pointing out rampant fear of Vista, followed immediately by an article pointing out an earth-shattering security flaw on the Mac.

Wonder what they suggest then? Oh great and mighty ZDNet light the way!

/switches back to TI-99/4A
2007-01-11 09:21:11 PM  
KrispyKringle: File parsing vulnerabilities exist in Linux, too.

I looked at the first five results and of those four of them were faults in anti-malware products (Kaspersky, ClamAV, etc.) not Linux. The fifth was a flaw in RedHat Linux back in 2003.

I'm not saying Linux doesn't have vulnerabilities - but the example you used doesn't seem to be a very good one.
2007-01-11 10:09:53 PM

///Mozilla Product
2007-01-11 10:17:28 PM  
Hey, subby!

Any thread like this is basically a "b-b-b-but Macs get viruses too!"
2007-01-11 10:31:24 PM  

Er, it was a Google search. Jesus.

I mean:

1) The UFS integer overflow allegedly exists in FreeBSD, too. "But, but, but, if it were GPL it wouldn't have that vulnerability."

2) I take it you want to restrict me to just Linux kernel vulnerabilities, since otherwise you'll just say, "But, but, but, it's an optional component." Fine.

Or if you want to be a biatch about it and restrict me to integer overflows (like this was) in just the kernel (this Mac vuln wasn't in the kernel), how about this, this, this or this?

Unfortunately, Secunia don't track vulnerabilities by what component of a product they occur in, so we can't compare the number of OSX or Windows kernel vulnerabilities; if you'd be so kind as to allow me to compare the total number of vulnerabilities for the product (e.g., RedHat Enterprise Linux vs. OSX, or RHEL vs. Windows), we might find that Linux isn't quite as secure as Linux users like to think.

3) If you know I'm right, why quibble with my example, especially when you're quibbling with the first ten Google results. What, the first ten Google results for "linux file parsing vulnerability" aren't to your liking? And that's relevant? It's like the Bushbots who like to point out that the AP misspelled the name of some random Iraqi source.


If Camino had the "open downloaded files" option turned on, it would be just as easy to attack. The only difference is that Camino has it turned off by default. The ZDNet report is pretty useless, because this isn't a flaw in Safari. Safari is one possible exploitation vector, but it's a flaw in the way OSX mounts certain DMGs. If someone sends you that DMG by e-mail or puts it on a floppy, you'd be equally farked if you opened it.
2007-01-11 10:31:45 PM  
What do you do after downloading a file if not open it? Isn't that sort of the point of downloading it?
2007-01-11 10:37:56 PM  
I use Firefox only on my Mac because I also use Firefox on Windows at work and I used to run Firefox when I had my PC.

I will say I really do like Safari's built in RSS reader. But the brushed metal doesn't do it for me.
2007-01-11 10:51:04 PM  
ChairmanKaga: Who the fark uses Safari?

I do. It hogs less memory, opens quicker, and looks nicer than Camino, Firefox, Shiira, etc.
2007-01-11 11:01:32 PM  
Isn't this really old news? Isn't that why they changed the default behavior of Safari with downloaded files in the first place?
2007-01-11 11:16:19 PM  
theurge14: I will say I really do like Safari's built in RSS reader. But the brushed metal doesn't do it for me.

Check this out.
2007-01-11 11:34:35 PM  
KrispyKringle: If you know I'm right, why quibble with my example...

Because your "example" sucked.
2007-01-11 11:47:27 PM  
I'm a mac fanboy all the way, but Safari is for suckers.
2007-01-11 11:53:00 PM  
i wish i could have the last 5 minutes of my life back.
2007-01-12 12:03:45 AM  

Interesting. So you're agreeing with me that DoktorSeven was being an idiot, and just taking the time to biatch about my example, even after I gave you about five new ones?
2007-01-12 01:20:35 AM  

Thanks. Shoulda RTFA.
2007-01-12 03:20:50 AM  
crossthread: theurge14: I will say I really do like Safari's built in RSS reader. But the brushed metal doesn't do it for me.

Check this out.

I think I love you.
2007-01-12 05:21:55 AM  
I work for Safari, so I'm really getting a kick out of some of these posts...

/mac user
//ya rly
///see 'british gubment warns users against installing Vista thread
2007-01-12 07:28:30 AM
2007-01-12 08:44:29 AM  
Okay, let's assume this actually is an issue.
And let's assume that it doesn't matter that users don't have root access at any level (the admin user still must do 'sudo' to execute at root level...which requires a password).

Security Vulnerability Score:
Microsoft Apple
3,254,521 2
2007-01-12 08:46:23 AM  
fixed formatting

Security Vulnerability Score:
Microsoft: 3,254,521
Apple: 2
2007-01-12 08:50:58 AM  

I think the point is that if you malform a URL such that a download is executed without the user's consent, you can then infect said host without any user fault.

In Safari there is no dialog box issued when downloading a's just automatic.

//btw, all the more reason to back yer shiat up
2007-01-12 09:31:43 AM  
The real point of the project isn't to make Mac OS look unsafe. The point of it is to go after the ignorant mentallity that it's impervious. With the increased sale of Macs there is a large population of less-than-technically-inclined individuals who buy into the idea that if they have a Mac they do not have to be wary of anything. As the amount of Mac users increases so does the validity of the Mac as a target for viruses and malware and hacks. The people doing this project did the same thing for Linux a few years ago.

Anyone who works with an IT infrastructure knows that security is based on process and approach. You can be running the safest OS, have security hardware and have vigilant management and still be insecure. An entire security implementation can be undermined by one idiotic user.
2007-01-12 01:08:19 PM  
manazzoth: An entire security implementation can be undermined by one idiotic user.

Here here...

/IT would be so much more fun without the damn users
2007-01-12 03:40:45 PM  

don't worry, I know all about the security flaws and such (I'm a apple certified tech), I just prefer to use Camino over Safari.
2007-01-12 03:56:08 PM  

Score based on what? The number of MacOSX vulns listed on Secunia is 90; the number of Windows Server 2003 vulns (seemed a good version to pick, as it's current but has been out longer than Vista) is 113. 12 of the OSX vulns are unpatched, as are 10 of the Win2K3 vulns.

Seems pretty comparable to me.


I hate the user.
Displayed 50 of 52 comments

Oldest | « | 1 | 2 | » | Newest | Show all

This thread is archived, and closed to new comments.

Continue Farking
Submit a Link »
On Twitter

Top Commented
Javascript is required to view headlines in widget.

In Other Media
  1. Links are submitted by members of the Fark community.

  2. When community members submit a link, they also write a custom headline for the story.

  3. Other Farkers comment on the links. This is the number of comments. Click here to read them.

  4. Click here to submit a link.