Explanation, fixes for "Safari Automatically Executes Shell Scripts" vulnerability; similar to Widget vulnerability
Explanation, fixes for "Safari Automatically Executes Shell Scripts" vulnerability; similar to Widget vulnerability
Originally posted February 21st
As we noted below in "Odds and Ends", the "Safari Automatically Executes Shell Scripts" vulnerability that has recently garnered increased discussion is extremely similar in nature to a bug we discussed in the middle of last year, where Safari would automatically open a compressed .zip file and execute a potentially malicious Widget.
The scenario for that vulnerability went like this:
You click on a seemingly innocuous link, and view the resulting page's content. Meanwhile, a meta tag embedded in the page (META HTTP-EQUIV="Refresh") downloads a Widget in the background, and Safari -- which is, by default, set to automatically open "trusted" files, including Widgets -- quietly places the newly downloaded Widget in the ~/Library/Widgets folder. The next time you access Dashboard, the Widget is loaded in the Dashboard storage bar, and executed when you click it or drag it out of the bar. The only indication you will receive in Safari indicating that this process is happening is a generally unnoticeable refresh of the URL address bar.
The vulnerability was fixed in Mac OS X 10.4.1.
The new issue is virtually identical to the Widget vulnerability, except this time shell scripts without a "shebang" line -- which tells the script which shell to execute in -- are implicated. Without the aforementioned line, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt.
As we noted previously and in our coverage of the Widget vulnerability, there are some effective ways to mitigate this threat:
Turn off "Open 'safe... Turn off the option "Open 'safe' files after downloading" in the "General" pane of Safari's preferences.
Use a different browser Use an alternative browser like Firefox
Make Terminal ask for permission This is the most involved workaround, and probably the most effective. It involves replacing the Terminal application with an automator script that will intercept calls to Terminal and seek your permission to run Terminal before executing.
- First you will need to download the Automator script, created by a MacFixIt reader, by going to the "Go" menu in the Finder, navigating to the "iDisk" sub-menu, selecting "Other User's Folder" then typing "pehowland" (without quotes) and pressing return.
- Next, download the file named "Terminal.app.zip" and unstuff it. The resulting file will be an Automator script application named "Terminal.app" or just "Terminal" if you have file extension display turned off.
- Next, using the Finder, go to /Applications/Utilities and rename Terminal.app to _Terminal.app.
- Copy the replacement Terminal.app (the Automator script) into /Applications/Utilities
- Now every time a shell script attempts to launch the Terminal, the automator script will launch instead and demand user permission before the actual Terminal is launched.
If you want to undo this process, just delete my new Terminal.app and rename _Terminal.app back to Terminal.app.
The author of the script writes:
"This fix works on my machine and seems completely harmless. However, use it at you own risk - I am not responsible for any unintended side effects.
"The paranoid amongst you should also verify my script inside Automator before installing - after all, I could just be playing a nasty social engineering joke on you."
Feedback? Late-breakers@macfixit.com.
Resources