Mac flaw puts Safari surfers at risk
Combination of hole in Apple's OS X and a feature in its Web browser opens Macs to attack, Secunia says.
The vulnerability and "proof of concept" code to exploit it were released on Wednesday as part of the Month of Apple Bugs project. It affects Mac OS X 10.4.8, the most recent version of Apple's operating system and, possibly, previous versions, security researcher LMH said in the posting on MOAB's Web site.
The flaw can be exploited if the Mac user has enabled an option in Safari to "open safe files after downloading," Secunia said in an advisory Thursday. The security company has rated the problem "highly critical."
"It is never good to have something open automatically when you download it, so users should disable this automatic feature in Safari," said Thomas Kristensen, Secunia's chief technology officer.
Over the past year, security experts have scrutinized the "open safe" feature in Apple's code, and have said that the company hasn't completely closed up the security holes. The feature automatically opens files that are deemed to be safe. In March, Apple added a "download validation" function to the tool to warn people when they may be downloading a malicious file or disk image.
However, security experts have noted that malicious attackers could create a file that appears to be safe, such as a movie or image file, but is actually an application that gets loaded onto a user's system.
Security researchers are advising users to disable the "open safe" feature in Safari.
In response to the news, an Apple representative said: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."