Mac OS X: No malware for five years and counting. Until now. Last week’s news headlines screamed “First Mac Virus.” This week we learn of a huge hole in Safari, the popular Mac browser. What’s next? Mail? Yes.
The so-called First Mac Virus™ turned out to be a poorly engineered trojan horse not capable enough to do more than irritate; like dental floss after chewing on a pulled pork bar-b-que sandwich.
Still, the headlines were of concern, if not ill advised, considering the actual severity (or lack of) of the trojan horse.
It’s a new week, a new day, and now another new exploit for your Mac. This time it’s in the Safari browser and it’s serious. Worse, the same exploit could be used in Mac OS X’s Mail.
What’s going on? Has the flood of Mac malware for 2006 begun? Do we need to create a Top 10 List?
Apple’s Safari web browser has a default setting called “Open “safe” files after downloading.” Those files include movies, pictures, sounds, text documents, disk images, PDF files, and so on.
When checked (the default setting), Safari will open those files as soon as the download is complete. The idea is to make it easy to display photos, play music and view documents.
Smart Mac users know the danger signs, and Safari’s default setting is one of them. Turn it off. Unclick it. Don’t use it. Why?
This is a huge hole that Apple will be pressured to seal quickly. Why?
Because it takes nearly no effort whatsoever to use Safari and Mail to open and run Mac malware which could harm your Mac. How easy? Read on.
In this particular case, with the “Open files after downloading” left on, Safari could download a zipped file and unpack it. If it detects, and it will, an executable file inside, Safari will prompt you for confirmation.
These are all good steps in a bad situation. If that unzipped file contains a malware shell script, it can execute commands on your Mac without a confirmation prompt.
Your Mac was once secure. Today it is less so.
Heise Online, a German web site, found that a simple shell script, designed to run in Mac OS X’s Terminal application, could be run using the above scenario.
Normally, Terminal shell scripts have what is known as a ‘shebang line’ at the top. It would look like this: #!/bin/bash. That little line would tell Safari that the unzipped and disguised application is dangerous, so no problem.
Remove that line from a dangerous shell script, and Safari will let it run automatically, making it even more dangerous.
The example at Heise Online is a zipped .jpeg file. Except the .jpg file is really a shell script, not a .jpg image. Double click to unzip the file, then double click the so-called .jpg file and the Terminal opens, runs the script, and the damage is done.
It’s that simple. And that dangerous. How dangerous? It takes little scripting knowledge to create a shell script which can wreak havoc on your Mac.
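A content-based check of the kind a defender could run over a downloaded archive, added here as an example and not part of the original article or of Heise Online’s demonstration: it classifies each zip member by its leading bytes rather than its name, flags files whose name claims an image but whose bytes are not one, and catches the shebang-less shell script case described above. The magic-number table, the shell-word list and the sample archive are constructed for this example.

```python
import io
import zipfile

# Leading bytes of the "safe" image types the article mentions (constructed table).
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a"),
}
# Words that commonly start lines of a shell script (constructed heuristic list).
SHELL_WORDS = {"rm", "curl", "echo", "sudo", "chmod", "mv", "cp", "cat", "osascript", "open"}

def classify(name, data):
    """Classify a file by its bytes, never by its name.
    Returns 'image', 'script', 'script-no-shebang' or 'other'."""
    ext = name.rsplit(".", 1)[-1].lower()
    if ext in IMAGE_MAGIC and data.startswith(IMAGE_MAGIC[ext]):
        return "image"
    if data.startswith(b"#!"):
        return "script"  # the shebang case Safari already recognises
    try:
        text = data[:4096].decode("ascii")
    except UnicodeDecodeError:
        return "other"
    # Shebang-less script: plain text whose lines mostly start with shell commands.
    words = [ln.strip().split(None, 1)[0] for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    if words and sum(w in SHELL_WORDS for w in words) * 2 >= len(words):
        return "script-no-shebang"
    return "other"

def scan_zip(zip_bytes):
    """Return (name, verdict, disguised) per file; disguised means the name claims an image but the bytes are not one."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify(info.filename, zf.read(info))
            ext = info.filename.rsplit(".", 1)[-1].lower()
            results.append((info.filename, verdict, ext in IMAGE_MAGIC and verdict != "image"))
    return results

def build_sample_zip():
    """Constructed sample: a JPEG-looking file plus a harmless shell script named like a JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("real_photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("jessica_simpson_teeth.jpg", b"echo not a picture\ncat /etc/hosts\n")
    return buf.getvalue()
```

Running scan_zip(build_sample_zip()) reports the first member as a genuine image and the second as a shebang-less script disguised as a .jpg.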
Worse, this hole is not limited to Safari. Safari does automatically what you could do manually using OS X’s Mail application.
That’s right. If you received the same zipped .jpg file as an attachment in an email message, you start a similar, and just as dangerous, process.
Let’s say you receive an attachment in Mail which is named “jessica_simpson_teeth.jpg.zip.” That’s worth clicking, right?
Double clicking the zipped attachment will launch a warning dialog box in Mail. If you click OK, the zipped file is unzipped and placed in your download folder (usually your Mac’s desktop).
If you double click the .jpg file on the desktop, expecting to see a photo of Jessica Simpson’s teeth, the file executes without warning, just as it does in Safari.
The Mail problem isn’t really the same as Safari’s exploit, though the damage could be exactly the same.
This is the same kind of threat that Windows users have put up with for years. Such a threat to Mac users, a file received as an attachment in Mail, has always been there. User beware.
For Safari users, it’s an automated threat, a dangerous one, which Apple needs to plug. Now.