Wednesday, February 22, 2006

Macintosh OS X Vulnerability

Symantec Security Response has confirmed a new vulnerability in the Macintosh OS X (version 10.4) operating system. Symantec Security Response rates the vulnerability as high severity. However, there is no known exploit currently targeting this vulnerability.

The vulnerability lies in the "Open 'safe' files after downloading" option in Apple's Safari Web browser. By default, the set-up for the Web browser automatically has this option turned on and will displays images and movies or open ZIP archives to display the documents inside if they are deemed "safe."

“This is yet another example of the continuing spread of malicious code onto other platforms,” said Patrick Evans, regional directory, Symantec Africa. “While there is no known exploit at this time, users are encouraged to turn off the ‘Open safe files after downloading option’ in their Safari browsers and watch for further information from Apple.”

The disclosure of this vulnerability follows two low level worms from last week that targeted the Macintosh OS X (version 10.4) operating system -- OSX.Leap.A and OSX.Inqtana.A.

The issue exists because of an error when processing file association metadata. This metadata is contained in the '.__' file contained within an archive and extracted to the '__macosx' directory. Successful exploitation can allow a malicious script file to be renamed with a safe extension in order to trick a user into believing that the file is safe. This issue is considered to be remotely exploitable in nature because the Safari Web browser will automatically open ZIP archives when downloaded. Macintosh OS X (version 10.4) is reported to be vulnerable to this exploit. Earlier versions may also be affected.

Symantec advises Apple Safari users to turn off the “Open ‘safe’ files after downloading” feature in the Web browser software. Users are also encouraged to review Apple’s guide to safely handling files received from the Internet at:

Symantec’s security experts will closely monitor further information related to this vulnerability and will provide updates and security content as necessary.

No comments: