01:28 PM

Mac OS X Suffers From 'Critical' Flaw

Several security companies found a critical vulnerability in Apple Computer's OS X that could let attackers cripple a Mac simply by duping users into visiting a malicious Web site.

Several security companies warned users of a critical vulnerability in Apple Computer's OS X Tuesday that could let attackers cripple a Mac simply by duping them into visiting a malicious Web site.

Apple confirmed the vulnerability hours later. "We're working on a fix so that this doesn't become something that could affect customers," a spokesman for the Cupertino, Calif.-based company said.

ZIP files are considered safe by OS X, but by tweaking the archive file, attackers could pack a ZIP with malicious scripts that the Mac would automatically run, said German firm Heise Security, one of the first to publish an advisory.

The bug, noted Heise, could be invoked without user interaction via the bundled Safari browser and its default setting of "Open Safe Files after downloading."

"Problems ensue if a shell script is stored into a ZIP archive without the so-called 'shebang line,'" wrote Heise in its advisory. "If this line is omitted, Safari no longer recognizes the content as potentially dangerous and executes shell commands without a confirmation prompt."

Danish vulnerability tracker Secunia tagged the flaw as "Extremely critical" in its own alert Tuesday, the highest warning rating the company uses. FrSIRT, a French vendor, dubbed it "Critical."

The SANS Institute's Internet Storm Center, however, pointed out that Heise's explanation of the flaw actually said the vulnerability wasn't limited to Safari. The Mac operating system is, in fact, vulnerable, which opens other attack avenues, such as file attachments sent via e-mail or other tricks to bamboozle users into downloading files from Web sites.

"It looks like this can be used to fool users into starting the file no matter which vector is used," said the ISC's online warning. ZIP files can be disguised as, say, JPEG image files, the ISC noted, to hoodwink users into opening them.

Normally, OS X owners use the default "administrator account," which requires a password before most changes are made to the machine. Even so, an exploit using this vulnerability could wreak havoc by, for instance, deleting all files assigned to that user.

Safari users are most at risk, and should deactivate the "Open Safe Files after downloading" option in the "General" section of Safari's preferences. Alternate browsers, such as Firefox or Camino, are somewhat safer, said Heise, in that they won't automatically execute files.

"Users are advised to verify that the OS is using the proper file type," added Heise in response to possible hacker masquerades of ZIP archives as other file formats.
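The two checks the advisories ask for, treating archive contents as untrusted regardless of a missing shebang line (Heise's point above) and verifying a download's real file type rather than its extension (the ISC and Heise guidance), as an added example. This is illustrative code written for this page, not Apple's, Heise's or Secunia's test code. The executable-bit heuristic, the magic-number table and the helper names are assumptions of the example, and the sample archive is constructed inline with harmless contents.

```python
import io
import stat
import zipfile

# Leading bytes for the two formats the article mentions (constructed table).
MAGIC = {"zip": b"PK\x03\x04", "jpeg": b"\xff\xd8\xff"}
EXTENSIONS = {".zip": "zip", ".jpg": "jpeg", ".jpeg": "jpeg"}


def content_type(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever name it carries."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def name_matches_content(filename: str, data: bytes) -> bool:
    """True only when the extension and the magic bytes agree.
    An unknown extension or unrecognised content counts as a mismatch,
    so a ZIP renamed to photo.jpg is reported rather than trusted."""
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    claimed = EXTENSIONS.get(ext)
    return claimed is not None and claimed == content_type(data)


def suspicious_entries(zip_bytes: bytes) -> dict:
    """Map entry name -> reason for every archive member that could run as a script.
    The check is content-based: a missing shebang line must not make an entry
    'safe'. Assumption of this example: an entry with the unix executable bit
    set is treated as a script even without '#!' (the article does not say
    how OS X itself classified the file)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Unix mode bits live in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0o7777
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            head = zf.read(info.filename)[:512]
            if head.startswith(b"#!"):
                findings[info.filename] = "script with shebang line"
            elif executable:
                findings[info.filename] = "executable bit set but no shebang line"
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive: a plain text file, an ordinary script with a
    shebang, and a shebang-less entry carrying the executable bit. The
    contents only echo text; they are fixtures for the detector above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", "just some text\n")        # mode 0600, no exec bit
        script = zipfile.ZipInfo("readme.sh")
        script.external_attr = 0o100755 << 16               # regular file, rwxr-xr-x
        zf.writestr(script, "#!/bin/sh\necho hello\n")
        silent = zipfile.ZipInfo("cleanup")
        silent.external_attr = 0o100755 << 16
        zf.writestr(silent, "echo constructed sample, no shebang\n")
    return buf.getvalue()


if __name__ == "__main__":
    archive = build_sample_archive()
    for name, why in suspicious_entries(archive).items():
        print(f"{name}: {why}")
    # The same archive saved under an image name: the magic bytes give it away.
    print("photo.jpg matches content:", name_matches_content("photo.jpg", archive))
```

The point of `suspicious_entries` is the `elif executable` branch: a scanner that only keys on `#!` would, like Safari's "safe file" logic as described by Heise, wave the `cleanup` entry through. `name_matches_content` is the complement for the disguise case, and deliberately fails closed on extensions it does not know.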

While Mac users have long defended their operating system as invulnerable to the kind of attack Windows users commonly suffer, Apple's taken several malware hits of late. Last week, two worms targeting Mac owners were discovered by security researchers.

For its part, the Apple spokesman reminded users "to only accept files from vendors and Web sites that they know and trust."

Heise credited Michael Lehn of the University of Ulm with the discovery. Lehn has posted a harmless proof-of-concept for the vulnerability here. Several security companies, including Secunia and Heise, have also posted online tests that show Mac users if their machine is vulnerable to the bug.
