Notices

NSC-060222: Apple Mac OS X Safari Command Execution Vulnerability

National Cyber Alert System

Technical Cyber Security Alert TA06-053A

Apple Mac OS X Safari Command Execution Vulnerability

Original release date: February 22, 2006

Last revised: --

Source: US-CERT

Systems Affected

Apple Safari running on Mac OS X

Overview

A file type determination vulnerability in Apple Safari could allow aremote attacker to execute arbitrary commands on a vulnerable system.

I. Description

Apple Safari is a web browser that comes with Apple Mac OS X. The default configuration of Safari allows it to automatically "Open'safe' files after downloading." Due to this default configuration andinconsistencies in how Safari and OS X determine which files are"safe," Safari may execute arbitrary shell commands as the result ofviewing a specially crafted web page.

Details are available in the following Vulnerability Note:

VU#999708 - Apple Safari may automatically execute arbitrary shellcommands

II. Impact

A remote, unauthenticated attacker could execute arbitrary commandswith the privileges of the user running Safari. If the user is loggedon with administrative privileges, the attacker could take completecontrol of an affected system.

III. Solution

Since there is no known patch for this issue at this time, US-CERT isrecommending a workaround.WorkaroundDisable "Open 'safe' files after downloading"Disable the option to "Open 'safe' files after downloading," asspecified in the document "Securing Your Web Browser."

Appendix A. References

* US-CERT Vulnerability Note VU#999708 -

<http://www.kb.cert.org/vuls/id/999708>

* Securing Your Web Browser -

<http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>

* Apple - Mac OS X - Safari RSS -

<http://www.apple.com/macosx/features/safari/>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA06-053A.html>

____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please sendemail to <cert@cert.org> with "TA06-053A Feedback VU#999708" in thesubject.

____________________________________________________________________

For instructions on subscribing to or unsubscribing from this

mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

____________________________________________________________________

Produced 2006 by US-CERT, a government organization.Terms of use:

<http://www.us-cert.gov/legal.html>

____________________________________________________________________

Revision History

Feb 22, 2006: Initial release

UI Home | UI A-Z Search | UI Phonebook/Email | Contact Us

Copyright © The University of Iowa. All rights reserved.