
The cause of this problem is that OS X will automatically launch shell scripts (even inside a ZIP file) when they are missing certain syntax at the beginning of the script.
You can determine whether your system is vulnerable by using this online demonstration provided by Heise Security. The demo attempts to open a Terminal window to display the contents of a folder. If you are running Mac OS X in its standard configuration and use Safari, the window will open without waiting for a prompt. The script could just as well delete all files accessible to the current user. At this point, no web pages are known to misuse this vulnerability. However, this could change quickly.
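A defender-side check for the condition described above, added here as an example and not taken from the original post or from Heise Security: it lists ZIP members that carry a media extension but contain plain text, and records whether the first line is an interpreter line. It assumes the "certain syntax" is the `#!` line; the extension list, function names and sample archive are constructed for illustration.

```python
import io
import os
import zipfile

# Assumed list of extensions a browser may treat as "safe" media.
MEDIA_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".mov", ".mp3"}
# Printable ASCII plus tab, LF and CR.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def is_plain_text(head):
    """True when the sampled bytes are non-empty and all printable ASCII."""
    return bool(head) and all(b in TEXT_BYTES for b in head)


def text_in_media_members(zip_bytes):
    """Return (name, has_interpreter_line) for every archive member that has
    a media extension but whose first 512 bytes are plain text."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            ext = os.path.splitext(info.filename)[1].lower()
            if info.is_dir() or ext not in MEDIA_EXTS:
                continue
            with zf.open(info) as fh:
                head = fh.read(512)
            if is_plain_text(head):
                findings.append((info.filename, head.startswith(b"#!")))
    return findings


def build_sample():
    """Constructed test archive; the member contents are harmless."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", "ls -la\n")           # text, no "#!" line
        zf.writestr("clip.mov", "#!/bin/sh\nls -la\n")   # text with "#!" line
        zf.writestr("real.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("notes.txt", "plain text\n")         # not a media name
    return buf.getvalue()


if __name__ == "__main__":
    for name, has_line in text_in_media_members(build_sample()):
        note = "has" if has_line else "lacks"
        print(f"{name}: text content, {note} an interpreter line")
```

A hit means the member's content does not match its name and the archive should be inspected before anything in it is opened.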