Monday, February 20, 2006

Mac users, this one's for you 

Do you ever use the Safari web browser? Go to Preferences and turn off "Open safe files after downloading". Mac OS X turns out to have a dangerously unclear idea of what a "safe" file is: something that looks like a harmless download can still be something that runs.

The result is a recently discovered bug which lets a bad guy's web site run its own commands on your computer just because you visited it. That's right, just as if you were a Windows user.
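To make the "unclear idea of safe" concrete, here is an added example (my own, not code from the post or from Apple) of the difference between judging a download by its name and judging it by its content. It builds a small ZIP archive in memory whose entries are named like pictures, two of which are really shell scripts, and classifies each entry both ways. The archive, the entry names, the script text and the list of "safe" extensions are all constructed for the demonstration; they are not Safari's own list or logic, which the post does not describe.

```python
"""Added example (not from the original post): why a download judged
"safe" by its name alone is not safe, and a content check that fails
closed. The archive, entry names and bytes are constructed for the
demonstration; SAFE_EXTENSIONS is an illustrative assumption, not
Apple's list, and nothing here reproduces Safari's own logic.
"""
import io
import zipfile

# Extensions a naive, name-based policy treats as harmless to auto-open.
# ASSUMPTION: an illustrative subset, not Safari's actual "safe" list.
SAFE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt", ".mov"}

# Leading bytes ("magic") for the content types this example recognises.
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"%PDF-", "application/pdf"),
    (b"#!", "text/x-shellscript"),
    (b"\xcf\xfa\xed\xfe", "application/x-mach-binary"),  # 64-bit Mach-O
    (b"\xce\xfa\xed\xfe", "application/x-mach-binary"),  # 32-bit Mach-O
    (b"\xca\xfe\xba\xbe", "application/x-mach-binary"),  # fat (universal) Mach-O
]

# Content types this example is willing to treat as inert to display.
INERT_TYPES = {"image/jpeg", "image/png", "image/gif"}


def safe_by_name(name: str) -> bool:
    """Name-based policy: the last extension decides."""
    dot = name.rfind(".")
    return dot != -1 and name[dot:].lower() in SAFE_EXTENSIONS


def sniff(data: bytes) -> str:
    """Content-based guess from the first bytes; 'unknown' if nothing matches."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"


def safe_by_content(data: bytes) -> bool:
    """Fail closed: only positively recognised inert content counts as safe.

    A script with no '#!' line sniffs as 'unknown' and is still refused.
    """
    return sniff(data) in INERT_TYPES


def audit_zip(zip_bytes: bytes) -> list:
    """Classify every file entry in a ZIP both ways, without extracting to disk."""
    records = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            records.append({
                "name": info.filename,
                "safe_by_name": safe_by_name(info.filename),
                "sniffed": sniff(data),
                "safe_by_content": safe_by_content(data),
            })
    return records


def disagreements(zip_bytes: bytes) -> list:
    """Entries a name-based policy would auto-open but the content check refuses."""
    return [r["name"] for r in audit_zip(zip_bytes)
            if r["safe_by_name"] and not r["safe_by_content"]]


def build_sample_archive() -> bytes:
    """CONSTRUCTED sample: two 'pictures' that are really scripts, one JPEG stub."""
    shebang_script = b"#!/bin/sh\necho 'this ran with your privileges'\n"
    bare_script = b"echo 'no shebang, still a script to whatever runs it'\n"
    jpeg_stub = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"  # SOI + APP0 marker, enough to sniff
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("holiday.jpg", shebang_script)
        zf.writestr("notes.jpg", bare_script)
        zf.writestr("real.jpg", jpeg_stub)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    for r in audit_zip(sample):
        print(f"{r['name']:12} by-name={str(r['safe_by_name']):5} "
              f"content={r['sniffed']:24} by-content={r['safe_by_content']}")
    print("would be auto-opened on name alone:", disagreements(sample))
```

The point of the second script entry is that content sniffing must refuse anything it cannot positively identify; an allow-list of recognised inert types fails closed, whereas an extension check fails open. For the Safari setting itself, the same preference can also be switched off from Terminal with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` (the key behind the "Open safe files after downloading" checkbox).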

The good news is that last I heard the bad guys weren't yet taking advantage of this bug. Of course you should still change your Safari preferences. Or use Camino or Firefox instead of Safari.

The respected Eric Rescorla discusses the "open safe files" bug and has an insightful comment from developer Peter da Silva.

UPDATE 2/21:

Reportedly the same thing can happen in Mail.app. Changing Safari's preferences of course won't help there, but it may work to move the Terminal application to a different folder (don't ask).

Credit to Michael Lehn for the discovery.

UPDATE 2/25:

Usually the press exaggerates security problems. This time there are columnists in the Mac trade press saying this isn't a big deal, that common sense will prevent it, and that there is no need to change anything.
See for yourself: try Secunia's vulnerability demonstration page and ask yourself whether you could have protected yourself if it had been a malicious web page. Then show a trusted technical advisor the Internet Storm Center's detailed report.

UPDATE 6/22/2007:

Removed the link to heise.de's test for whether you're affected: McAfee Site Advisor thought it was malicious.
