Exploit for Safari Hole Raises Risk for Mac Users

The security hole in the Safari browser can be exploited by files downloaded directly from a Web page and without any user interaction.

Software code that can exploit a hole in Apples Safari Web browser was added to a popular hacking tool on Feb. 22, raising the risks of attack for Apple Mac users.

So-called "shell code" that takes advantage of a security flaw in Safaris "safe file" feature was added to the Metasploit framework on Feb. 22 and a copy of the script was posted on FrSIRT.com, a software vulnerability and exploit Web site.

Apple did not immediately respond to a request for comment. On Feb. 21, the company said that it takes security very seriously and was working on a fix for the Safari vulnerability.

The hole was first reported on Feb. 20 after security researcher Michael Lehn, a graduate student at the University of Ulm, in southern Germany, documented a problem with Safaris handling of shell commands.

The security hole could be exploited by files that were downloaded directly from a Web page and without any user interaction.

/zimages/4/28571.gifNew Safari flaw, worms turn spotlight on Apple security. Click here to read more.

Lehn discovered the hole in a feature called Open Safe Files, which allows files such as ZIP archives and movie files to be opened and viewed automatically.

Safari will run specially modified shell script files that are stored in ZIP archives without prompting the user first. That would enable attackers to enclose a series of malicious commands in a shell script that would then be run automatically by Safari when the ZIP archive was downloaded from a Web site or opened as an e-mail attachment.

The code posted on Feb. 22 creates a new Metasploit module for the Safari exploit. It is a slight modification of "proof of concept" code written by Lehn, with minor modifications to make the exploit harder for IDS (intrusion detection system) software to detect, said Johannes Ullrich of the SANS Internet Storm Center.

Malicious hackers could set up a Web page, and then use Metasploit to trigger the Safari hole on the systems of Mac users who visited the site, he said.

Anti-virus software and vulnerability tracking companies said the Safari hole is very severe or "critical" for users of Apple systems running Mac OS X.

However, the hole does not affect the more than 90 percent of computer users running non-Mac systems.

Symantec advised Safari users to turn off the "Open safe files after downloading" feature on the Web browser and review an Apple document on safely handling files downloaded from the Internet. For more information on downloading files in Safari, click here.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.