Member Michael Lehn today reported the discovery of a security flaw in the Open "safe" files after downloading feature of Safari, also being reported by heise online. The flaw has been independantly confirmed.
When the Open "safe" files option is checked in the General tab of Safari preferences, a downloaded archive (zip file) containing a shell script named with a .jpg or .mov extension and missing the standard #!/bin/bash line can cause Safari to execute the shell script in the Terminal application without a confirmation prompt. A shell script has the privileges of the logged-in user, so in theory if a malicious script was executed this way, home folder files would be suspectible to damage. If the user was an administrator, system files and applications could be affected as well.
Two preventative measures can be used to avoid the flaw: (1) Disabling the Open "safe" files after downloading feature in Safari preferences. (2) Moving the Terminal application out of its normal location in the Applications/Utilities folder. The former method may be inconvenient during other routine downloads, while the latter may need to be reversed while performing Mac OS X updates.
The problem does not apply to other commonly used web browsers.
So far, a demonstration (proof of concept) download has been created, but no real exploits are known to exist. The problem has been reported to Apple Computer.
[Update] CNET reports that Apple is developing a patch for this security flaw, quoting an Apple representative as saying "We're working on a fix so that this doesn't become something that could affect customers" but without giving a delivery date for an update. Because the problem can reportedly affect Mail as well as Safari, the update may come in the form of changes to Mac OS X, not to Safari alone.
