MOAB Uncovers Mac OS X Flaw On Safari Browser
A vulnerability in Mac OS X affecting computers that run Apple's Safari Web browser has been discovered under the ongoing Month of Apple Bugs (MOAB) project. The vulnerability allows attackers to compromise such computers. Other security firms have confirmed that it affects Mac OS X 10.4.8 and earlier versions. The project has also released proof-of-concept code.
Security firm Secunia has rated the vulnerability as "highly critical", saying that exploiting it can lead to remote code execution.
Exploiting the default "Open Safe" feature can allow malicious code to run and the system to be compromised. Open Safe is designed to open by default 'trusted' types of files that are downloaded from the Internet. The catch, therefore, is that the browser will automatically download and run whatever the author of the code chooses to include in the so-called trusted file.
Safari automatically opens several types of files by default. These include disk image (.dmg) files, which are used to compress downloadable applications. The vulnerability lies in the way Mac OS X processes disk images: a maliciously constructed .dmg file could crash an application, which could in turn allow the attacker to execute malware.
The MOAB project released the vulnerability and proof-of-concept code on January 10, 2007. It affects Mac OS X 10.4.8, the latest version of Apple's operating system, and may also affect other versions of Mac OS, said security researcher LMH in a posting on MOAB's Web site. Users need to disable the "Open Safe files after downloading" option to prevent exploitation. As always, they should allow only trusted parties to access their systems.
Secunia's chief technology officer, Thomas Kristensen, expressed a similar view, saying that users should disable the automatic option in Safari because it is never safe to let a file open on its own as it is downloaded. ZDNet published Kristensen's views in a news report on January 12, 2007.
Apple has uncovered ten vulnerabilities so far this month, and more are expected over the next two weeks. Independent researcher Kevin Finisterre and LMH, another researcher identified only by those initials, are the key people working on the MOAB project.
Related article: MoAB Disclose Two Bugs On Two Successive Days
» SPAMfighter News - 17-01-2007