Apple Safari executes arbitrary shell scripts without asking you for permission

It seems Apple is having more and more severe problems lately: MacOS viruses and worms are starting to pop up and spread on a larger scale... Michael Lehn has now discovered that Apple Safari can be tricked into automatically downloading and executing arbitrary shell scripts.

No need to mention what harm this can cause, especially if you are stupid enough to browse the web as root (or whatever Apple calls their superuser).

Automatically opening downloaded "trusted" files in their respective applications is the default behaviour in Safari, which is obviously not the brightest idea Apple ever had. This is not an Apple-only problem, though. I really wonder why so many people, be it developers or users, are willing to sacrifice security for some crappy "feature"...

(via Digg)


all very well for experienced users..

..but certainly worrying for the proverbial 'grandmas' out there.

while the capacity to download and unpack/run any files retrieved from a remote site should be disbanded altogether, it is truly unfortunate that Apple allows for this action out-of-the-box.

it will be telling how long it takes for them to release a patch.

No escalation

The shell script will be run with user privileges. You cannot use the superuser as a normal user account. You could however use an account with administrator privileges, who is able to sudo. (And not password-less sudo that is, however the passphrase is cached as usual.) So iff the user just used the sudo command on the console the root privileges might be abused. Otherwise the script will lock due to the password prompt. But well, one could do enough harm in a normal user account, on any OS.

MacOS + root

Ok, thanks for the clarifications. The problem, however, is only made worse by running stuff as root, it's still bad enough if run as normal user, as you said.

The real issue is that such blind execution of any downloaded content should not be possible at all. Making it the default is even worse...