US-CERT Technical Cyber Security Alert TA06-053A -- Apple Mac OS X Safari Command Execution Vulnerability

National Cyber Alert System

Technical Cyber Security Alert TA06-053A

Apple Mac OS X Safari Command Execution Vulnerability

Original release date: February 22, 2006
Last revised: March 3, 2006
Source: US-CERT

Systems Affected

Apple Safari running on Mac OS X

Overview

A file type determination vulnerability in Apple Safari could allow a remote attacker to execute arbitrary commands on a vulnerable system.

I. Description

Apple Safari is a web browser that comes with Apple Mac OS X. The default configuration of Safari allows it to automatically "Open 'safe' files after downloading." Due to this default configuration and inconsistencies in how Safari and OS X determine which files are "safe," Safari may execute arbitrary shell commands as the result of viewing a specially crafted web page.

Details are available in the following Vulnerability Note:

VU#999708 - Apple Safari may automatically execute arbitrary shell commands
(CVE-2006-0848)

Information about VU#999708 is also available in US-CERT Technical Alert TA06-062A.

II. Impact

A remote, unauthenticated attacker could execute arbitrary commands with the privileges of the user running Safari. If the user is logged on with administrative privileges, the attacker could take complete control of an affected system.

III. Solution

Install an update

Install Apple Security Update 2006-001. This and other updates are available via Apple Update.

Disable "Open 'safe' files after downloading"

With the update installed, Safari will no longer automatically execute certain types of downloaded files and may also display a warning dialog. For additional protection, disable the option to "Open 'safe' files after downloading," as specified in "Securing Your Web Browser."

Appendix A. References

US-CERT Vulnerability Note VU#999708 - <http://www.kb.cert.org/vuls/id/999708>
US-CERT Technical Cyber Security Alert TA06-062A - <http://www.us-cert.gov/cas/techalerts/TA06-062A.html>
Securing Your Web Browser - <http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>
CVE-2006-0848 - <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0848>
Apple - Mac OS X - Safari RSS - <http://www.apple.com/macosx/features/safari/>

Feedback can be directed to the US-CERT Technical Staff

Produced 2006 by US-CERT, a government organization. Terms of use

Revision History

February 22, 2006: Initial release
February 23, 2006: Added CVE reference
March 3, 2006: Updated solution and added reference to TA06-062A

Last updated February 08, 2008

US-CERT: United States Computer Emergency Readiness Team

Information For

Sign Up

Reporting

DHS Threat Advisory