[Ti] Intel Mac Mini?
Norman Cohen
nacohen at mac.com
Wed Mar 1 19:24:46 PST 2006
That's a shame that it's not a complete fix.
I'd suggest installing Safe Terminal, available at MacUpdate and
Version Tracker. It's an input manager that will put up a dialog box
before running any shell script launched from outside Terminal. From
the description on MacUpdate:
"Safe Terminal fixes a security weakness with Mac OS X Terminal
utility, when it execute shell scripts without the user confirmation.
If Safari "Open safe files after download" is enabled, its possible
to create malicious shell scripts that will be executed by the
Terminal automatically after you download them. It is also possible
to create malicious shell scripts that look like a document or a
folder, that will be executed by Terminal on double click without
warning.
After Safe Terminal is installed, the Terminal utility will show an
alert before executing a shell script, allowing the user to confirm
or cancel. The usage of the Terminal to type and run commands is not
effected in any way."
Norm
---
Norman A. Cohen
nacohen at mac.com
"The hardest thing in the world to understand is the income tax."
Albert Einstein
On Mar 1, 2006, at 18:58 PM, Chris Olson wrote:
>> Apple's Security Update 2006-001 issued today fixes this problem.
>
> I'm afraid it only partially fixes it. Launch Services will still
> start Terminal.app and run a bash shell script without a shebang
> line and path to the interpreter in the first line of the script
> without asking or without warning.
>
> Our demo exploit with a hidden trojan still works perfectly, post-
> update.
> --
> Chris
More information about the Titanium
mailing list