[X4U] FW: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A -- Apple Mac OS X Safari Command Execution Vulnerability]

richard.gilmore rgilmor at uwo.ca
Thu Feb 23 09:45:16 PST 2006 

This came to my email this morning. Does anybody know anything about it?

----------------------------------------

Richard Gilmore
Media Production Centre
Althouse: Faculty of Education
University of Western Ontario


------ Forwarded Message
From: Clint Bourdeau <cbordeau at uwo.ca>
Date: Thu, 23 Feb 2006 10:12:02 -0500
To: Richard Gilmore <rgilmor at uwo.ca>
Conversation: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A --
Apple Mac OS X Safari Command Execution Vulnerability]
Subject: FW: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A -- Apple
Mac OS X Safari Command Execution Vulnerability]



-----Original Message-----
From: owner-tums at uwo.ca [mailto:owner-tums at uwo.ca] On Behalf Of Ellen
Smout
Sent: Thursday, February 23, 2006 10:00 AM
To: tums at uwo.ca; soa at uwo.ca
Subject: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A -- Apple
Mac OS X Safari Command Execution Vulnerability]

Hi All

Please see below for the latest CERT.

thxs

Ellen

-------- Original Message --------
Subject: US-CERT Technical Cyber Security Alert TA06-053A -- Apple Mac
OS X Safari Command Execution Vulnerability
Date: Wed, 22 Feb 2006 15:58:22 -0500
From: CERT Advisory <cert-advisory at cert.org>
Organization: CERT(R) Coordination Center - +1 412-268-7090
To: cert-advisory at cert.org


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                         National Cyber Alert System

                 Technical Cyber Security Alert TA06-053A


Apple Mac OS X Safari Command Execution Vulnerability

    Original release date: February 22, 2006
    Last revised: --
    Source: US-CERT


Systems Affected

    Apple Safari running on Mac OS X


Overview

    A file type determination vulnerability in Apple Safari could allow
a
    remote attacker to execute arbitrary commands on a vulnerable
system.


I. Description

    Apple Safari is a web browser that comes with Apple Mac OS X. The
    default configuration of Safari allows it to automatically "Open
    'safe' files after downloading." Due to this default configuration
and
    inconsistencies in how Safari and OS X determine which files are
    "safe," Safari may execute arbitrary shell commands as the result of
    viewing a specially crafted web page.

    Details are available in the following Vulnerability Note:

    VU#999708 - Apple Safari may automatically execute arbitrary shell
    commands


II. Impact

    A remote, unauthenticated attacker could execute arbitrary commands
    with the privileges of the user running Safari. If the user is
logged
    on with administrative privileges, the attacker could take complete
    control of an affected system.


III. Solution

    Since there is no known patch for this issue at this time, US-CERT
is
    recommending a workaround.

Workaround

Disable "Open 'safe' files after downloading"

    Disable the option to "Open 'safe' files after downloading," as
    specified in the document "Securing Your Web Browser."


Appendix A. References

      * US-CERT Vulnerability Note VU#999708 -
        <http://www.kb.cert.org/vuls/id/999708>

      * Securing Your Web Browser -
        <http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>

      * Apple - Mac OS X - Safari RSS -
        <http://www.apple.com/macosx/features/safari/>


  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA06-053A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert at cert.org> with "TA06-053A Feedback VU#999708" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2006 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________


Revision History

    Feb 22, 2006: Initial release







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQ/zKN30pj593lg50AQJgoQf/ZajorZz/6quzA40dc8cLxIBT70xcClH5
CKDN5nMXl1mRYYkDPF07GbcWL3lWarW5Hif0OiZfazaGNC3p9v4ZxDx/dW/ZmsYo
eDznsNWNphKB6yBSIbOUSfGyh/I7pQlG3qxXRWDTA9nVK12KIkvAAoPTgBe40obu
+x58gK5/ib4d+dEZ8F9SbO7/syYtcAzfzS2HrBYhG1lWWLYTaNC3hyI2nXF5lNV/
ymwaPv0ivAB9rpalus+KkajjiV5+J08dj+1JwgwcSpvuNMQ5c/8RCIILP+1bR+CL
lScvGuSRYk4S0QI9nmCDvwD52sluiwp2VO1atTQ1zcgpwhvLRGo3DQ==
=P2/3
-----END PGP SIGNATURE-----


------ End of Forwarded Message

-------------- next part --------------
A non-text attachment was scrubbed...
Name: esmout.vcf
Type: text/x-vcard
Size: 318 bytes
Desc: esmout.vcf
Url : http://listserver.themacintoshguy.com/pipermail/x4u/attachments/20060223/b9bb6488/esmout.vcf

More information about the X4U mailing list