[X4U] FW: [Fwd: US-CERT Technical Cyber Security Alert
TA06-053A -- Apple Mac OS X Safari Command Execution Vulnerability]
Eddie Hargreaves
meged at earthlink.net
Thu Feb 23 10:20:06 PST 2006
Yes, it's been discussed pretty vociferously on many Mac web sites. The
current workaround is just as described in the CERT Alert - Disable Safari's
"Open 'safe' files after downloading" preference. I don't think this solves
the vulnerability in Mail, however, and I expect to see a security update
from Apple within a week or two.
On 2/23/06 9:45 AM, richard.gilmore <rgilmor at uwo.ca> wrote:
>
> This came to my email this morning. Does anybody know anything about it?
>
> ----------------------------------------
>
> Richard Gilmore
> Media Production Centre
> Althouse: Faculty of Education
> University of Western Ontario
>
>
> ------ Forwarded Message
> From: Clint Bourdeau <cbordeau at uwo.ca>
> Date: Thu, 23 Feb 2006 10:12:02 -0500
> To: Richard Gilmore <rgilmor at uwo.ca>
> Conversation: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A --
> Apple Mac OS X Safari Command Execution Vulnerability]
> Subject: FW: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A -- Apple
> Mac OS X Safari Command Execution Vulnerability]
>
>
>
> -----Original Message-----
> From: owner-tums at uwo.ca [mailto:owner-tums at uwo.ca] On Behalf Of Ellen
> Smout
> Sent: Thursday, February 23, 2006 10:00 AM
> To: tums at uwo.ca; soa at uwo.ca
> Subject: [Fwd: US-CERT Technical Cyber Security Alert TA06-053A -- Apple
> Mac OS X Safari Command Execution Vulnerability]
>
> Hi All
>
> Please see below for the latest CERT.
>
> thxs
>
> Ellen
>
> -------- Original Message --------
> Subject: US-CERT Technical Cyber Security Alert TA06-053A -- Apple Mac
> OS X Safari Command Execution Vulnerability
> Date: Wed, 22 Feb 2006 15:58:22 -0500
> From: CERT Advisory <cert-advisory at cert.org>
> Organization: CERT(R) Coordination Center - +1 412-268-7090
> To: cert-advisory at cert.org
>
>
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA06-053A
>
>
> Apple Mac OS X Safari Command Execution Vulnerability
>
> Original release date: February 22, 2006
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> Apple Safari running on Mac OS X
>
>
> Overview
>
> A file type determination vulnerability in Apple Safari could allow a
> remote attacker to execute arbitrary commands on a vulnerable system.
>
>
> I. Description
>
> Apple Safari is a web browser that comes with Apple Mac OS X. The
> default configuration of Safari allows it to automatically "Open
> 'safe' files after downloading." Due to this default configuration and
> inconsistencies in how Safari and OS X determine which files are
> "safe," Safari may execute arbitrary shell commands as the result of
> viewing a specially crafted web page.
>
> Details are available in the following Vulnerability Note:
>
> VU#999708 - Apple Safari may automatically execute arbitrary shell
> commands
>
>
> II. Impact
>
> A remote, unauthenticated attacker could execute arbitrary commands
> with the privileges of the user running Safari. If the user is logged
> on with administrative privileges, the attacker could take complete
> control of an affected system.
>
>
> III. Solution
>
> Since there is no known patch for this issue at this time, US-CERT is
> recommending a workaround.
>
> Workaround
>
> Disable "Open 'safe' files after downloading"
>
> Disable the option to "Open 'safe' files after downloading," as
> specified in the document "Securing Your Web Browser."
>
>
> Appendix A. References
>
> * US-CERT Vulnerability Note VU#999708 -
> <http://www.kb.cert.org/vuls/id/999708>
>
> * Securing Your Web Browser -
> <http://www.us-cert.gov/reading_room/securing_browser/#sgeneral>
>
> * Apple - Mac OS X - Safari RSS -
> <http://www.apple.com/macosx/features/safari/>
>
>
> ____________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA06-053A.html>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert at cert.org> with "TA06-053A Feedback VU#999708" in the
> subject.
> ____________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
> Produced 2006 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
> Revision History
>
> Feb 22, 2006: Initial release
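The workaround in the quoted alert, checked from a shell (an added example, not part of the thread or of US-CERT's text). It reads the stored form of Safari's "Open 'safe' files after downloading" checkbox, which I assume is the AutoOpenSafeDownloads key in the com.apple.Safari defaults domain, and treats an absent key as enabled, since that is Safari's shipped default.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes the preference
# domain com.apple.Safari and the key AutoOpenSafeDownloads back the
# "Open 'safe' files after downloading" checkbox described in TA06-053A.

# Interpret the raw value that `defaults read` returns for the key.
# An empty value means the key was never written; Safari's default is ON,
# so an unset key must be reported as enabled (the state the alert warns about).
interpret_auto_open() {
    raw=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$raw" in
        ""|1|true|YES|yes) echo "enabled" ;;
        0|false|NO|no)     echo "disabled" ;;
        *)                 echo "unknown" ;;
    esac
}

# Succeed (exit 0) only when the workaround is actually applied.
workaround_applied() {
    [ "$(interpret_auto_open "$1")" = "disabled" ]
}

# Read the live setting on a Mac; yields "" when the key is absent.
read_live_setting() {
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null
}

# Run with --check on the Mac being audited; exit 2 flags the vulnerable state.
if [ "${1:-}" = "--check" ]; then
    live=$(read_live_setting)
    echo "Open 'safe' files after downloading: $(interpret_auto_open "$live")"
    workaround_applied "$live" && exit 0 || exit 2
fi
```

Run it per user account, since the preference lives in each user's own defaults domain.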