Just When You Thought It Was Safe
Saturday, 22 May 2004 07:01

A developer at Unsanity has demonstrated yet another security issue of the same kind as those eliminated by the latest Apple security update.

This exploit can be performed in several ways. The most obvious way requires some cooperation or gullibility on the part of the user. The user clicks a hyperlink in the browser and, instead of the file that was expected, a disk image file is downloaded. Safari mounts the disk image automatically, and clicking a second link then executes a destructive AppleScript from the mounted image. The way to avoid this is to un-check "Open 'safe' files after downloading" in Safari's preferences. That stops the disk image from being mounted automatically, so the second link has nothing to run; it does not protect against an image the user mounts by hand.

Another variation embeds the illicit links in a web page in such a way that they execute automatically, with no click from the user.

I have tried the example links on two web pages and discovered that the More Internet fix, in combination with un-checking "Open 'safe' files..." in Safari's preferences, prevents the exploits from working automatically. Even then, it is still possible for an illicit link to trigger the AppleScript if the user intervenes and mounts the disk image.

In all probability, no user will mount a Trojan disk image at just the right moment for a link on a web site to trigger the evil AppleScript. Nevertheless, Unsanity is providing a utility that intercepts the command from the web site before it can do any harm. It is aptly named "Paranoid Android."

While I would rate this vulnerability as a very moderate risk, it is prudent for every user to un-check "Open 'safe' files..." in Safari's preferences until Apple releases a security update for this new exploit.
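For readers who would rather verify (or enforce) that setting from a Terminal than trust the checkbox, here is a small audit script. It is an added example and is not code from the original post or from Unsanity. It assumes that the "Open 'safe' files after downloading" checkbox is stored under the key AutoOpenSafeDownloads in the com.apple.Safari preferences domain, readable and writable with the standard `defaults` tool, and that a key that has never been written means the setting is still at Safari's default of enabled.

```shell
#!/bin/sh
# Added example (not from the original post): audit Safari's
# "Open 'safe' files after downloading" setting from the command line.
# Assumption: the checkbox maps to the key AutoOpenSafeDownloads in the
# com.apple.Safari domain (true = auto-open enabled, the risky default).

DOMAIN="com.apple.Safari"
KEY="AutoOpenSafeDownloads"

# Classify a raw value as printed by `defaults read`.
# An empty value (key never written) is treated as Safari's default: enabled.
classify_autoopen() {
  case "$1" in
    0|false|FALSE|no|NO)      echo "hardened" ;;
    1|true|TRUE|yes|YES|"")   echo "vulnerable" ;;
    *)                        echo "unknown" ;;
  esac
}

# Read the live value on a Mac. Prints nothing if the key is unset
# (or if `defaults` is unavailable, e.g. when sourced on another OS).
read_autoopen() {
  defaults read "$DOMAIN" "$KEY" 2>/dev/null || true
}

# Turn the setting off. Safari must be quit and relaunched to pick it up.
disable_autoopen() {
  defaults write "$DOMAIN" "$KEY" -bool false
}

# Report the state; exit status 0 only when the setting is hardened.
audit_autoopen() {
  state=$(classify_autoopen "$(read_autoopen)")
  echo "$DOMAIN $KEY: $state"
  [ "$state" = "hardened" ]
}

# Usage:  sh safari_autoopen.sh --audit     # report only
#         sh safari_autoopen.sh --disable   # switch the setting off, then report
case "${1:-}" in
  --audit)   audit_autoopen ;;
  --disable) disable_autoopen && audit_autoopen ;;
esac
```

The script deliberately treats an absent key as "vulnerable": a fresh Safari install has never written the key, yet the box is checked, so a check that only looked for an explicit true value would pass a system that is still exposed.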

You can test your system for the vulnerability here http://ozwix.dk/OpnAppFixer/testit.html or here http://www.geekspiff.com/unlinkedCrap/innocousPage.html.
